
我試圖在 ARM 模板中添加一個批處理帳戶(用戶訂閱模式)的配置,但遇到了循環依賴問題:需要在同一個 ARM 模板中同時創建批處理帳戶和密鑰保管庫。

  • 批處理帳戶需要 KeyVaultReference(指向密鑰保管庫)。
  • 密鑰保管庫的訪問策略需要 BatchAccount 的對象 ID。

在這種情況下,我無法一次創建出完整配置的服務。你知道如何在同一個 ARM 模板中創建這兩個服務嗎?

請看下面的例子:

{ 
    "name": "[variables('keyVaultName')]", 
    "type": "Microsoft.KeyVault/vaults", 
    "location": "[resourceGroup().location]", 
    "apiVersion": "2015-06-01", 
    "properties": { 
    "sku": { 
     "family": "A", 
     "name": "Standard" 
    }, 
    "tenantId": "[subscription().tenantId]", 
    "accessPolicies": [ 
     { 
     "tenantId": "[subscription().tenantId]", 
     "objectId": "[resourceId('Microsoft.Batch/batchAccounts', variables('batchAccountName'))]", 
     "permissions": { 
      "keys": [ 
      "Update" 
      ] 
     } 
     } 
    ] 
    }, 
    "dependsOn": [ 
    "[resourceId('Microsoft.Batch/batchAccounts', variables('batchAccountName'))]" 
    ] 
}, 
{ 
    "name": "[variables('batchAccountName')]", 
    "type": "Microsoft.Batch/batchAccounts", 
    "location": "[resourceGroup().location]", 
    "apiVersion": "2017-05-01", 
    "properties": { 
    "poolAllocationMode": "UserSubscription", 
    "autoStorage": { 
     "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', variables('batchAccountStorageAccountName'))]" 
    }, 
    "keyVaultReference": { 
     "id": "[concat(subscription().id, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.KeyVault/vaults/', variables('keyVaultName'))]", 
     "url": "[concat('https://', variables('keyVaultName'), '.vault.azure.net/')]" 
    } 
    }, 
    "dependsOn": [ 
    "[resourceId('Microsoft.Storage/storageAccounts', variables('batchAccountStorageAccountName'))]", 
    "[resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName'))]" 
    ] 
} 

回答


密鑰保管庫(Key Vault)訪問策略需要 BatchAccount 對象 ID。

對象 ID 與批處理帳戶資源本身無關。訪問策略中的 objectId 是您設置的、被允許訪問密鑰保管庫的用戶對象 ID(Azure AD 對象 ID);該用戶可以是 Azure AD 帳戶、Microsoft 帳戶或服務主體。在您的模板中,resourceId(...) 返回的是 ARM 資源 ID,而不是 Azure AD 對象 ID,因此不能用作 accessPolicies 中的 objectId。對於 Azure AD 帳戶,您可以使用 PowerShell cmdlet Get-AzureRmADUser 獲取該 ID。這篇博客也許有幫助。

批處理帳戶需要 KeyVaultReference。

正如您已經做的那樣,可以在創建批處理帳戶時通過 dependsOn 添加對密鑰保管庫的依賴。以下模板對我有效。

{ 
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 
    "contentVersion": "1.0.0.0", 
    "parameters": { 
     "location": { 
      "defaultValue": "eastus", 
      "type": "string" 
     }, 
     "batchAccountName": { 
      "defaultValue": "shui568", 
      "type": "string" 
     }, 
     "storageAccountName": { 
      "defaultValue": "shui41f", 
      "type": "string" 
     }, 
     "storageAccountType": { 
      "defaultValue": "Standard_LRS", 
      "type": "string" 
     }, 
     "vaults_shuibatch_name": { 
      "defaultValue": "shui225", 
      "type": "String" 
     } 
    }, 
    "variables": {}, 
    "resources": [ 
     { 
      "name": "[parameters('batchAccountName')]", 
      "type": "Microsoft.Batch/batchAccounts", 
      "apiVersion": "2017-05-01", 
      "location": "[parameters('location')]", 
      "dependsOn": [ 
       "[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]", 
       "[concat('Microsoft.KeyVault/vaults/', parameters('vaults_shuibatch_name'))]" 
      ], 
      "properties": { 
       "poolAllocationMode": "usersubscription", 
       "KeyVaultReference": { 

        "id": "[resourceId('Microsoft.KeyVault/vaults', parameters('vaults_shuibatch_name'))]", 
        "url": "[concat('https://',parameters('vaults_shuibatch_name'),'.vault.azure.net/')]" 
       }, 
       "autoStorage": { 
        "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]" 
       } 
      } 
     }, 
     { 
      "name": "[parameters('storageAccountName')]", 
      "type": "Microsoft.Storage/storageAccounts", 
      "apiVersion": "2015-06-15", 
      "location": "[parameters('location')]", 
      "properties": { 
       "accountType": "[parameters('storageAccountType')]" 
      } 
     }, 
      { 
      "comments": "Generalized from resource: '/subscriptions/***************/resourceGroups/shuibatch/providers/Microsoft.KeyVault/vaults/shuibatch'.", 
      "type": "Microsoft.KeyVault/vaults", 
      "name": "[parameters('vaults_shuibatch_name')]", 
      "apiVersion": "2015-06-01", 
      "location": "eastus", 
      "tags": {}, 
      "scale": null, 
      "properties": { 
       "sku": { 
        "family": "A", 
        "name": "Standard" 
       }, 
       "tenantId": "[subscription().tenantId]", 
       "accessPolicies": [ 
        { 
         "tenantId": "[subscription().tenantId]", 
         "objectId": "3ff89f78-2a60-4fef-8ee5-c249d03549d1", 
         "permissions": { 
          "secrets": [ 
           "All" 
          ] 
         } 
        } 
       ], 
       "enabledForDeployment": true 
      }, 
      "dependsOn": [] 
     } 
    ] 
} 

如果我的理解正確,你是想授權給 'Microsoft Azure Batch' 這個用戶(服務主體);它的對象 ID 可以在 Azure 門戶中獲取:'訂閱' -> '訪問控制(IAM)' -> 'Microsoft Azure Batch' -> '屬性'。 –


看起來不錯。我正在尋找一種方法,通過 ARM/PowerShell(Azure 訂閱步驟)把所有這些操作都納入自動化腳本中,但那是另一回事了。謝謝! –