azure - Create a Batch account and a Key Vault in a single ARM script

Tags azure azure-resource-manager azure-keyvault azure-rm-template

I am trying to add a Batch account (in user subscription mode) configuration to an ARM script, but I have run into a circular dependency problem.

  • The Batch account needs a KeyVaultReference.
  • The Key Vault access policy needs the Batch account object ID.

In this situation I cannot create fully configured services. Do you know how to create both of these services from the same ARM script?

See the example below:

{
  "name": "[variables('keyVaultName')]",
  "type": "Microsoft.KeyVault/vaults",
  "location": "[resourceGroup().location]",
  "apiVersion": "2015-06-01",
  "properties": {
    "sku": {
      "family": "A",
      "name": "Standard"
    },
    "tenantId": "[subscription().tenantId]",
    "accessPolicies": [
      {
        "tenantId": "[subscription().tenantId]",
        "objectId": "[resourceId('Microsoft.Batch/batchAccounts', variables('batchAccountName'))]",
        "permissions": {
          "keys": [
            "Update"
          ]
        }
      }
    ]
  },
  "dependsOn": [
    "[resourceId('Microsoft.Batch/batchAccounts', variables('batchAccountName'))]"
  ]
},
{
  "name": "[variables('batchAccountName')]",
  "type": "Microsoft.Batch/batchAccounts",
  "location": "[resourceGroup().location]",
  "apiVersion": "2017-05-01",
  "properties": {
    "poolAllocationMode": "UserSubscription",
    "autoStorage": {
      "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', variables('batchAccountStorageAccountName'))]"
    },
    "keyVaultReference": {
      "id": "[concat(subscription().id, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.KeyVault/vaults/', variables('keyVaultName'))]",
      "url": "[concat('https://', variables('keyVaultName'), '.vault.azure.net/')]"
    }
  },
  "dependsOn": [
    "[resourceId('Microsoft.Storage/storageAccounts', variables('batchAccountStorageAccountName'))]",
    "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]"
  ]
}
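
As an added example (not part of the question or of the answer): a small Python linter that builds the deployment-order graph from the posted fragment's dependsOn entries, reports the cycle, and flags the accessPolicies objectId. It encodes two points a practitioner would check first: ARM rejects a dependsOn cycle outright, and an access-policy objectId must be the Azure AD object ID (a GUID) of a principal, which is not the ARM resource ID that resourceId() produces. The resource dicts are a constructed copy of the fragment above, trimmed to the fields the checks read; the dependency regex only covers the resourceId() and concat() spellings used on this page.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed copy of the two resources posted in the question (only the
# fields the checks below look at are kept).
QUESTION_RESOURCES: List[dict] = [
    {
        "name": "[variables('keyVaultName')]",
        "type": "Microsoft.KeyVault/vaults",
        "properties": {
            "accessPolicies": [
                {
                    "objectId": "[resourceId('Microsoft.Batch/batchAccounts', variables('batchAccountName'))]",
                    "permissions": {"keys": ["Update"]},
                }
            ]
        },
        "dependsOn": [
            "[resourceId('Microsoft.Batch/batchAccounts', variables('batchAccountName'))]"
        ],
    },
    {
        "name": "[variables('batchAccountName')]",
        "type": "Microsoft.Batch/batchAccounts",
        "properties": {"poolAllocationMode": "UserSubscription"},
        "dependsOn": [
            "[resourceId('Microsoft.Storage/storageAccounts', variables('batchAccountStorageAccountName'))]",
            "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]",
        ],
    },
]

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Matches the two dependsOn spellings used on this page:
#   [resourceId('Type/kind', <name expr>)]   and   [concat('Type/kind/', <name expr>)]
DEP_RE = re.compile(r"^\[(?:resourceId|concat)\('([^']+?)/?',\s*(.+)\)\]$")


def resource_node(res: dict) -> str:
    """Key a resource as 'type|name-expression' so dependsOn entries can be matched."""
    name = res["name"]
    name = name[1:-1] if name.startswith("[") and name.endswith("]") else f"'{name}'"
    return f"{res['type']}|{name.strip()}"


def build_graph(resources: List[dict]) -> Dict[str, Set[str]]:
    """Edges point from a resource to the resources it waits for."""
    graph: Dict[str, Set[str]] = {resource_node(r): set() for r in resources}
    for res in resources:
        for dep in res.get("dependsOn", []):
            m = DEP_RE.match(dep)
            if not m:
                raise ValueError(f"unrecognised dependsOn expression: {dep}")
            graph[resource_node(res)].add(f"{m.group(1)}|{m.group(2).strip()}")
    return graph


def find_cycle(graph: Dict[str, Set[str]]) -> Optional[List[str]]:
    """Return one cycle as [a, b, ..., a], or None if the deployment order is a DAG."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour: Dict[str, int] = {}
    stack: List[str] = []

    def visit(node: str) -> Optional[List[str]]:
        colour[node] = GREY
        stack.append(node)
        for dep in graph.get(node, ()):  # undeclared deps (the storage account here) are leaves
            state = colour.get(dep, WHITE)
            if state == GREY:
                return stack[stack.index(dep):] + [dep]
            if state == WHITE:
                found = visit(dep)
                if found:
                    return found
        stack.pop()
        colour[node] = BLACK
        return None

    for node in list(graph):
        if colour.get(node, WHITE) == WHITE:
            found = visit(node)
            if found:
                return found
    return None


def bad_access_policy_object_ids(resources: List[dict]) -> List[str]:
    """objectId must be a principal's Azure AD object ID, never an ARM resource ID."""
    findings = []
    for res in resources:
        if res.get("type") != "Microsoft.KeyVault/vaults":
            continue
        for pol in res.get("properties", {}).get("accessPolicies", []):
            oid = pol.get("objectId", "")
            if "resourceId(" in oid:
                findings.append(f"{oid}: ARM resource ID used where an AAD object ID is required")
            elif not oid.startswith("[") and not GUID_RE.match(oid):
                findings.append(f"{oid}: literal objectId is not a GUID")
    return findings


if __name__ == "__main__":
    cycle = find_cycle(build_graph(QUESTION_RESOURCES))
    print("dependsOn cycle:", " -> ".join(cycle) if cycle else "none")
    for finding in bad_access_policy_object_ids(QUESTION_RESOURCES):
        print("access policy:", finding)
```

Run against the fragment above it reports the vault -> batch -> vault cycle and the resourceId() objectId. Note that a resourceId() expression inside properties does not create an implicit dependency; the cycle here comes purely from the two explicit dependsOn entries, so dropping the vault's dependsOn on the Batch account (and supplying a real principal object ID) is enough to make the order a DAG.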

Best answer

Key Vault access policies require BatchAccount object id.

The object ID has nothing to do with the Batch account. The object ID is the object ID of the user you configure to have access to the Key Vault. The user can be an Azure AD account, a Microsoft account, or a service principal. For an Azure AD account, you can get the ID with the PowerShell cmdlet Get-AzureRmADUser. This blog may help.

Batch account requires KeyVaultReference.

As you have done, you can add a dependency on the Key Vault when creating the Batch account. The following template works for me.

{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "location": {
            "defaultValue": "eastus",
            "type": "string"
        },
        "batchAccountName": {
            "defaultValue": "shui568",
            "type": "string"
        },
        "storageAccountName": {
            "defaultValue": "shui41f",
            "type": "string"
        },
        "storageAccountType": {
            "defaultValue": "Standard_LRS",
            "type": "string"
        },
         "vaults_shuibatch_name": {
            "defaultValue": "shui225",
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "name": "[parameters('batchAccountName')]",
            "type": "Microsoft.Batch/batchAccounts",
            "apiVersion": "2017-05-01",
            "location": "[parameters('location')]",
            "dependsOn": [
                "[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",
                "[concat('Microsoft.KeyVault/vaults/', parameters('vaults_shuibatch_name'))]"
            ],
            "properties": {
                "poolAllocationMode": "usersubscription",
                "KeyVaultReference": {

                    "id": "[resourceId('Microsoft.KeyVault/vaults', parameters('vaults_shuibatch_name'))]",
                    "url": "[concat('https://',parameters('vaults_shuibatch_name'),'.vault.azure.net/')]"
                },
                "autoStorage": {
                    "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
                }
            }
        },
        {
            "name": "[parameters('storageAccountName')]",
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2015-06-15",
            "location": "[parameters('location')]",
            "properties": {
                "accountType": "[parameters('storageAccountType')]"
            }
        },
        {
            "comments": "Generalized from resource: '/subscriptions/***************/resourceGroups/shuibatch/providers/Microsoft.KeyVault/vaults/shuibatch'.",
            "type": "Microsoft.KeyVault/vaults",
            "name": "[parameters('vaults_shuibatch_name')]",
            "apiVersion": "2015-06-01",
            "location": "eastus",
            "tags": {},
            "scale": null,
            "properties": {
                "sku": {
                    "family": "A",
                    "name": "Standard"
                },
                "tenantId": "[subscription().tenantId]",
                "accessPolicies": [
                    {
                        "tenantId": "[subscription().tenantId]",
                        "objectId": "3ff89f78-2a60-4fef-8ee5-c249d03549d1",
                        "permissions": {
                            "secrets": [
                                "All"
                            ]
                        }
                    }
                ],
                "enabledForDeployment": true
            },
            "dependsOn": []
        }
    ]
}
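
An added example, not code from the answer: the accepted template grants "secrets": ["All"] to a hard-coded object ID that is specific to the answerer's tenant. Anyone who copies that GUID verbatim grants full secret access to a principal they know nothing about, and All is wider than the Batch service needs. The helper below reports both problems and rewrites the policy so the object ID is supplied as a deployment parameter (the parameter name batchServicePrincipalObjectId is an assumption) with an explicit permission list. Get, List, Set, Delete is what I assume the Batch user-subscription-mode documentation asks for on the vault; confirm it against the current docs before relying on it. The template dict is a constructed, trimmed copy of the answer's.

```python
import copy
import json
import re
from typing import Dict, List

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed: the Key Vault part of the answer's template, as posted.
ANSWER_TEMPLATE: Dict = {
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "vaults_shuibatch_name": {"defaultValue": "shui225", "type": "String"},
    },
    "resources": [
        {
            "type": "Microsoft.KeyVault/vaults",
            "name": "[parameters('vaults_shuibatch_name')]",
            "apiVersion": "2015-06-01",
            "location": "eastus",
            "properties": {
                "sku": {"family": "A", "name": "Standard"},
                "tenantId": "[subscription().tenantId]",
                "accessPolicies": [
                    {
                        "tenantId": "[subscription().tenantId]",
                        "objectId": "3ff89f78-2a60-4fef-8ee5-c249d03549d1",
                        "permissions": {"secrets": ["All"]},
                    }
                ],
                "enabledForDeployment": True,
            },
        }
    ],
}

# Assumption: the explicit secret permissions Batch needs in user-subscription
# mode, used in place of the wildcard "All". Verify against current documentation.
BATCH_SECRET_PERMISSIONS = ["Get", "List", "Set", "Delete"]
PRINCIPAL_PARAM = "batchServicePrincipalObjectId"  # hypothetical parameter name


def vault_resources(template: Dict) -> List[dict]:
    return [r for r in template.get("resources", []) if r.get("type") == "Microsoft.KeyVault/vaults"]


def policy_findings(template: Dict) -> List[str]:
    """Access-policy settings a reviewer would push back on."""
    findings = []
    for vault in vault_resources(template):
        for i, pol in enumerate(vault.get("properties", {}).get("accessPolicies", [])):
            if GUID_RE.match(pol.get("objectId", "")):
                findings.append(f"accessPolicies[{i}]: hard-coded, tenant-specific principal object ID")
            for kind, perms in pol.get("permissions", {}).items():
                if any(p.lower() == "all" for p in perms):
                    findings.append(f"accessPolicies[{i}]: wildcard '{kind}' permissions")
    return findings


def harden(template: Dict) -> Dict:
    """Copy of the template with the principal parameterised and permissions minimised."""
    out = copy.deepcopy(template)
    out.setdefault("parameters", {})[PRINCIPAL_PARAM] = {
        "type": "string",
        "metadata": {"description": "Azure AD object ID of the principal granted vault access"},
    }
    for vault in vault_resources(out):
        for pol in vault["properties"].get("accessPolicies", []):
            if GUID_RE.match(pol.get("objectId", "")):
                pol["objectId"] = f"[parameters('{PRINCIPAL_PARAM}')]"
            perms = pol.get("permissions", {})
            if "secrets" in perms and any(p.lower() == "all" for p in perms["secrets"]):
                perms["secrets"] = list(BATCH_SECRET_PERMISSIONS)
    return out


if __name__ == "__main__":
    for finding in policy_findings(ANSWER_TEMPLATE):
        print("finding:", finding)
    print(json.dumps(harden(ANSWER_TEMPLATE), indent=2))
```

At deployment time the object ID is then passed in explicitly, resolved in your own tenant (for a service principal, for example via Get-AzureRmADServicePrincipal or az ad sp show), so the template itself never carries a GUID that only means something in someone else's directory.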

Regarding azure - Create a Batch account and a Key Vault in a single ARM script, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/46039205/
