Mount a secret volume in Azure Container Instances

Use a secret volume to supply sensitive information to the containers in a container group. The secret volume stores your secrets in files within the volume, accessible by the containers in the container group. By storing secrets in a secret volume, you can avoid adding sensitive data like SSH keys or database credentials to your application code.

  • Once deployed with secrets in a container group, a secret volume is read-only.
  • All secret volumes are backed by tmpfs, a RAM-backed filesystem; their contents are never written to non-volatile storage.

Note

Secret volumes are currently restricted to Linux containers. Learn how to pass secure environment variables for Linux containers in Set environment variables.

Mount secret volume - Azure CLI

To deploy a container with one or more secrets by using the Azure CLI, include the --secrets and --secrets-mount-path parameters in the az container create command. This example mounts a secret volume consisting of two files containing secrets, "mysecret1" and "mysecret2", at /mnt/secrets:

az container create \
    --resource-group myResourceGroup \
    --name secret-volume-demo \
    --image mcr.microsoft.com/azuredocs/aci-helloworld \
    --secrets mysecret1="My first secret FOO" mysecret2="My second secret BAR" \
    --secrets-mount-path /mnt/secrets

The following az container exec output shows opening a shell in the running container, listing the files within the secret volume, then displaying their contents:

az container exec \
  --resource-group myResourceGroup \
  --name secret-volume-demo --exec-command "/bin/sh"
/usr/src/app # ls /mnt/secrets
mysecret1
mysecret2
/usr/src/app # cat /mnt/secrets/mysecret1
My first secret FOO
/usr/src/app # cat /mnt/secrets/mysecret2
My second secret BAR
/usr/src/app # exit
Bye.

Mount secret volume - YAML

You can also deploy container groups with the Azure CLI and a YAML template. Deploying by YAML template is the preferred method when deploying container groups consisting of multiple containers.

When you deploy with a YAML template, the secret values must be Base64-encoded in the template. However, the secret values appear in plaintext within the files in the container.

The following YAML template defines a container group with one container that mounts a secret volume at /mnt/secrets. The secret volume has two files containing secrets, "mysecret1" and "mysecret2".

apiVersion: '2018-10-01'
location: chinaeast2
name: secret-volume-demo
properties:
  containers:
  - name: aci-tutorial-app
    properties:
      environmentVariables: []
      image: mcr.microsoft.com/azuredocs/aci-helloworld:latest
      ports: []
      resources:
        requests:
          cpu: 1.0
          memoryInGB: 1.5
      volumeMounts:
      - mountPath: /mnt/secrets
        name: secretvolume1
  osType: Linux
  restartPolicy: Always
  volumes:
  - name: secretvolume1
    secret:
      mysecret1: TXkgZmlyc3Qgc2VjcmV0IEZPTwo=
      mysecret2: TXkgc2Vjb25kIHNlY3JldCBCQVIK
tags: {}
type: Microsoft.ContainerInstance/containerGroups

To deploy with the YAML template, save the preceding YAML to a file named deploy-aci.yaml, then execute the az container create command with the --file parameter:

# Deploy with YAML template
az container create \
  --resource-group myResourceGroup \
  --file deploy-aci.yaml

Mount secret volume - Resource Manager

In addition to CLI and YAML deployment, you can deploy a container group using an Azure Resource Manager template.

First, populate the volumes array in the container group properties section of the template. When you deploy with a Resource Manager template, the secret values must be Base64-encoded in the template. However, the secret values appear in plaintext within the files in the container.

Next, for each container in the container group in which you'd like to mount the secret volume, populate the volumeMounts array in the properties section of the container definition.

The following Resource Manager template defines a container group with one container that mounts a secret volume at /mnt/secrets. The secret volume has two secrets, "mysecret1" and "mysecret2".

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "variables": {
    "container1name": "aci-tutorial-app",
    "container1image": "microsoft/aci-helloworld:latest"
  },
  "resources": [
    {
      "name": "secret-volume-demo",
      "type": "Microsoft.ContainerInstance/containerGroups",
      "apiVersion": "2018-10-01",
      "location": "[resourceGroup().location]",
      "properties": {
        "containers": [
          {
            "name": "[variables('container1name')]",
            "properties": {
              "image": "[variables('container1image')]",
              "resources": {
                "requests": {
                  "cpu": 1,
                  "memoryInGb": 1.5
                }
              },
              "ports": [
                {
                  "port": 80
                }
              ],
              "volumeMounts": [
                {
                  "name": "secretvolume1",
                  "mountPath": "/mnt/secrets"
                }
              ]
            }
          }
        ],
        "osType": "Linux",
        "ipAddress": {
          "type": "Public",
          "ports": [
            {
              "protocol": "tcp",
              "port": "80"
            }
          ]
        },
        "volumes": [
          {
            "name": "secretvolume1",
            "secret": {
              "mysecret1": "TXkgZmlyc3Qgc2VjcmV0IEZPTwo=",
              "mysecret2": "TXkgc2Vjb25kIHNlY3JldCBCQVIK"
            }
          }
        ]
      }
    }
  ]
}

To deploy with the Resource Manager template, save the preceding JSON to a file named deploy-aci.json, then execute the az deployment group create command with the --template-file parameter:

# Deploy with Resource Manager template
az deployment group create \
  --resource-group myResourceGroup \
  --template-file deploy-aci.json
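Both the YAML and the Resource Manager templates above require Base64-encoded secret values, and whatever bytes you encode are exactly what the container reads back from the file. The following shell helpers are an added example (not part of the Azure documentation or the aci-helloworld project) that encode values for the secret map, decode a template value to check what the container will see, and emit the YAML volumes entry; the secretvolume1 and mysecret1 names are taken from the templates on this page. Note that piping a value through `echo` before `base64` appends a newline that becomes part of the secret, which is how the template values above were produced (they decode to the secret followed by a line break).

```shell
#!/bin/sh
# Added example: helpers for preparing the Base64 "secret" map used by the
# Azure Container Instances YAML/ARM templates (not from the Azure docs).

# Encode a secret value exactly as given (no trailing newline added).
encode_secret() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Encode the way `echo "$value" | base64` would: the trailing newline from
# echo is encoded too and ends up in the file the container reads.
encode_secret_with_newline() {
  printf '%s\n' "$1" | base64 | tr -d '\n'
}

# Decode a template value to inspect what the container will read. The
# decoded bytes are plaintext, just as they are in /mnt/secrets inside the
# container, so treat this output as sensitive.
decode_secret() {
  printf '%s' "$1" | base64 -d
}

# Emit the `volumes:` entry for a YAML template from name=value pairs,
# e.g. yaml_secret_volume secretvolume1 'mysecret1=value one' 'mysecret2=value two'
yaml_secret_volume() {
  vol="$1"
  shift
  printf 'volumes:\n- name: %s\n  secret:\n' "$vol"
  for pair in "$@"; do
    name=${pair%%=*}
    value=${pair#*=}
    printf '    %s: %s\n' "$name" "$(encode_secret "$value")"
  done
}
```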

Next steps

Volumes

Learn how to mount other volume types in Azure Container Instances:

Secure environment variables

Another method for providing sensitive information to containers (including Windows containers) is through the use of secure environment variables.