Azure App Configuration: Getting PrimaryKey in an ARM template

I have extracted the ARM template belonging to the preview version of Azure App Configuration, and am setting it into our IaC repository - so far so good.
Our next logical step is to include insertion of the AppConfiguration.PrimaryKey into our Key Vault. However, I do not know the name of this property, and I cannot find any information on the subject online. Also, I cannot see the AppConfiguration/configurationStores type listed in resources.azure.com (assuming it's because it's still in public preview).
Does anyone know how to reference the primary key (and possibly the read-only primary key), so I can reference them through an "outputs" variable in my ARM template?
Then I can let Az CLI/Az PowerShell insert the secret into our Key Vault, and we obtain full automation of our IaC.

I was not able to figure this out.
However, by using az CLI commands in an IaC script (which anyway invokes the ARM template residing in an Azure blob store), I circumvented the problem:
$connStrings = az appconfig credential list -n $configName| ConvertFrom-Json
$readOnlyConnString = ($connStrings | Where {$_.name -eq "Primary Read Only"}).connectionString
$primaryConnString = ($connStrings | Where {$_.name -eq "Primary"}).connectionString
#then
az keyvault secret set --vault-name $kvName --name $keyNameRO --value $readOnlyConnString
az keyvault secret set --vault-name $kvName --name $keyNamePrimary --value $primaryConnString

For an ARM template I did the following. The listkeys function returns a full list of all the values that have to do with the keys. This was hard to figure out. I hope it helps.
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"configurationStores_instance_name": {
"defaultValue": "ac-instance",
"type": "String"
}
},
"variables": {
"apiVersionVar": "[providers('Microsoft.AppConfiguration', 'configurationStores').apiVersions[0]]",
"resourceId": "[resourceId('Microsoft.AppConfiguration/configurationStores', parameters('configurationStores_instance_name'))]"
},
"resources": [
{
"type": "Microsoft.AppConfiguration/configurationStores",
"apiVersion": "2019-10-01",
"name": "[parameters('configurationStores_instance_name')]",
"location": "northcentralus",
"sku": {
"name": "standard"
},
"properties": {}
}
],
"outputs": {
"AppConfigEndpoint": {
"type": "string",
"value": "[reference(parameters('configurationStores_instance_name')).endpoint]"
},
"AppConfigKeys": {
"type": "Array",
"value": "[listkeys(variables('resourceId'), variables('apiVersionVar')).value]"
}
}
}
hope this helps!
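Added example (not part of the original answers or of any Microsoft tooling): the template above returns the result of `listkeys(...)` from `outputs`, and deployment outputs are kept in plain text in the deployment history, readable by anyone who can read deployments on that scope. The check below flags outputs that return a `list*` call or echo a secure parameter; `find_secret_outputs` is a hypothetical helper name and the template is a constructed sample modelled on the answer.

```python
import re

# list*() template functions (listKeys, listSecrets, ...) return credentials.
LIST_CALL = re.compile(r"\blist[A-Za-z]*\s*\(", re.IGNORECASE)
PARAM_REF = re.compile(r"parameters\(\s*'([^']+)'\s*\)", re.IGNORECASE)
VAR_REF = re.compile(r"variables\(\s*'([^']+)'\s*\)", re.IGNORECASE)
SECURE_TYPES = {"securestring", "secureobject"}

# Constructed sample, modelled on the template in the answer above.
SAMPLE_TEMPLATE = {
    "parameters": {
        "configurationStores_instance_name": {"type": "String"},
        "adminPassword": {"type": "securestring"},
    },
    "variables": {
        "resourceId": "[resourceId('Microsoft.AppConfiguration/configurationStores', 'ac-instance')]",
        "primaryConn": "[listKeys(variables('resourceId'), '2019-10-01').value[0].connectionString]",
    },
    "outputs": {
        "AppConfigEndpoint": {"type": "string", "value": "[reference(variables('resourceId')).endpoint]"},
        "AppConfigKeys": {"type": "Array", "value": "[listkeys(variables('resourceId'), '2019-10-01').value]"},
        "ConnViaVariable": {"type": "string", "value": "[variables('primaryConn')]"},
        "AdminPassword": {"type": "string", "value": "[parameters('adminPassword')]"},
        "Literal": {"type": "string", "value": "[[listKeys() is plain text here]"},
    },
}


def _expressions(node):
    """Yield ARM expression strings ("[...]", but not the "[[" literal escape)."""
    if isinstance(node, str):
        if node.startswith("[") and not node.startswith("[["):
            yield node
        return
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else ()
    for child in children:
        yield from _expressions(child)


def find_secret_outputs(template):
    """Return {output name: reason} for outputs that would expose a secret."""
    variables = {k.lower(): v for k, v in template.get("variables", {}).items()}
    secure = {name.lower() for name, spec in template.get("parameters", {}).items()
              if str(spec.get("type", "")).lower() in SECURE_TYPES}
    findings = {}
    for name, output in template.get("outputs", {}).items():
        exprs = list(_expressions(output.get("value")))
        # Follow variables() one level so a list* call kept in a variable is seen.
        for expr in list(exprs):
            for var in VAR_REF.findall(expr):
                exprs.extend(_expressions(variables.get(var.lower())))
        for expr in exprs:
            if LIST_CALL.search(expr):
                findings.setdefault(name, "list* call returns credentials")
            elif any(p.lower() in secure for p in PARAM_REF.findall(expr)):
                findings.setdefault(name, "echoes a secure parameter")
    return findings
```

To check a real file, pass the result of `json.load` on the template to `find_secret_outputs`; an empty result means no output matched either pattern.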

Related

Azure CLI command to create ADF linked service with key vault?

I am referencing the below codes with command but getting error for both
az datafactory linked-service create --resource-group $resourcegroup --factory-name $factoryname --linked-service-name ls_AzureKeyVault_storage --properties @ls_AzureKeyVault_storage.json > \dev\null
{
"name": "ls_AzureKeyVault_storage",
"properties": {
"annotations": [],
"type": "AzureKeyVault",
"typeProperties": {
"baseUrl": "https://kvadfconnections.vault.azure.net/"
}
}
}
az datafactory linked-service create --resource-group $resourcegroup --factory-name $factoryname --linked-service-name AzureStorageLinkedService --properties @AzureStorageLinkedService.json > \dev\null
{
"name": "AzureStorageLinkedService",
"properties": {
"annotations": [],
"type": "AzureBlobStorage",
"typeProperties": {
"connectionString": {
"type": "AzureKeyVaultSecret",
"store": {
"referenceName": "ls_AzureKeyVault_storage",
"type": "LinkedServiceReference"
},
"secretName": "sec-stforadfcli-connection"
}
}
},
"type": "Microsoft.DataFactory/factories/linkedservices"
}
We have tested this in our local environment; the statements below are based on our analysis.
While creating the linked service through the Azure CLI using az datafactory linked-service create, you need to pass the JSON file to the --properties flag.
az datafactory linked-service create --factory-name
--linked-service-name
--properties
--resource-group
[--if-match]
If you declare the properties{} list on top of typeProperties{} in your JSON file, then creating the linked service in the data factory will fail with the error that you have shared, as shown below.
You need to pass only typeProperties in the JSON file to create a linked service in the data factory, as shown below.
In the example below, we are creating a Key Vault linked service in our existing ADF.
Here is our keyvault.json file, which has the type properties.
{
"type": "AzureKeyVault",
"typeProperties":{
"baseUrl": "<keyvault>"
},
"annotations":[<requiredannotations>],
"description":"<requireddescription>",
"parameters": {
"test":{
"type":"String",
"defaultValue":"test"
}
}
}
Here is the sample output for reference :
You can use the above keyvault.json file as a reference and make changes as per your requirements.
You can also refer to this documentation for more information about all the properties that can be passed to AzurekeyVaultLinkedService and their respective data types.

Azure Pipeline Key vault issue while creating DevTest Labs VM

I want to create an Azure DevTest Labs VM via a pipeline process. However, when I start to deploy, it fails on the step "Create Azure DevTest Lab VM", and it seems to be caused by my key vault being missing. But after checking my key vault, my secret is stored in it and there should be no problem with the permission.
I am not sure what the message "A secret store was not set up for the user." means. Does it mean that there's a problem with the association between my account and the key vault? How can I verify this? Thanks.
Agent job: Create DevTest Labs VM
Win7entx64.json
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
"contentVersion": "1.0.0.0",
"parameters": {
"newVMName": {
"defaultValue": "win7entx64",
"type": "String"
},
"labName": {
"defaultValue": "my_lab",
"type": "String"
},
"size": {
"defaultValue": "Standard_A3",
"type": "String"
},
"userName": {
"defaultValue": "trendkj",
"type": "String"
},
"password": {
"type": "securestring",
"defaultValue": "[[[VmPassword]]"
}
},
"variables": {
"labSubnetName": "[concat(variables('labVirtualNetworkName'), 'Subnet')]",
"labVirtualNetworkId": "[resourceId('Microsoft.DevTestLab/labs/virtualnetworks', parameters('labName'), variables('labVirtualNetworkName'))]",
"labVirtualNetworkName": "[concat('Dtl', parameters('labName'))]",
"vmId": "[resourceId ('Microsoft.DevTestLab/labs/virtualmachines', parameters('labName'), parameters('newVMName'))]",
"vmName": "[concat(parameters('labName'), '/', parameters('newVMName'))]"
},
"resources": [
{
"type": "Microsoft.DevTestLab/labs/virtualmachines",
"apiVersion": "2018-10-15-preview",
"name": "[variables('vmName')]",
"location": "westus",
"properties": {
"labVirtualNetworkId": "[variables('labVirtualNetworkId')]",
"notes": "Windows 7 Enterprise",
"galleryImageReference": {
"offer": "windows-7",
"publisher": "microsoftwindowsdesktop",
"sku": "win7-enterprise",
"osType": "Windows",
"version": "latest"
},
"size": "[parameters('size')]",
"userName": "[parameters('userName')]",
"password": "[parameters('password')]",
"isAuthenticationWithSshKey": false,
"labSubnetName": "[variables('labSubnetName')]",
"disallowPublicIpAddress": true,
"storageType": "Standard",
"allowClaim": false
}
}
],
"outputs": {
"labVMId": {
"type": "String",
"value": "[variables('vmId')]"
}
}
}
My secret in the Key Vault:
My Access Policy in the Key Vault
According to your reference to Key Vault in the ARM template, "defaultValue": "[[[VmPassword]]", you should use the secret saved in the DevTest Lab page, as shown below.
If you want to use the secret in the Key Vault page as shown in the question, the reference in the ARM template should be as follows:
"sqlAdministratorLoginPassword": {
"reference": {
"keyVault": {
"id": "/subscriptions/25abd97b-44a3-4092-8337-xxxx/resourceGroups/mykeyvault/providers/Microsoft.KeyVault/vaults/cmkvtest"
},
"secretName": "sqlpassword"
}
}
About this, please refer to "3.ADD KEY VAULT SECRETS TO YOU ARM TEMPLATES" part of this artifact.
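Added example (not from the original answer): a Key Vault reference of the shape shown above goes in the parameter file in place of an inline `value`. The check below reports secure parameters whose parameter-file entry carries an inline value or a malformed reference; `check_secure_parameters` is a hypothetical helper name, and the template, parameter names and subscription ID are constructed placeholders.

```python
import re

SECURE_TYPES = {"securestring", "secureobject"}
# Shape of a Key Vault resource ID, as used in the reference above.
VAULT_ID = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+"
                      r"/providers/Microsoft\.KeyVault/vaults/[^/]+$", re.IGNORECASE)

# Constructed template parameters and parameter file (all values are placeholders).
TEMPLATE = {"parameters": {
    "userName": {"type": "String"},
    "sqlAdministratorLoginPassword": {"type": "securestring"},
    "apiToken": {"type": "securestring"},
    "certPassword": {"type": "securestring"},
}}
VAULT = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mykeyvault"
         "/providers/Microsoft.KeyVault/vaults/cmkvtest")
PARAMETER_FILE = {"parameters": {
    "userName": {"value": "labuser"},
    "sqlAdministratorLoginPassword": {
        "reference": {"keyVault": {"id": VAULT}, "secretName": "sqlpassword"}},
    "apiToken": {"value": "constructed-placeholder-not-a-secret"},
    # A vault URL is not accepted here; the reference needs the resource ID.
    "certPassword": {
        "reference": {"keyVault": {"id": "https://cmkvtest.vault.azure.net/"},
                      "secretName": "certpassword"}},
}}


def check_secure_parameters(template, parameter_file):
    """Return {parameter: problem} for secure parameters not read from Key Vault."""
    supplied = {k.lower(): v for k, v in parameter_file.get("parameters", {}).items()}
    problems = {}
    for name, spec in template.get("parameters", {}).items():
        entry = supplied.get(name.lower())
        if str(spec.get("type", "")).lower() not in SECURE_TYPES or entry is None:
            continue  # not a secret, or not supplied by this parameter file
        if "value" in entry:
            problems[name] = "inline value in the parameter file"
            continue
        ref = entry.get("reference", {})
        if not VAULT_ID.match(ref.get("keyVault", {}).get("id", "")):
            problems[name] = "keyVault.id is not a vault resource ID"
        elif not ref.get("secretName"):
            problems[name] = "reference has no secretName"
    return problems
```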
It has been a time since this was posted.
I am facing the same issue. The secret that you are setting in the DevTest Lab is only visible to the user creating it.
The API gives more insight about the secret. The call for getting the secret is the following:
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DevTestLab/labs/{labName}/users/{userName}/secrets/{name}?api-version=2018-09-15
As you see there is also the username in the path.
So if you have UserA and UserB, and UserA sets a secret in the DTL lab, when UserB goes into My secrets he will not see the secret of UserA. He can even create a secret with the same name and a different value.
It is a shame that you cannot have common secrets for all the users in a DevTest Lab (maybe there is a way, but I did not find it yet).
In other words, you need to log in to the DTL with the user defined in the Azure connection from Azure DevOps and create the secret manually. Or create it from the pipeline under his context.
Reference:
https://learn.microsoft.com/en-us/rest/api/dtl/secrets/get
https://learn.microsoft.com/en-us/rest/api/dtl/secrets/create-or-update
Are you missing a ']'?
[[[VmPassword]] --> [[[VmPassword]]]

How to resolve "Unable to load Schema " Error in ARM template?

I am trying to create a Resource Group using the below ARM template.
{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.1",
"parameters": {
"rgName": {
"type": "string"
},
"rgLocation": {
"type": "string"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2018-05-01",
"location": "[parameters('rgLocation')]",
"name": "[parameters('rgName')]",
"properties": {}
}
],
"outputs": {}
}
And the Parameter file is
{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"rgName": {
"value": "sriram"
},
"rgLocation": {
"value": "southcentralus"
}
}
}
Is there any mistake in the above JSON files? I am getting the following error.
Unable to load schema from 'https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json'. No schema request service available(768)
I ignored this error and tried running these templates in the Azure pipeline and got the following error.
"No HTTP resource was found that matches the request URI 'https://management.azure.com/subscriptions/****-****-*****-****/resourcegroups/<Rsource Group Name>/providers/Microsoft.Resources/resourceGroups/<new RG name>?api-version=2018-05-01'
Can anyone help me out? Thank you.
Your parameters file should use this https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentParameters.json# as a schema reference.
The schema your parameter file is using does not have an effect on the creation of resource groups. With the command and your original script
az deployment create --template-file tem.json --parameters @para.json --location southcentralus
I could create the new resource group:
The error you are facing is just caused by trying to create a new resource group within an existing resource group. This is not allowed.
I suggest using a Command line task to achieve what you want, with the command I showed you above.
az deployment create --template-file $(Build.SourcesDirectory)/{Template}.json --parameters @$(Build.SourcesDirectory)/{parameter}.json --location southcentralus

Azure Logic App - Update Blob API Connection through powershell

I've searched online and browsed the available PowerShell cmdlets to try and find a solution for this problem but have been unsuccessful. Essentially, I have a few Data Factory pipelines that copy/archive incoming files and will use a web HTTP POST component that will invoke a Logic App that connects to a Blob container and will delete the incoming file. The issue I'm facing is that we have several automation runbooks that will reset Blob access keys every X days. When the Blob keys get reset, the Logic App will fail because the connection is manually created in the designer itself and I can't specify a connection string that could pull from the Key Vault, as an example. Inside of the {Logic App > API Connections > Edit API Connection} we can manually update the connection string/key, but obviously for an automated process we should be able to do this programmatically.
Is there a PowerShell cmdlet or other method I'm not seeing that would allow me to update/edit the API Connections that get created when using a Blob component inside a Logic App?
Any insight is appreciated!
Once you've rotated your key in the storage account, you can use an ARM template to update your connection API. In this ARM template, the connection api is created referencing the storage account internally so you don't have to provide the key:
azuredeploy.json file:
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"azureBlobConnectionAPIName": {
"type": "string",
"metadata": {
"description": "The name of the connection api to access the azure blob storage."
}
},
"storageAccountName": {
"type": "string",
"metadata": {
"description": "The Storage Account Name."
}
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Web/connections",
"name": "[parameters('azureBlobConnectionAPIName')]",
"apiVersion": "2016-06-01",
"location": "[resourceGroup().location]",
"scale": null,
"properties": {
"displayName": "[parameters('azureBlobConnectionAPIName')]",
"parameterValues": {
"accountName": "[parameters('storageAccountName')]",
"accessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')),'2015-05-01-preview').key1]"
},
"api": {
"id": "[concat('subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azureblob')]"
}
},
"dependsOn": []
}
]
}
azuredeploy.parameters.json file:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"azureBlobConnectionAPIName": {
"value": "myblobConnectionApiName"
},
"storageAccountName": {
"value": "myStorageAccountName"
}
}
}
You can then execute the ARM template like this:
Connect-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName <yourSubscriptionName>
New-AzureRmResourceGroupDeployment -Name "ExampleDeployment" -ResourceGroupName "MyResourceGroupName" `
-TemplateFile "D:\Azure\Templates\azuredeploy.json" `
-TemplateParameterFile "D:\Azure\Templates\azuredeploy.parameters.json"
To get started with ARM templates and PowerShell, you can have a look at this article:
Deploy resources with Resource Manager templates and Azure PowerShell

Issue with KeyVault reference in ARM template

I am trying to create a master key vault, which will contain all certificates to authenticate as a certain user.
I have 2 service principals => One for my app, One for deployment.
The idea is that the deploy service principal gets access to the Key Vault and adds the certificate located there to the Store of the web applications.
I have created the service principal and I have given him all permissions on the key vault. Also I have enabled access secrets in ARM templates for that key vault.
Using PowerShell I am able to log in as the deploying SP and retrieve the secret (certificate).
However this does not work when deploying the ARM template with a reference to the key vault. I got the following error:
New-AzureRmResourceGroupDeployment : 11:16:44 - Resource Microsoft.Web/certificates 'test-certificate' failed with message '{
"Code": "BadRequest",
"Message": "The service does not have access to '/subscriptions/98f06e7e-1016-4088-843f-62690f3bb306/resourcegroups/rg-temp/providers/microsoft.keyvault/vaults/master-key-vault' Key
Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation.",
"Target": null,
"Details": [
{
"Message": "The service does not have access to '/subscriptions/xxxx/resourcegroups/xxx/providers/microsoft.keyvault/vaults/master-key-vault' Key
Vault. Please make sure that you have granted necessary permissions to the service to perform the request operation."
},
My ARM template looks like this:
{
"type":"Microsoft.Web/certificates",
"name":"test-certificate",
"apiVersion":"2016-03-01",
"location":"[resourceGroup().location]",
"properties":{
"keyVaultId":"[resourceId('rg-temp', 'Microsoft.KeyVault/vaults', 'master-key-vault')]",
"keyVaultSecretName":"kv-certificate-test",
"serverFarmId":"[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
}
},
Is this a bug? Because I am able to retrieve the certificate using the Deploy SP with:
$key = Get-AzureKeyVaultSecret -VaultName "master-key-vault" -Name "testenvironmentcertificate"
This is my ARM template: (note, the Key vault lives in another resource group than the resources in the ARM template)
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
{
"type":"Microsoft.Web/certificates",
"name":"test-certificate",
"apiVersion":"2016-03-01",
"location":"[resourceGroup().location]",
"properties":{
"keyVaultId":"/subscriptions/xxx/resourceGroups/rg-temp/providers/Microsoft.KeyVault/vaults/xxx",
"keyVaultSecretName":"testcert",
"serverFarmId":"[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
}
},
{
"name": "wa-test1",
"type": "Microsoft.Web/sites",
"location": "[resourceGroup().location]",
"apiVersion": "2016-08-01",
"dependsOn": [
"[concat('Microsoft.Web/serverfarms/', 'asp-test')]"
],
"tags": {
"[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/asp-test')]": "Resource",
"displayName": "wa-test1"
},
"properties": {
"name": "wa-test1",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', 'asp-test')]"
}
},
{
"name": "asp-test",
"type": "Microsoft.Web/serverfarms",
"location": "[resourceGroup().location]",
"apiVersion": "2014-06-01",
"dependsOn": [],
"tags": {
"displayName": "appServicePlan"
},
"properties": {
"name": "asp-test",
"sku": "Free",
"workerSize": "Small",
"numberOfWorkers": 1
}
}
]
}
I believe you are missing a permission for a Resource Provider to access Key Vault, so the WebApp is using its own Resource Provider to do that, you need to grant that RP access to key vault:
Set-AzureRmKeyVaultAccessPolicy -VaultName KEYVAULTNAME -PermissionsToSecrets get `
-ServicePrincipalName abfa0a7c-a6b6-4736-8310-5855508787cd
Reference:
https://azure.github.io/AppService/2016/05/24/Deploying-Azure-Web-App-Certificate-through-Key-Vault.html
I tried all the answers but they didn't work. Here's what worked for me:
setting the access permissions for the two service principals on the key vault:
Read more here:
https://devsdaily.com/key-vault-failed-to-sync-the-certificate-the-service-does-not-have-access-to-key-vault/
I was not able to add the policies through the Set-AzureRmKeyVaultAccessPolicy command due to an error in the console.
I was however able to resolve the issue through the Azure Web Interface by opening the KeyVault Access Control(IAM) and adding Key Vault Reader and Key Vault Secrets User roles to Microsoft.Azure.Websites
I wrote the same answer here as well.
