I'm hitting a big obstacle here with the implementation logic.
I'm working with Bicep to create these resources:
- a storage account
- a Key Vault
- passing the storage account connection string into a Key Vault secret
- creating a key in Key Vault and encrypting the storage account with that key.
The first three steps are done. If I declare 2 storage accounts, it automatically creates 2 connection-string secrets and 2 keys, and they all match up in pairs (storage name and connection string).
Now the problem I'm facing is the following; first, here is my code.
param tenantCode array = [
  'dsec'
  'sdre'
]
var storageName = [for item in tenantCode: {
  name: string('sthrideveur${item}')
}]
var connectionStringSecretName = [for connection in storageName: {
  name: '${connection.name}'
}]
output connectionStringSecretName array = [for connection in storageName: {
  name: '${connection.name}'
}]
resource storage_Accounts 'Microsoft.Storage/storageAccounts@2021-06-01' = [for name in storageName: {
  name: '${name.name}'
  location: 'westeurope'
  sku: {
    name: 'Standard_RAGRS'
  }
  kind: 'StorageV2'
  properties: {
    allowCrossTenantReplication: true
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
    allowSharedKeyAccess: true
    networkAcls: {
      bypass: 'AzureServices'
      virtualNetworkRules: []
      ipRules: []
      defaultAction: 'Allow'
    }
    supportsHttpsTrafficOnly: true
    encryption: {
      services: {
        file: {
          keyType: 'Account'
          enabled: true
        }
        blob: {
          keyType: 'Account'
          enabled: true
        }
      }
      keySource: 'Microsoft.Storage'
      keyvaultproperties: {
        keyname: '${tenantKey[0]}'
        keyvaulturi: keyVault.id
      }
    }
    accessTier: 'Cool'
  }
}]
resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
  name: 'XXX'
}
// Store the connection string in KV if specified
resource storageAccountConnectionString 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = [for name in storageName: {
  name: '${keyVault.name}/${name.name}'
  properties: {
    value: 'DefaultEndpointsProtocol=https;AccountName=${storage_Accounts[0].name};AccountKey=${listKeys('${storage_Accounts[0].id}', '${storage_Accounts[0].apiVersion}').keys[0].value};EndpointSuffix=${environment().suffixes.storage}'
  }
}]
resource tenantKey 'Microsoft.KeyVault/vaults/keys@2021-06-01-preview' = [for tenant in tenantCode: {
  name: '${keyVault.name}/Client-Key-${tenant}'
  properties: {
    keySize: 2048
    kty: 'RSA'
  }
}]
I have 2 storage accounts to create, plus keys whose names contain the storage code. What I want to do, and what I'm having trouble implementing, is matching the correct key to the correct storage account. In this specific case I have to code it like this:
dsec
sdre
The Bicep script will create 2 storage accounts and correspondingly named secrets:
sthrideveurdsec
sthrideveursdre
AND 2 secrets with the same name
sthrideveurdsec
sthrideveursdre
AND 2 Keys named
Client-Key-dsec
Client-Key-sdre
What I want is to encrypt storage account DSEC with key DSEC and storage account SDRE with key SDRE. But since I'm new to Bicep, I'm having some trouble implementing this.
If someone could help me understand how to implement this correct pairing, I would be very grateful.
UPDATE: after testing Thomas's solution, this is the error I get:
{"status":"Failed","error":{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"BadRequest","message":"{\r\n \"error\": {\r\n \"code\": \"KeyVaultPolicyError\",\r\n \"message\": \"Keyvault policy recoverable is not set\"\r\n }\r\n}"},{"code":"BadRequest","message":"{\r\n \"error\": {\r\n \"code\": \"KeyVaultPolicyError\",\r\n \"message\": \"Keyvault policy recoverable is not set\"\r\n }\r\n}"}]}}
Reply from a uj5u.com user:
I'm assuming the Key Vault is already created and uses access policies.
If you want to create the storage with customer-managed keys, the storage needs access to the Key Vault before it is created, so I'm using a user-assigned identity in the example.
Here are the steps:
- create a managed identity and grant it key permissions on the Key Vault
- create the two keys in the Key Vault
- create the storage accounts, assign the managed identity and encrypt with the keys
// Default values I'm using to test
param keyVaultName string = 'kvthomastest'
param managedIdentityName string = 'mi-storage-encryption-thomas-test'
param tenantCodes array = [
  'dsec'
  'sdre'
]
// I'm using prefix so I dont need to create additional arrays
var keyVaultKeyPrefix = 'Client-Key-'
var storagePrefix = 'stthomastest'
// Get a reference to key vault
resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' existing = {
  name: keyVaultName
}
// Create a managed identity
resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
  name: managedIdentityName
  location: resourceGroup().location
}
// Grant permissions to key vault
resource accessPolicy 'Microsoft.KeyVault/vaults/accessPolicies@2019-09-01' = {
  name: '${keyVault.name}/add'
  properties: {
    accessPolicies: [
      {
        tenantId: subscription().tenantId
        objectId: managedIdentity.properties.principalId
        permissions: {
          // minimum required permissions
          keys: [
            'get'
            'unwrapKey'
            'wrapKey'
          ]
        }
      }
    ]
  }
}
// Create key vault keys
resource keyVaultKeys 'Microsoft.KeyVault/vaults/keys@2021-06-01-preview' = [for tenantCode in tenantCodes: {
  name: '${keyVault.name}/${keyVaultKeyPrefix}${tenantCode}'
  properties: {
    keySize: 2048
    kty: 'RSA'
    // storage key should only needs these operations
    keyOps: [
      'unwrapKey'
      'wrapKey'
    ]
  }
}]
// Create storage accounts
resource storageAccount 'Microsoft.Storage/storageAccounts@2021-04-01' = [for tenantCode in tenantCodes: {
  name: '${storagePrefix}${tenantCode}'
  location: resourceGroup().location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_RAGRS'
  }
  // Assign the identity
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${managedIdentity.id}': {}
    }
  }
  properties: {
    allowCrossTenantReplication: true
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
    allowSharedKeyAccess: true
    networkAcls: {
      bypass: 'AzureServices'
      virtualNetworkRules: []
      ipRules: []
      defaultAction: 'Allow'
    }
    supportsHttpsTrafficOnly: true
    encryption: {
      identity: {
        // specify which identity to use
        userAssignedIdentity: managedIdentity.id
      }
      keySource: 'Microsoft.Keyvault'
      keyvaultproperties: {
        keyname: '${keyVaultKeyPrefix}${tenantCode}'
        keyvaulturi: keyVault.properties.vaultUri
      }
      services: {
        file: {
          keyType: 'Account'
          enabled: true
        }
        blob: {
          keyType: 'Account'
          enabled: true
        }
      }
    }
    accessTier: 'Cool'
  }
}]
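Editor's added example (not the asker's code and not Thomas's answer above). It covers two things the thread leaves open: the "Keyvault policy recoverable is not set" error from the update, which Azure Storage raises when the vault used for customer-managed keys does not have soft delete and purge protection enabled, and the key-to-account pairing, done with an index-based loop so that account i is bound to key i and Bicep sees the dependency. Unlike the answer, it creates the vault itself so those two settings are visible; the vault, identity and storage prefix names are placeholders, and the access policy is placed inline in the vault rather than as a separate `add` resource.

```bicep
// Added example: creates the vault with the settings Storage CMK requires and pairs
// each storage account with its own key by loop index. All names below are placeholders.
param location string = resourceGroup().location
param keyVaultName string = 'kv-cmk-example'            // placeholder, must be globally unique
param managedIdentityName string = 'mi-cmk-example'     // placeholder
param storagePrefix string = 'stcmkexample'             // placeholder, must be globally unique
param tenantCodes array = [
  'dsec'
  'sdre'
]
var keyVaultKeyPrefix = 'Client-Key-'

resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
  name: managedIdentityName
  location: location
}

// "Recoverable" vault: soft delete AND purge protection on. Storage refuses a CMK
// from a vault without both (the KeyVaultPolicyError in the update). Note that purge
// protection cannot be switched off again once enabled.
resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01-preview' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }
    enableSoftDelete: true
    softDeleteRetentionInDays: 90
    enablePurgeProtection: true
    // Inline policy instead of a separate 'add' resource: the vault now depends on the
    // identity, and everything below depends on the vault, so ordering is guaranteed.
    accessPolicies: [
      {
        tenantId: subscription().tenantId
        objectId: managedIdentity.properties.principalId
        permissions: {
          keys: [
            'get'
            'wrapKey'
            'unwrapKey'
          ]
        }
      }
    ]
  }
}

// One key per tenant. Declared with parent: so keyVaultKeys[i].name is the bare key
// name (no 'vault/' prefix), which is what keyvaultproperties.keyname expects.
resource keyVaultKeys 'Microsoft.KeyVault/vaults/keys@2021-06-01-preview' = [for tenantCode in tenantCodes: {
  parent: keyVault
  name: '${keyVaultKeyPrefix}${tenantCode}'
  properties: {
    kty: 'RSA'
    keySize: 2048
    keyOps: [
      'wrapKey'
      'unwrapKey'
    ]
  }
}]

// Index-based loop: tenantCodes[i] <-> keyVaultKeys[i] <-> storageAccount[i].
// Referencing keyVaultKeys[i].name (rather than rebuilding the string from the prefix)
// also makes Bicep create the key before the storage account that uses it.
resource storageAccount 'Microsoft.Storage/storageAccounts@2021-04-01' = [for (tenantCode, i) in tenantCodes: {
  name: '${storagePrefix}${tenantCode}'
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_RAGRS'
  }
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${managedIdentity.id}': {}
    }
  }
  properties: {
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
    supportsHttpsTrafficOnly: true
    encryption: {
      identity: {
        userAssignedIdentity: managedIdentity.id
      }
      keySource: 'Microsoft.Keyvault'
      keyvaultproperties: {
        keyname: keyVaultKeys[i].name
        keyvaulturi: keyVault.properties.vaultUri
      }
      services: {
        blob: {
          enabled: true
          keyType: 'Account'
        }
        file: {
          enabled: true
          keyType: 'Account'
        }
      }
    }
  }
}]

// Read back the pairing after deployment to confirm each account uses its own key.
output pairing array = [for (tenantCode, i) in tenantCodes: {
  storageAccount: storageAccount[i].name
  key: storageAccount[i].properties.encryption.keyvaultproperties.keyname
}]
```

If the vault already exists (as in the answer), keep it as `existing` and enable soft delete and purge protection on it before deploying; the rest of the template is unchanged. The `pairing` output is the quickest way to verify the result: for the two tenant codes it should list `...dsec` next to `Client-Key-dsec` and `...sdre` next to `Client-Key-sdre`.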
Please credit the source when reposting. Original link: https://www.uj5u.com/qukuanlian/334198.html
Tags: azure azure-resource-manager azure-storage-account azure-bicep
