在現有keyvault中創建KeyVault祕密

Question

在ARM模板中，我想在預先存在的KeyVault中編寫一個祕密 - 我還沒有將其創建爲當前模板的一部分。

我使用此代碼

{ 
     "dependsOn": [ 
      "/subscriptions/<my-subscription-id>/resourceGroups/<my-resource-group>/providers/Microsoft.KeyVault/vaults/keyvaulttest" 
     ], 
     "type": "Microsoft.KeyVault/vaults/secrets", 
     "name": "keyvaulttest/test", 
     "apiVersion": "2015-06-01", 
     "tags": { 
      "displayName": "secret" 
     }, 
     "properties": { 
      "value": "value1" 
     } 
    } 

部署過程我得到以下異常（在dependsOn項目）

部署模板驗證失敗：「資源 」 Microsoft.KeyVault/vaults/keyvaulttest'未在 模板中定義。請參閱https://aka.ms/arm-template瞭解使用細節。'。 （代碼：InvalidTemplate）

我也試着用這種替換dependsOn值（獲取資源ID動態），但我得到了同樣的異常

[resourceId('<resourceGroup>','Microsoft.KeyVault/vaults','keyvaulttest')] 

任何其他方式我可以用來從ARM模板中保存密鑰中的密鑰？

Answer 1

您需要將資源Microsoft.KeyVault/vaults添加到您的模板。當您創建密鑰保管庫時，它將使用您的密鑰保管庫不創建新的密鑰保管庫。以下模板適用於我。

"resources": [ 
    { 
     "type": "Microsoft.KeyVault/vaults", 
     "name": "shui", 
     "apiVersion": "2015-06-01", 
     "location": "[resourceGroup().location]", 
     "properties": { 
     "sku": { 
     "family": "A", 
     "name": "Standard" 
     }, 
     "tenantId": "[subscription().tenantId]", 
     "accessPolicies": [ 
     { 
     "tenantId": "[subscription().tenantId]", 
     "objectId": "<your Azure account objectID>", 
     "permissions": { 
      "keys": [ "All" ], 
      "secrets": [ "All" ] 
     } 
     } 
    ] 
    } 
}, 
     { 
     "type": "Microsoft.KeyVault/vaults/secrets", 
     "name": "shui/SomeSecret", 
     "apiVersion": "2015-06-01", 
     "properties": { 
     "contentType": "text/plain", 
     "value": "ThisIpsemIsSecret" 
    }, 
     "dependsOn": [ 
      "[resourceId('Microsoft.KeyVault/vaults', 'shui')]" 
      ] 
     } 

    ] 

此博客(Add secrets to your Azure Key Vault using ARM templates) 會有所幫助。

您可以在Azure Portal上找到您的密鑰庫json文件。

將資源"type": "Microsoft.KeyVault/vaults/secrets",添加到json文件中。以下是我用來添加祕密的cmdlet，它適用於我。

PS C:\Users\v-shshui> New-AzureRmResourceGroupDeployment -Name shuitest -ResourceGroupName shui -TemplateFile "D:\vault.json" 

cmdlet New-AzureRmResourceGroupDeployment at command pipeline position 1 
Supply values for the following parameters: 
(Type !? for Help.) 
keyVaultName: shui 


DeploymentName   : shuitest 
ResourceGroupName  : shui 
ProvisioningState  : Succeeded 
Timestamp    : 6/16/2017 3:15:27 AM 
Mode     : Incremental 
TemplateLink   : 
Parameters    : 
          Name    Type      Value 
          =============== ========================= ========== 
          keyVaultName  String      shui 

Outputs     : 
DeploymentDebugLogLevel :