Conditionally adding an ARM KeyVault access policy

Problem description

Is it possible to add an access policy via a conditional statement? Basically, if environment == production, I don't want to add the registration.

My template contains the following, but if the environment is production I don't want to add the application named foobarapplicationId. Can I do this inline, or do I need a separate template? Would setting foobarapplicationId to an empty string work?

    {
      "name": "[variables('keyvault-name')]",
      "type": "Microsoft.keyvault/vaults",
      "apiVersion": "2016-10-01",
      "location": "[resourceGroup().location]",
      "properties": {
        "tenantId": "[subscription().tenantId]",
        "sku": {
          "family": "A",
          "name": "standard"
        },
        "accesspolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[parameters('keyvaultOwner')]",
            "permissions": {
              "keys": [ "all" ],
              "secrets": [ "all" ],
              "certificates": [ "all" ],
              "storage": [ ]
            }
          },
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[parameters('foobarapplicationId')]",
            "permissions": {
              "keys": [ "get", "wrapKey", "unwrapKey", "sign", "verify", "list" ],
              "secrets": [ "get" ],
              "certificates": [ "get" ]
            }
          }
        ]
      }
    }

Solution

This would be adding a condition section inside the single access policy, which would take an environment parameter like so:

    {
      "condition": "[not(equals(parameters('environment'),'PROD'))]",
      "tenantId": "[subscription().tenantId]",
      "objectId": "[parameters('foobarApplicationId')]",
      "permissions": {
        "keys": [ "get", "wrapKey", "unwrapKey", "sign", "verify", "list" ],
        "secrets": [ "get" ],
        "certificates": [ "get" ],
        "storage": [ ]
      }
    }
The "condition" inside "accessPolicies" does not seem to have any effect for me. It causes no validation or deployment error, but the access policy is added even when the condition evaluates to false.

I found the following trick works better: use an if clause for your "objectId" and "permissions", so that if the condition is false you assign an empty set of permissions to an empty GUID, which is effectively a no-op.

    {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "variables": {
        "keyVaultNoPermissions": { },
        "keyVaultAppReadPermissions": {
          "keys": [ "get", "list" ],
          "secrets": [ "get" ],
          "certificates": [ "get", "list" ]
        }
      },
      "resources": [
        // ...
        {
          "type": "Microsoft.KeyVault/vaults/accessPolicies",
          "apiVersion": "2016-10-01",
          "name": "[concat(parameters('keyVaultName'),'/add')]",
          "location": "[resourceGroup().location]",
          "dependsOn": [
            "[parameters('keyVaultName')]"
          ],
          "properties": {
            "accessPolicies": [
              {
                "tenantId": "[subscription().tenantId]",
                "objectId": "[if(not(equals(parameters('environment'),'PROD')),parameters('foobarApplicationId'),'00000000-0000-0000-0000-000000000000')]",
                "permissions": "[if(not(equals(parameters('environment'),'PROD')),variables('keyVaultAppReadPermissions'),variables('keyVaultNoPermissions'))]"
              }
            ]
          }
        }
      ]
    }
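To check the no-op trick offline before a deployment, the following added Python example (not part of either answer) evaluates only the template functions the policy entry uses (if, not, equals, parameters, variables) and renders the entry for each environment; the VARIABLES dictionary, the sample application GUID and the policy_for helper are constructed for the example.

```python
import re

# Constructed sample: the conditional fields of the access-policy entry from the answer above.
POLICY = {
    "objectId": "[if(not(equals(parameters('environment'),'PROD')),"
                "parameters('foobarApplicationId'),'00000000-0000-0000-0000-000000000000')]",
    "permissions": "[if(not(equals(parameters('environment'),'PROD')),"
                   "variables('keyVaultAppReadPermissions'),variables('keyVaultNoPermissions'))]",
}
VARIABLES = {"keyVaultNoPermissions": {}, "keyVaultAppReadPermissions": {
    "keys": ["get", "list"], "secrets": ["get"], "certificates": ["get", "list"]}}
# Token groups: 1 = 'string literal', 2 = function name, 3 = punctuation.
TOKEN = re.compile(r"'([^']*)'|([A-Za-z_]\w*)|([(),])")
# The template functions the policy uses. equals() on strings is case-sensitive
# in ARM, so an environment value of 'prod' does NOT match 'PROD'.
FUNCS = {
    "parameters": lambda args, params, vars_: params[args[0]],
    "variables": lambda args, params, vars_: vars_[args[0]],
    "equals": lambda args, params, vars_: args[0] == args[1],
    "not": lambda args, params, vars_: not args[0],
    "if": lambda args, params, vars_: args[1] if args[0] else args[2],
}

def render(value, parameters, variables=VARIABLES):  # resolve "[...]" expressions in a fragment
    if isinstance(value, dict):
        return {k: render(v, parameters, variables) for k, v in value.items()}
    if not (isinstance(value, str) and value.startswith("[") and value.endswith("]")):
        return value  # plain literal, nothing to evaluate
    toks = [(m.lastindex, m.group(m.lastindex)) for m in TOKEN.finditer(value[1:-1])]
    def parse():  # recursive descent over  name(arg, arg, ...)  and  'literal'
        kind, text = toks.pop(0)
        if kind == 1:
            return text
        if kind != 2 or toks.pop(0) != (3, "("):
            raise ValueError(f"unexpected token {text!r} in {value}")
        args = []
        while toks[0] != (3, ")"):
            args.append(parse())
            if toks[0] == (3, ","):
                toks.pop(0)
        toks.pop(0)  # the closing parenthesis
        return FUNCS[text](args, parameters, variables)
    result = parse()
    if toks:
        raise ValueError(f"trailing tokens in {value}")
    return result

def policy_for(environment, app_id="11111111-2222-3333-4444-555555555555"):
    # app_id is a constructed sample GUID standing in for parameters('foobarApplicationId')
    return render(POLICY, {"environment": environment, "foobarApplicationId": app_id})
```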