Azure logic apps 如何为具有托管标识的逻辑应用程序创建到Azure KeyVaul的Api连接
场景Azure logic apps 如何为具有托管标识的逻辑应用程序创建到Azure KeyVaul的Api连接,azure-logic-apps,azure-resource-manager,azure-keyvault,azure-managed-identity,Azure Logic Apps,Azure Resource Manager,Azure Keyvault,Azure Managed Identity,场景 { "type": "Microsoft.Web/connections", "apiVersion": "2016-06-01", "name": "[variables('KeyVault_Connection_Name')]", "location": "[variables('location')]",
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('KeyVault_Connection_Name')]",
"location": "[variables('location')]",
"kind": "V1",
"properties": {
"api": {
"id": "[concat('/subscriptions/', variables('subscriptionId'), '/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/', 'keyvault')]"
},
"parameterValues": {
"vaultName": "[variables('keyVaultName')]"
},
"displayName": "[variables('KeyVault_Display_Connection_Name')]"
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[variables('logicAppName')]",
"location": "[variables('location')]",
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [
"[resourceId('Microsoft.Web/Connections', variables('KeyVault_Connection_Name'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {schedule trigger},
"actions": {get secret, send HTTP},
"outputs": {}
},
"parameters": {
"$connections": {
"value": {
"keyvault": {
"connectionId": "[concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.Web/connections/', variables('KeyVault_Connection_Name'))]",
"connectionName": "[variables('KeyVault_Display_Connection_Name')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
},
"id": "[concat('/subscriptions/', variables('subscriptionId'), '/providers/Microsoft.Web/locations/', variables('location'),'/managedApis/keyvault')]"
}
}
}
}
}
}
您好,我想创建一个逻辑应用程序
,它从Azure KeyVault
获取机密,并使用vault的机密向API发送经过身份验证的请求
问题
我收到:工作流连接参数“keyvault”无效。API连接“keyvault”未配置为支持托管标识。
在我的ARM部署期间。如何使用ARM模板中的托管标识创建Microsoft.Web/Connections
。文档中没有关于它的信息:
repro
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('KeyVault_Connection_Name')]",
"location": "[variables('location')]",
"kind": "V1",
"properties": {
"api": {
"id": "[concat('/subscriptions/', variables('subscriptionId'), '/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/', 'keyvault')]"
},
"parameterValues": {
"vaultName": "[variables('keyVaultName')]"
},
"displayName": "[variables('KeyVault_Display_Connection_Name')]"
}
},
{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "[variables('logicAppName')]",
"location": "[variables('location')]",
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [
"[resourceId('Microsoft.Web/Connections', variables('KeyVault_Connection_Name'))]"
],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {schedule trigger},
"actions": {get secret, send HTTP},
"outputs": {}
},
"parameters": {
"$connections": {
"value": {
"keyvault": {
"connectionId": "[concat('/subscriptions/', variables('subscriptionId'), '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.Web/connections/', variables('KeyVault_Connection_Name'))]",
"connectionName": "[variables('KeyVault_Display_Connection_Name')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
}
},
"id": "[concat('/subscriptions/', variables('subscriptionId'), '/providers/Microsoft.Web/locations/', variables('location'),'/managedApis/keyvault')]"
}
}
}
}
}
}
尝试过
我添加了parameterValueType
,其值替代了Microsoft.Web/connections
。还必须删除parameterValue,因为它会导致错误
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('KeyVault_Connection_Name')]",
"location": "[variables('location')]",
"kind": "V1",
"properties": {
"api": {
"id": "[concat('/subscriptions/', variables('subscriptionId'), '/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/', 'keyvault')]"
},
"parameterValueType": "Alternative",
"displayName": "[variables('KeyVault_Display_Connection_Name')]"
}
},
现在,当获取机密时,我在运行时收到错误:
{
"status": 400,
"message": "The connection does not contain a vault name. Please edit the connection and enter a valid key vault name.",
"error": {
"message": "The connection does not contain a vault name. Please edit the connection and enter a valid key vault name."
},
"source": "keyvault-we.azconn-we.p.azurewebsites.net"
}
我还尝试将vaultName
添加到customParameterValues
中,但没有任何帮助。与参数值类型一起使用的还有:“可选”
,您还需要在可选参数值
中指定要访问的密钥库名称,如下所示
该示例适用于我,joykeyvault123
是我的keyvualt名称
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('KeyVault_Connection_Name')]",
"location": "[variables('location')]",
"kind": "V1",
"properties": {
"api": {
"id": "[concat('/subscriptions/', variables('subscriptionId'), '/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/', 'keyvault')]"
},
"parameterValueType": "Alternative",
"alternativeParameterValues": {
"vaultName": "joykeyvault123"
},
"displayName": "[variables('KeyVault_Display_Connection_Name')]"
}
},
你怎么知道的?当我将connecion或logic应用程序导出到ARM时,没有这样的属性。@zolty13那么它对您有用吗?如果不是,那就没什么意思了。;-)@zolty13如果您指的是Api连接->导出模板,您可以在门户->
JSON视图的连接中找到它。不,没有这样的字段id json模板。此功能(MSI用于逻辑应用程序操作)正在预览中,因此它可能是key@zolty13不,我不是那个意思,请检查上面评论中的图片。