Set up Key Vault for virtual machines using Azure PowerShell
Applies to: ✔️ Linux VMs ✔️ Windows VMs ✔️ Flexible scale sets
Note
Azure has two different deployment models you can use to create and work with resources: Azure Resource Manager and classic. This article covers the use of the Resource Manager deployment model. We recommend the Resource Manager deployment model for new deployments instead of the classic deployment model.
In the Azure Resource Manager stack, secrets and certificates are modeled as resources provided by the Key Vault resource provider. To learn more about Key Vault, see What is Azure Key Vault?
Note
- In order for Key Vault to be used with Azure Resource Manager virtual machines, the EnabledForDeployment property on Key Vault must be set to true. You can do this in various clients.
- The Key Vault needs to be created in the same subscription and location as the Virtual Machine.
Use PowerShell to set up Key Vault
To create a key vault by using PowerShell, see Set and retrieve a secret from Azure Key Vault using PowerShell.
For new key vaults, you can use this PowerShell cmdlet:
New-AzKeyVault -VaultName 'ContosoKeyVault' -ResourceGroupName 'ContosoResourceGroup' -Location 'China East' -EnabledForDeployment
For existing key vaults, you can use this PowerShell cmdlet:
Set-AzKeyVaultAccessPolicy -VaultName 'ContosoKeyVault' -EnabledForDeployment
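The two prerequisites in the note above (EnabledForDeployment set to true, and the vault in the same subscription and location as the VM) are easy to get wrong silently, so the following script enables the property on an existing vault and then verifies both conditions against a target VM. It is an added example, not code from the original article; the vault name, resource group and VM name (ContosoVM) are assumed placeholders.

```powershell
# Added example (not from the original article): enable EnabledForDeployment on an
# existing vault, then check the prerequisites the note above lists.
# Assumed names: ContosoKeyVault, ContosoResourceGroup, ContosoVM.
$vaultName = 'ContosoKeyVault'
$vaultRg   = 'ContosoResourceGroup'
$vmName    = 'ContosoVM'
$vmRg      = 'ContosoResourceGroup'

# Enable the vault for VM deployment (idempotent; no-op if already set).
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $vaultRg -EnabledForDeployment

# Read back the vault and the VM so the checks use what Azure actually stored.
$vault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $vaultRg
$vm    = Get-AzVM -ResourceGroupName $vmRg -Name $vmName

$problems = @()

if (-not $vault.EnabledForDeployment) {
    $problems += "EnabledForDeployment is still false on $vaultName"
}

# Location strings differ in case and spacing ('China East' vs 'chinaeast');
# normalize both sides before comparing.
$norm = { param($s) ($s -replace '\s', '').ToLowerInvariant() }
if ((& $norm $vault.Location) -ne (& $norm $vm.Location)) {
    $problems += "Vault location '$($vault.Location)' differs from VM location '$($vm.Location)'"
}

# Both resource IDs start with /subscriptions/<id>/..., so the subscription
# is the second path segment after splitting on '/'.
$vaultSub = ($vault.ResourceId -split '/')[2]
$vmSub    = ($vm.Id -split '/')[2]
if ($vaultSub -ne $vmSub) {
    $problems += "Vault subscription $vaultSub differs from VM subscription $vmSub"
}

if ($problems.Count -eq 0) {
    Write-Output "OK: $vaultName is enabled for deployment and co-located with $vmName"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it after Connect-AzAccount with the subscription that owns both resources selected; a non-empty warning list means the VM deployment will fail to reference secrets from this vault.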
Use CLI to set up Key Vault
To create a key vault by using the command-line interface (CLI), see Manage Key Vault using CLI.
For CLI, you have to create the key vault before you assign the deployment policy. You can do this by using the following command:
az keyvault create --name "ContosoKeyVault" --resource-group "ContosoResourceGroup" --location "ChinaEast"
Then to enable Key Vault for use with template deployment, run the following command:
az keyvault update --name "ContosoKeyVault" --resource-group "ContosoResourceGroup" --enabled-for-deployment "true"
Use templates to set up Key Vault
When you use a template, you need to set the enabledForDeployment property to true for the Key Vault resource.
{
  "type": "Microsoft.KeyVault/vaults",
  "name": "ContosoKeyVault",
  "apiVersion": "2015-06-01",
  "location": "<location-of-key-vault>",
  "properties": {
    "enabledForDeployment": "true",
    ....
    ....
  }
}
For other options that you can configure when you create a key vault by using templates, see Create a key vault.
Note
Templates you download or reference from the GitHub repo "azure-quickstart-templates" must be modified to fit the Microsoft Azure operated by 21Vianet environment. For example, replace endpoints such as "blob.core.windows.net" with "blob.core.chinacloudapi.cn" and "cloudapp.azure.com" with "chinacloudapp.cn", and change any unsupported location, VM images, VM sizes, SKUs, and resource-provider API versions where necessary.