部署中的密钥保管库值和链接模板参数 [英] Key vault values from deployment, and linked templates parameters
问题描述
我有一个模板来创建密钥保管库和其中的秘密.我还有一个服务结构模板,它需要 Key Vault 中的 3 个东西:Vault URI、证书 URL 和证书指纹.
I have a template to create a key vault and a secret within it. I also have a service fabric template, that requires 3 things from the key vault: the Vault URI, the certificate URL, and the certificate thumbprint.
如果我使用 powershell 创建密钥库和密钥,很容易从输出中手动复制这 3 项内容,并将它们粘贴到服务结构模板的参数中.但是,由于此证书与 Service Fabric 群集具有相同的生命周期,因此我希望做的是从 Key Vault 模板链接到 Service Fabric 模板,因此当我部署 Key Vault 和 Secret 时(顺便说一句,这是一个已被 base 64 编码为字符串的密钥.我可以将其作为另一个密钥库中的秘密...),我可以将 3 个值作为参数传递.
If I create the key vault and secret with powershell, it is easy to manually copy these 3 things from the output, and paste them into the parameters of the service fabric template. However, what I am hoping to do, due to the fact that this cert has the same life cycle as the service fabric cluster, is to link from the key vault template to the service fabric template, so when I deploy the key vault and secret (which btw is a key that has been base 64 encoded to a string. I could have this as a secret in yet another key vault...), I can pass the 3 values on as parameters.
所以我有两个问题.
如何检索 arm 模板中的 3 个值.Powershell 将它们输出为密钥保管库的ResourceId"、机密的Id"和机密的版本".我的尝试:
How do I retrieve the 3 values in the arm template. Powershell outputs them as 'ResourceId' of the key vault, 'Id' of the secret, and 'Version' of the secret. My attempt:
"sourceVaultValue": {
"value": "resourceId('Microsoft.KeyVault/vaults/', parameters('keyVaultName')"
},
"certificateThumbprint": {
"value": "[listKeys(resourceId('secrets', parameters('secretName')), '2015-06-01')"
},
"certificateUrlValue": { "value": "[concat('https://', parameters('keyVaultName'), '.vault.azure.net:443/secrets/', parameters('secretName'), resourceId('secrets', parameters('secretName')))]"
但是certificateUrlValue 不正确.您可以看到我尝试使用和不使用 listKeys,但似乎都不起作用......(指纹在 certUrl 本身内)
But the certificateUrlValue is incorrect. You can see I tried with and without listKeys, but neither seemed to work... (The thumbprint is within the certUrl itself)
- 如果我要获得正确的值,我想尝试将它们作为参数传递给下一个模板.有问题的模板比我想传递的 3 个参数多得多.那么是否有可能有一个 parametersLink 元素来链接到参数文件,以及一个仅用于这三个的参数元素?或者是否有一种预期的方式来做到这一点?
干杯
推荐答案
好的,当你回到键盘时试试这个...
Ok, try this when you get back to the keyboard...
1) 对于 uri,您可以使用如下输出:
1) for the uri, you can use an output like:
"secretUri": {
"type": "string",
"value": "[reference(resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), parameters('secretName'))).secretUri]"
}
对于#2,你不能混合和匹配链接和某些值,它是一个或另一个.
For #2, you cannot mix and match the link and some values, it's one or the other.
关于如何执行此操作的一些想法(这在一定程度上取决于您希望如何构建部署的其余部分)...
A couple thoughts on how you could do this (it depends a bit on how you want to structure the rest of your deployment)...
- 一种思考方式是不要嵌套 SF,而是将它们部署在同一个模板中,因为它们具有相同的生命周期
- 不是嵌套 SF 模板,而是嵌套 KV 模板并在 SF 模板中引用该部署的输出...
除此之外,我想不出任何优雅的东西——因为你想将动态"参数传递给嵌套部署,真正做到这一点的唯一方法是在链接后面动态写入参数文件或传递所有参数进入部署资源.
Aside from that I can't think of anything elegant - since you want to pass "dynamic" params to a nested deployment really the only way to do that is to dynamically write the param file behind the link or pass all the params into the deployment resource.
HTH - LMK 如果没有...
HTH - LMK if it doesn't...
这篇关于部署中的密钥保管库值和链接模板参数的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
