我有一个ARM模板,用于创建存储帐户和密钥库:
...
{
"apiVersion": "2019-04-01",
"type": "Microsoft.Storage/storageAccounts",
"name": "mystorageaccountname",
"location": "canadacentral",
"sku": {
"name": "Standard_LRS"
},
"kind": "StorageV2",
"properties": {
"supportsHttpsTrafficOnly": true
}
}
...
...
{
"apiVersion": "2019-09-01",
"type": "Microsoft.KeyVault/vaults",
"name": "mykeyvault",
"location": "canadacentral",
"properties": {
"tenantId": "[subscription().tenantId]",
"sku": {
"family": "A",
"name": "standard"
},
"accessPolicies": []
}
}
...
我想让我的密钥保管库管理存储帐户。不幸的是,到目前为止,我发现的例子都是Powershell脚本。
在ARM模板文档中,我不清楚如何实现这样的东西。
问题
如何在ARM模板中配置密钥保管库以管理存储帐户?
直到一段时间前,还不可能做这样的事情,因为ARM模板不支持直接从它们创建Azure KV密钥。最近发布了一个更新,它终于可以使用了:
{
"type": "Microsoft.KeyVault/vaults/keys",
"name": "[concat(parameters('vaultName'), '/', parameters('keyName'))]",
"apiVersion": "2019-09-01",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.KeyVault/vaults', parameters('vaultName'))]"
],
"properties": {
"kty": "[parameters('keyType')]",
"keyOps": "[parameters('keyOps')]",
"keySize": "[if(equals(parameters('keySize'), -1), json('null'), parameters('keySize'))]",
"curveName": "[parameters('curveName')]"
}
}
你可以在这里看到完整的例子-https://learn.microsoft.com/en-us/azure/key-vault/keys/quick-create-template?tabs=CLI.有了它,您就可以直接引用存储帐户密钥值并将其放入Azure密钥库。你可以尝试使用这种结构:
[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]