我希望有人可以帮助我解决这个问题。
我有 2 个资源组,每个资源组都有一个密钥保管库。如下
rg-test-shared
|-- keyvault kvshared
rg-test-platform
|-- keyvault kvplatform
现在我试图学习和实现的是：如何在 rg-test-shared 中创建一个存储帐户，在该资源组的密钥保管库中创建一个包含连接字符串的机密，并在同一个密钥保管库中创建一个密钥，然后用这个密钥加密该存储帐户。
到目前为止，一切正常。但我决定更进一步，尝试创建第二个资源组 rg-test-platform，其中有第二个密钥保管库。它是作为我的 Bicep 模板中的一个模块运行的。所以我想在 rg-test-platform 的密钥保管库中创建密钥，并使用同一个密钥加密 rg-test-shared 中的存储帐户。这只是为了学习如何使用模块、拆分代码逻辑，并把所有内容放在正确的位置。
在继续之前,这是我的代码:
模块 rg-test-platform（template2.bicep）
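targetScope = 'resourceGroup'

// Deployment-unique test values; newGuid() is only valid as a parameter default.
param deploymentIdOne string = newGuid()
param deploymentIdTwo string = newGuid()

// Default values I'm using to test
// Name of the existing key vault in this (platform) resource group.
param keyVaultApiName string
// Name of the user-assigned identity created here and granted key access.
param managedIdentityNameTwo string
// One key and one secret are created per entry.
param tenantCodes array

var keyVaultKeyPrefix = 'Key-'
var keyVaultKeyPrefixTw = 'SecretPrefix'

// Reference (do not create) the platform key vault.
resource keyvaultApi 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = {
  name: keyVaultApiName
}

resource managedIdentityTwo 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
  name: managedIdentityNameTwo
  location: resourceGroup().location
}

// One RSA wrapping key per tenant code, named '<prefix><TENANT>'.
resource keyVaultKeys 'Microsoft.KeyVault/vaults/keys@2021-06-01-preview' = [for tenantCode in tenantCodes: {
  name: '${keyvaultApi.name}/${keyVaultKeyPrefix}${toUpper(tenantCode)}'
  properties: {
    keySize: 2048
    kty: 'RSA'
    // storage key should only needs these operations
    keyOps: [
      'unwrapKey'
      'wrapKey'
    ]
  }
}]

// Grant managedIdentityTwo the minimum key permissions on this vault.
// NOTE(review): a storage account in another resource group that encrypts with
// these keys authenticates with its own identity, which must also be listed
// here (get/wrapKey/unwrapKey) — confirm against the consuming template.
resource accessPolicyApi 'Microsoft.KeyVault/vaults/accessPolicies@2019-09-01' = {
  name: '${keyvaultApi.name}/add'
  properties: {
    accessPolicies: [
      {
        tenantId: subscription().tenantId
        objectId: managedIdentityTwo.properties.principalId
        permissions: {
          // minimum required permissions
          keys: [
            'get'
            'unwrapKey'
            'wrapKey'
          ]
        }
      }
    ]
  }
}

// Store the connectionstrings in KV if specified
resource clientApiKeys 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = [for name in tenantCodes: {
  name: '${keyvaultApi.name}/${name}${keyVaultKeyPrefixTw}'
  properties: {
    // Test placeholder for a connection string.
    value: '${deploymentIdOne}-${deploymentIdTwo}'
  }
}]

// Values a caller in another resource group needs to encrypt with this vault's
// keys: the vault URI goes into storage encryption.keyvaultproperties.keyvaulturi.
output vaultUri string = keyvaultApi.properties.vaultUri
output keyVaultName string = keyvaultApi.name
// NOTE(review): this output is the same string stored as the secret value above
// and is readable from the deployment history; drop it once real secrets are used.
output deploymentIdOne string = '${deploymentIdOne}-${deploymentIdTwo}'
output deploymentIdTwo string = deploymentIdTwo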
主模板 rg-test-shared
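targetScope = 'resourceGroup'

// Deployment-unique test values; newGuid() is only valid as a parameter default.
param deploymentIdOne string = newGuid()
param deploymentIdTwo string = newGuid()

// Default values I'm using to test
param keyVaultName string = 'XXXX' //<===== KEYVAULT NAME
param managedIdentityName string = 'rg-managed-identity'
param resourcegrouptenant string = 'XXXX' //<=== CHANGE TO PLATFORM RESOURCE GROUP IN DEV/TEST
param tenantCodes array = [
  'min'
]

// I'm using prefix so I dont need to create additional arrays
var keyVaultKeyPrefix = 'Client-Key-'
var storagePrefix = 'sthrideveur'

// Get a reference to key vault
// NOTE(review): customer-managed keys for storage require soft-delete and
// purge protection on this vault — confirm on the existing vault.
resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = {
  name: keyVaultName
}

// Create a managed identity (attached to the storage accounts below)
resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
  name: managedIdentityName
  location: resourceGroup().location
}

// Grant permissions to key vault
resource accessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2019-09-01' = {
  name: '${keyVault.name}/add'
  properties: {
    accessPolicies: [
      {
        tenantId: subscription().tenantId
        objectId: managedIdentity.properties.principalId
        permissions: {
          // minimum required permissions
          keys: [
            'get'
            'unwrapKey'
            'wrapKey'
          ]
        }
      }
    ]
  }
}

// Create key vault keys, one per tenant code, named '<prefix><TENANT>'
resource keyVaultKeys 'Microsoft.KeyVault/vaults/keys@2021-06-01-preview' = [for tenantCode in tenantCodes: {
  name: '${keyVault.name}/${keyVaultKeyPrefix}${toUpper(tenantCode)}'
  properties: {
    keySize: 2048
    kty: 'RSA'
    // storage key should only needs these operations
    keyOps: [
      'unwrapKey'
      'wrapKey'
    ]
  }
}]

// Create storage accounts
// The index is needed so each account can depend on its own key below.
resource storageAccount 'Microsoft.Storage/storageAccounts@2021-04-01' = [for (tenantCode, i) in tenantCodes: {
  name: '${storagePrefix}${tenantCode}'
  location: resourceGroup().location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_RAGRS'
  }
  // Assign the identity
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${managedIdentity.id}': {}
    }
  }
  properties: {
    // NOTE(review): cross-tenant replication, shared-key access and a network
    // defaultAction of 'Allow' are permissive test settings; tighten them
    // before any real data lands here.
    allowCrossTenantReplication: true
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
    allowSharedKeyAccess: true
    networkAcls: {
      bypass: 'AzureServices'
      virtualNetworkRules: []
      ipRules: []
      defaultAction: 'Allow'
    }
    supportsHttpsTrafficOnly: true
    encryption: {
      identity: {
        // specify which identity to use
        userAssignedIdentity: managedIdentity.id
      }
      keySource: 'Microsoft.Keyvault'
      keyvaultproperties: {
        // No keyversion is given, so the account follows the current key version.
        keyname: '${keyVaultKeyPrefix}${toUpper(tenantCode)}'
        // To encrypt with a key created by the clientKeyApi module in the other
        // resource group instead, template2.bicep must expose the vault URI
        // (`output vaultUri string = keyvaultApi.properties.vaultUri`); then use
        // `keyvaulturi: clientKeyApi.outputs.vaultUri`, set keyname to the
        // module's key name, and grant managedIdentity get/wrapKey/unwrapKey on
        // that vault. A module's `.name` is only the deployment name, not a URI.
        keyvaulturi: keyVault.properties.vaultUri
      }
      services: {
        file: {
          keyType: 'Account'
          enabled: true
        }
        blob: {
          keyType: 'Account'
          enabled: true
        }
      }
    }
    accessTier: 'Cool'
  }
  // keyname above is a plain string, so Bicep infers no dependency on the key
  // or on the access policy; without this the account can be created before
  // the key and permissions it wraps with exist.
  dependsOn: [
    accessPolicy
    keyVaultKeys[i]
  ]
}]

// Store the connectionstrings in KV if specified
// NOTE(review): the secret embeds the account key from listKeys(), so anyone
// with secret read access on the vault gets full access to the account.
resource storageAccountConnectionStrings 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = [for (name, i) in tenantCodes: {
  name: '${keyVault.name}/${storagePrefix}${name}'
  properties: {
    value: 'DefaultEndpointsProtocol=https;AccountName=${storageAccount[i].name};AccountKey=${listKeys(storageAccount[i].id, storageAccount[i].apiVersion).keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
  }
}]

// Deploy the platform-vault module once. It already loops over tenantCodes
// itself, so deploying it once per item created the same keys and secrets
// N times in parallel.
module clientKeyApi 'template2.bicep' = {
  name: 'clientKeyApi'
  scope: resourceGroup(resourcegrouptenant)
  params: {
    keyVaultApiName: 'XXXX'
    managedIdentityNameTwo: 'rg-managed-identity-clients'
    tenantCodes: tenantCodes
  }
}

output deploymentIdOne string = '${deploymentIdOne}-${deploymentIdTwo}'
output deploymentIdTwo string = deploymentIdTwo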
到这里为止我没有任何问题；当我尝试更新存储帐户资源，让它引用另一个资源组中的密钥（Key）资源时，问题开始出现。
正如您在存储帐户资源的这几行代码中看到的那样:
keySource: 'Microsoft.Keyvault'
keyvaultproperties: {
keyname: '${keyVaultKeyPrefix}${toUpper(tenantCode)}'
keyvaulturi: keyVault.properties.vaultUri
}
我希望加密使用我在模块中创建的那个密钥，也就是下面这个模块:
// Module declaration from the main template (rg-test-shared): deploys
// template2.bicep into the platform resource group once per tenant code,
// passing the whole tenantCodes array to every deployment.
module clientKeyApi 'template2.bicep' = [for item in tenantCodes :{
// Deployment name, not a vault URI.
name: '${item}'
// Cross-resource-group scope: the module runs in resourcegrouptenant.
scope: resourceGroup(resourcegrouptenant)
params: {
keyVaultApiName: 'XXXX'
managedIdentityNameTwo: 'rg-managed-identity-clients'
tenantCodes: tenantCodes
}
}]
我尝试像下面这样引用这个模块:
keySource: 'Microsoft.Keyvault'
keyvaultproperties: {
keyname: '${keyVaultKeyPrefix}${toUpper(tenantCode)}'
keyvaulturi: clientKeyApi[0].name
}
但这是不对的，因为这样我拿不到密钥保管库的 URI（vault URI），模块的 name 只是部署名称。
请提供任何帮助，因为我不知道如何引用那个密钥保管库来获取该密钥，并用它加密存储帐户。
如果您需要任何信息,请告诉我