问题描述
我有提供Data Lake的ARM模板,我想将其秘密存储在密钥库中。 我假设我应该像这样在ARM,JSON中使用输出部分,但是如何将其存储在已经存在的(!)Key Vault中?
"outputs": {
"storageAccountName": {
"type": "string","value": "[variables('storageAccountName')]"
},"storageAccountConnectionString": {
"type": "string","value": "[concat('DefaultEndpointsProtocol=https;AccountName=',variables('storageAccountName'),';AccountKey=',listKeys(variables('storageAccountResourceId'),variables('storageAccountApiVersion')).keys[0].value)]"
}
}
解决方法
您可以使用ARM模板将值添加到Key Vault,也可以在ARM模板中从中读取值。
在 resource下面为每个密钥库机密添加:
{
"type": "Microsoft.KeyVault/vaults/secrets","location": "[parameters('location')]","name": "[concat(parameters('keyVaultName'),'/','api','--storageAccountConnectionString')]","apiVersion": "parameters('apiVersion')","dependsOn": [
"[variables('keyVaultResourceId')]","[variables('serviceBusResourceId')]"
],"properties": {
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=',variables('storageAccountName'),';AccountKey=',listKeys(variables('storageAccountResourceId'),variables('storageAccountApiVersion')).keys[0].value)]","contentType": "text/plain"
}
},在部署后通过ARM模板中的参数值阅读此秘密:
"storageAccountConnectionString": {
"reference": {
"keyVault": {
"id": "/subscriptions/YOUR_SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP/providers/Microsoft.KeyVault/vaults/KEY_VAULT_NAME"
},"secretName": "api--storageAccountConnectionString"
}
},