部署期间如何使用 Azure Key Vault 传递安全参数值?
Posted
技术标签:
【中文标题】部署期间如何使用 Azure Key Vault 传递安全参数值?【英文标题】:How to use Azure Key Vault to pass secure parameter value during deployment? 【发布时间】:2020-10-02 10:28:46 【问题描述】:我有一个用于在 Azure 管道中部署 Service Fabric 集群的 ARM 模板:
- task: AzureResourceManagerTemplateDeployment@3
displayName: 'Deploy SF cluster'
inputs:
deploymentScope: 'Resource Group'
subscriptionId: '$ parameters.SubscriptionId '
azureResourceManagerConnection: '$ parameters.ArmConnection '
action: 'Create Or Update Resource Group'
resourceGroupName: '$ parameters.ResourceGroupName '
location: 'West Europe'
templateLocation: 'Linked artifact'
csmFile: '$(Build.SourcesDirectory)/pipelines/templates/sfcluster.json'
csmParametersFile: '$(Build.SourcesDirectory)/pipelines/templates/sfcluster-params.json'
overrideParameters: '-certificateThumbprint $(Thumbprint) -sourceVaultResourceId $(KeyvaultId) -certificateUrlValue $(SecretId)'
deploymentMode: 'Incremental'
当我使用 ARM 模板时(因为在 5 个不同的管道中使用了很多天):
"osProfile":
"adminUsername": "RdpUsername",
"adminPassword": "RdpPassword",
"computernamePrefix": "[variables('vmNodeType0Name')]",
"secrets": [
"sourceVault":
"id": "[parameters('sourceVaultResourceId')]"
,
"vaultCertificates": [
"certificateStore": "My",
"certificateUrl": "[parameters('certificateUrlValue')]"
]
]
,
然而,拥有硬编码的 RDP 凭据是一个安全问题,所以我想Use Azure Key Vault to pass secure parameter value during deployment
所以我将 2 个随机秘密字符串添加到 Keyvault,它在管道中较早部署,然后尝试:
"osProfile":
"adminUsername":
"reference":
"keyVault":
"id": "[parameters('sourceVaultResourceId')]"
,
"secretName": "RdpUsername"
,
"adminPassword":
"reference":
"keyVault":
"id": "[parameters('sourceVaultResourceId')]"
,
"secretName": "RdpPassword"
,
"computernamePrefix": "[variables('vmNodeType0Name')]",
"secrets": [
"sourceVault":
"id": "[parameters('sourceVaultResourceId')]"
,
"vaultCertificates": [
"certificateStore": "My",
"certificateUrl": "[parameters('certificateUrlValue')]"
]
]
,
不幸的是,这会产生错误:
解析值时遇到意外字符:。路径“properties.virtualMachineProfile.osProfile.adminUsername”,第 1 行,位置 3178。
我的问题是:为什么括号 出乎意料?
我的 ARM 模板基于 azure-quickstart-templates/service-fabric-secure-cluster-5-node-1-nodetype 并且如上所述使用硬编码值。
更新:
这是我的 sfcluster-params.json(但也请注意下面列出的管道任务中的 overrideParameters 并填充了 Keyvault 部署设置的管道变量):
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters":
"clusterName":
"value": "sfcluster"
我的 Azure 管道的更大部分在这里:
# deploy KeyVault by ARM template and output VinHashKey and SF Cluster certificate thumbsprint
- task: AzureResourceManagerTemplateDeployment@3
displayName: 'Deploy Keyvault'
inputs:
deploymentScope: 'Resource Group'
subscriptionId: '$ parameters.SubscriptionId '
azureResourceManagerConnection: '$ parameters.ArmConnection '
action: 'Create Or Update Resource Group'
resourceGroupName: '$ parameters.ResourceGroupName '
location: 'West Europe'
templateLocation: 'Linked artifact'
csmFile: '$(Build.SourcesDirectory)/pipelines/templates/keyvault.json'
csmParametersFile: '$(Build.SourcesDirectory)/pipelines/templates/keyvault-params.json'
deploymentMode: 'Incremental'
# collect outputs from the above ARM task and put them into pipeline vars
- task: ARM Outputs@5
displayName: 'Collect Keyvault output'
inputs:
ConnectedServiceNameSelector: 'ConnectedServiceNameARM'
ConnectedServiceNameARM: '$ parameters.ArmConnection '
resourceGroupName: '$ parameters.ResourceGroupName '
whenLastDeploymentIsFailed: 'fail'
# import the certificate my-self-signed-cert into the Keyvault if it is missing there
- task: AzurePowerShell@5
displayName: 'Import certificate'
inputs:
azureSubscription: '$ parameters.ArmConnection '
ScriptType: 'InlineScript'
azurePowerShellVersion: '3.1.0'
Inline: |
$Cert = Get-AzKeyVaultCertificate -VaultName $(KeyVaultName) -Name my-self-signed-cert
if (!$Cert)
$Pwd = ConvertTo-SecureString -String MyPassword -Force -AsPlainText
$Base64 = 'MII....gfQ'
$Cert = Import-AzKeyVaultCertificate -VaultName $(KeyVaultName) -Name my-self-signed-cert -CertificateString $Base64 -Password $Pwd
# set the pipeline variables Thumbprint and SecretId - needed for SF deployment
echo "##vso[task.setvariable variable=Thumbprint]$($Cert.Thumbprint)"
echo "##vso[task.setvariable variable=SecretId]$($Cert.SecretId)"
# deploy SF cluster by ARM template and use the SF certificate thumbsprint as admin cert
- task: AzureResourceManagerTemplateDeployment@3
displayName: 'Deploy SF cluster'
inputs:
deploymentScope: 'Resource Group'
subscriptionId: '$ parameters.SubscriptionId '
azureResourceManagerConnection: '$ parameters.ArmConnection '
action: 'Create Or Update Resource Group'
resourceGroupName: '$ parameters.ResourceGroupName '
location: 'West Europe'
templateLocation: 'Linked artifact'
csmFile: '$(Build.SourcesDirectory)/pipelines/templates/sfcluster.json'
csmParametersFile: '$(Build.SourcesDirectory)/pipelines/templates/sfcluster-params.json'
overrideParameters: '-certificateThumbprint $(Thumbprint) -sourceVaultResourceId $(KeyvaultId) -certificateUrlValue $(SecretId)'
deploymentMode: 'Incremental'
最后,这里是sfcluster.json - 它太大了,不能放在 *** 上。
【问题讨论】:
【参考方案1】:keyVault 引用只能用作参数值 - 因此在参数文件或部署的参数属性中。您不能直接将其用作资源的属性值。
【讨论】:
但我使用它作为参数 - 使用parameters('sourceVaultResourceId')。您能否解释一下我的情况以及如何解决?我应该改用concat(...) 吗?
可以分享更多的模板/参数文件吗?是原始的还是会重现您的问题的东西?
好的,就是这样:gist.github.com/afarber/… - 您不能仅在参数文件(或嵌套部署)中使用模板中的引用属性。如果您想使用动态 resourceId 确实会变得很棘手,那么您必须将部署嵌套在您想要使用它的位置:docs.microsoft.com/en-us/azure/azure-resource-manager/templates/…以上是关于部署期间如何使用 Azure Key Vault 传递安全参数值?的主要内容,如果未能解决你的问题,请参考以下文章
Azure RM 模板。使用 Key Vault 密码部署副本 VM
如何在函数应用中引用 Azure Key Vault 中的密钥?
通过 ARM 模板部署 Azure ML MSI 可在 Key Vault 上启用清除保护
Azure Key Vault 使用Azure Portal创建和查看Azure Key Vault