Get the latest version of a certificate from an Azure key vault in an ARM template
Question
Creating an ARM template that needs to install an SSL certificate that is located inside of an Azure key vault. If I specify the certificate with the thumbprint, it works fine:
https://contoso.vault.azure.net/secrets/web01-test-contoso-com/968bf207451149d3aceb390065af9d3a
But as a certificate is on a ticking clock, this hard-codes a dependency that can go stale into the ARM template. I would rather just specify the latest version (like it shows in the portal). However, I haven't found any documentation that shows how to do that or even mentions if it is possible.
I ran a couple of experiments using:
https://contoso.vault.azure.net/secrets/web01-test-contoso-com
and
https://contoso.vault.azure.net/secrets/web01-test-contoso-com/latest
But in both cases, I got the same error message:
message '{
"error": {
"code": "InvalidParameter",
"message": "https://contoso.vault.azure.net/secrets/web01-test-contoso-com/latest is
not a valid versioned Key Vault Secret URL. It should be in the format
https://<vaultEndpoint>/secrets/<secretName>/<secretVersion>.",
"target": "certificateUrl"
}
}'
So my question is: How can I reference the certificate in a way that I get the latest version?
For clarity, I am using the URL in the secrets section of the ARM template for a VM as follows, which gets the certificate from the Azure key vault and installs it into the Windows certificate store.
"secrets": [
  {
    "sourceVault": {
      "id": "[resourceId(parameters('keyVaultResourceGroupName'), 'Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
    },
    "vaultCertificates": [
      {
        "certificateUrl": "https://contoso.vault.azure.net/secrets/web01-test-contoso-com/latest",
        "certificateStore": "My"
      }
    ]
  }
]
NOTE: I would find it odd that you can specify the latest version of an OS to install, but you cannot specify to install the latest version of a certificate.
It is possible, contrary to what the accepted answer says. Define a variable with the secret's resource id like this, for example:
"mySecretResourceId": "[concat(resourceGroup().id,'/providers/Microsoft.KeyVault/vaults/', variables('keyVaultName'), '/secrets/', 'my-secret-name')]"
then you can use it in your template as follows:
"certificateUrl": "[reference(variables('mySecretResourceId'), '2018-02-14').secretUriWithVersion]"