Access Key Vault secret when deploying Azure Managed Applications

When you need to pass a secure value (like a password) as a parameter during deployment, you can retrieve the value from an Azure Key Vault. To access the Key Vault when deploying Managed Applications, you must grant access to the Appliance Resource Provider service principal. The Managed Applications service runs its deployment operations under this identity, so a secret can only be retrieved during deployment if this service principal has been granted access to the vault.

This article describes how to configure the Key Vault to work with Managed Applications.

Enable template deployment

  1. In the portal, select your Key Vault.

  2. Select Access policies.


  3. Select Click to show advanced access policies.


  4. Select Enable access to Azure Resource Manager for template deployment. Then, select Save.


Add service as contributor

  1. Select Access control (IAM).


  2. Select Add role assignment.


  3. Select Contributor for the role. Search for Appliance Resource Provider and select it from the available options.


  4. Select Save.
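The same two configuration steps (enabling template deployment on the vault and assigning Contributor on the vault to the Appliance Resource Provider) scripted with the Az PowerShell module, followed by a read-back of both settings. This is an added example, not part of the original article; the vault name, resource group and subscription ID are placeholders to replace with your own values.

```powershell
# Added example (not from the original article). Requires the Az module and a signed-in session:
#   Install-Module Az ; Connect-AzAccount
$VaultName          = 'kv-managedapp-example'   # assumption: your Key Vault name
$VaultResourceGroup = 'rg-managedapp-example'   # assumption: the vault's resource group
$SubscriptionId     = '<subscription-id>'       # assumption: subscription that holds the vault

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# Step 1 (portal: "Enable access to Azure Resource Manager for template deployment"):
# let Resource Manager read secrets from this vault while a template is being deployed.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName `
                           -ResourceGroupName $VaultResourceGroup `
                           -EnabledForTemplateDeployment

# Step 2 (portal: search for "Appliance Resource Provider"):
# the display name is fixed, but the object ID differs per tenant, so look it up.
$arp = Get-AzADServicePrincipal -DisplayName 'Appliance Resource Provider'
if (-not $arp) {
    throw 'Appliance Resource Provider service principal was not found in this tenant.'
}

# Step 3 (portal: IAM > Add role assignment > Contributor):
# scope the assignment to the vault resource itself, not the resource group or subscription.
$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $VaultResourceGroup
$existing = Get-AzRoleAssignment -ObjectId $arp.Id `
                                 -Scope $vault.ResourceId `
                                 -RoleDefinitionName 'Contributor'
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $arp.Id `
                         -RoleDefinitionName 'Contributor' `
                         -Scope $vault.ResourceId | Out-Null
}

# Read both settings back before relying on them in a managed application deployment.
$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $VaultResourceGroup
[pscustomobject]@{
    Vault                        = $vault.ResourceId
    EnabledForTemplateDeployment = $vault.EnabledForTemplateDeployment
    ContributorAssignedToARP     = [bool](Get-AzRoleAssignment -ObjectId $arp.Id `
                                          -Scope $vault.ResourceId `
                                          -RoleDefinitionName 'Contributor')
}
```

Both values in the final object must be true for the secret reference in the next section to resolve; if a deployment fails to read the secret, these two settings are the first thing to check.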

Reference Key Vault secret

To pass a secret from a Key Vault to a template in your Managed Application, you must use a linked or nested template and reference the Key Vault in the parameters for the linked or nested template. Provide the resource ID of the Key Vault and the name of the secret. In the example below, the reference sits in the `parameters` of the nested `Microsoft.Resources/deployments` resource, not in the outer template's own parameters; the nested deployment uses `"scope": "inner"` so that `parameters('adminPassword')` inside it resolves to the inner template's parameter, and that parameter is declared as `securestring` so its value is not recorded in the deployment history.

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "The location where the resources will be deployed."
      }
    },
    "vaultName": {
      "type": "string",
      "metadata": {
        "description": "The name of the keyvault that contains the secret."
      }
    },
    "secretName": {
      "type": "string",
      "metadata": {
        "description": "The name of the secret."
      }
    },
    "vaultResourceGroupName": {
      "type": "string",
      "metadata": {
        "description": "The name of the resource group that contains the keyvault."
      }
    },
    "vaultSubscription": {
      "type": "string",
      "defaultValue": "[subscription().subscriptionId]",
      "metadata": {
        "description": "The ID of the subscription that contains the keyvault."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2018-05-01",
      "name": "dynamicSecret",
      "properties": {
        "mode": "Incremental",
        "expressionEvaluationOptions": {
          "scope": "inner"
        },
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {
            "adminLogin": {
              "type": "string"
            },
            "adminPassword": {
              "type": "securestring"
            },
            "location": {
              "type": "string"
            }
          },
          "variables": {
            "sqlServerName": "[concat('sql-', uniqueString(resourceGroup().id, 'sql'))]"
          },
          "resources": [
            {
              "type": "Microsoft.Sql/servers",
              "apiVersion": "2018-06-01-preview",
              "name": "[variables('sqlServerName')]",
              "location": "[parameters('location')]",
              "properties": {
                "administratorLogin": "[parameters('adminLogin')]",
                "administratorLoginPassword": "[parameters('adminPassword')]"
              }
            }
          ],
          "outputs": {
            "sqlFQDN": {
              "type": "string",
              "value": "[reference(variables('sqlServerName')).fullyQualifiedDomainName]"
            }
          }
        },
        "parameters": {
          "location": {
            "value": "[parameters('location')]"
          },
          "adminLogin": {
            "value": "ghuser"
          },
          "adminPassword": {
            "reference": {
              "keyVault": {
                "id": "[resourceId(parameters('vaultSubscription'), parameters('vaultResourceGroupName'), 'Microsoft.KeyVault/vaults', parameters('vaultName'))]"
              },
              "secretName": "[parameters('secretName')]"
            }
          }
        }
      }
    }
  ],
  "outputs": {
  }
}

Next steps

You've configured your Key Vault to be accessible during deployment of a Managed Application.