教程:使用 Linux VM 系统分配的托管标识访问 Azure Key VaultTutorial: Use a Linux VM system-assigned managed identity to access Azure Key Vault

Azure 资源的托管标识是 Azure Active Directory 的一项功能。Managed identities for Azure resources is a feature of Azure Active Directory. 支持 Azure 资源的托管标识的每个 Azure 服务都受其自己的时间线限制。Each of the Azure services that support managed identities for Azure resources are subject to their own timeline. 在开始之前,请务必查看资源的托管标识的可用性状态以及已知问题Make sure you review the availability status of managed identities for your resource and known issues before you begin.

本教程介绍 Linux 虚拟机 (VM) 如何使用系统分配的托管标识来访问 Azure Key VaultThis tutorial shows you how a Linux virtual machine (VM) can use a system-assigned managed identity to access Azure Key Vault. 作为引导,Key Vault 随后可让客户端应用程序使用机密访问未受 Azure Active Directory (AD) 保护的资源。Serving as a bootstrap, Key Vault makes it possible for your client application to then use a secret to access resources not secured by Azure Active Directory (AD). 托管服务标识由 Azure 自动管理,可用于向支持 Azure AD 身份验证的服务进行身份验证,这样就无需在代码中包含身份验证信息了。Managed Service Identities are automatically managed by Azure and enable you to authenticate to services that support Azure AD authentication, without including authentication information in your code.

学习如何:You learn how to:

  • 授予 VM 对 Key Vault 中存储的密钥的访问权限Grant your VM access to a secret stored in a Key Vault
  • 使用 VM 标识获取访问令牌,并使用它来检索 Key Vault 中的密钥Get an access token using the VM's identity and use it to retrieve the secret from the Key Vault

先决条件Prerequisites

创建密钥保管库Create a Key Vault

本部分说明如何授予 VM 访问密钥保管库中存储的密钥的权限。This section shows how to grant your VM access to a secret stored in a Key Vault. 使用 Azure 资源的托管标识,代码可以获取访问令牌,对支持 Azure AD 身份验证的资源进行身份验证。Using managed identities for Azure resources, your code can get access tokens to authenticate to resources that support Azure AD authentication.但是,并非所有 Azure 服务都支持 Azure AD 身份验证。  However, not all Azure services support Azure AD authentication. 若要将 Azure 资源的托管标识用于这些服务,请将服务凭据存储在 Azure Key Vault 中,然后使用 VM 的托管标识访问 Key Vault 以检索凭据。To use managed identities for Azure resources with those services, store the service credentials in Azure Key Vault, and use the VM's managed identity to access Key Vault to retrieve the credentials.

首先,我们需要创建一个 Key Vault 并授予 VM 的系统分配托管标识对 Key Vault 的访问权限。First, we need to create a Key Vault and grant our VM’s system-assigned managed identity access to the Key Vault.

  1. 打开 Azure 门户Open the Azure portal

  2. 在左侧导航栏的顶部,选择“创建资源”At the top of the left navigation bar, select Create a resource

  3. 在“搜索市场”框中,键入“Key Vault”,然后按 Enter 。In the Search the Marketplace box type in Key Vault and hit Enter.

  4. 从结果中选择“Key Vault”。Select Key Vault from the results.

  5. 选择“创建”Select Create

  6. 为新 Key Vault 提供一个名称。Provide a Name for the new Key Vault.

    “创建密钥保管库”屏幕

  7. 填写所有必填信息,以确保选择在其中创建了本教程所用虚拟机的订阅和资源组。Fill out all required information making sure that you choose the subscription and resource group where you created the virtual machine that you are using for this tutorial.

  8. 选择“查看 + 创建”Select Review+ create

  9. 选择“创建”Select Create

创建机密Create a secret

接下来,将机密添加到 Key Vault,以便稍后可以使用在 VM 中运行的代码检索此机密。Next, add a secret to the Key Vault, so you can retrieve it later using code running in your VM. 本教程使用的是 PowerShell,但相同的概念适用于在此虚拟机中执行的任何代码。For the purpose of this tutorial, we are using PowerShell but the same concepts apply to any code executing in this virtual machine.

  1. 导航到新创建的密钥保管库。Navigate to your newly created Key Vault.

  2. 选择“密钥”,然后单击“添加”。Select Secrets, and click Add.

  3. 选择“生成/导入”Select Generate/Import

  4. 在“创建机密”屏幕的“上传选项”中,将“手动”保留为选中状态 。In the Create a secret screen from Upload options leave Manual selected.

  5. 输入密钥的名称和值。Enter a name and value for the secret. 该值可以是任何需要的内容。The value can be anything you want.

  6. 明确指定激活日期和到期日期,并将“已启用”设置为“是”。Leave the activation date and expiration date clear, and leave Enabled as Yes.

  7. 单击“创建”以创建密钥。Click Create to create the secret.

    创建机密

授予访问权限Grant access

需要对虚拟机使用的托管标识授予访问权限,以便读取将存储在密钥保管库中的机密。The managed identity used by the virtual machine needs to be granted access to read the secret that we will store in the Key Vault.

  1. 导航到新创建的密钥保管库Navigate to your newly created Key Vault

  2. 在左侧菜单中选择“访问策略”。Select Access Policy from the menu on the left side.

  3. 选择“添加访问策略”Select Add Access Policy

    “密钥保管库创建访问策略”屏幕

  4. 在“从模板配置(可选)”下的“添加访问策略”部分的下拉菜单中选择“机密管理” 。In the Add access policy section under Configure from template (optional) choose Secret Management from the pull-down menu.

  5. 选择“选择主体”,并在搜索字段中输入之前创建的 VM 的名称。Choose Select Principal, and in the search field enter the name of the VM you created earlier. 选择结果列表中的 VM,然后选择“选择”。Select the VM in the result list and choose Select.

  6. 选择“添加”Select Add

  7. 选择“保存”。Select Save.

访问数据Access data

若要完成这些步骤,需要使用 SSH 客户端。To complete these steps, you need an SSH client. 如果使用的是 Windows,可以在适用于 Linux 的 Windows 子系统中使用 SSH 客户端。If you are using Windows, you can use the SSH client in the Windows Subsystem for Linux. 如果需要有关配置 SSH 客户端密钥的帮助,请参阅如何在 Azure 上将 SSH 密钥与 Windows 配合使用如何创建和使用适用于 Azure 中 Linux VM 的 SSH 公钥和私钥对If you need assistance configuring your SSH client's keys, see How to Use SSH keys with Windows on Azure, or How to create and use an SSH public and private key pair for Linux VMs in Azure.

  1. 在门户中,转到 Linux VM,并单击“概述” 中的“连接” 。In the portal, navigate to your Linux VM and in the Overview, click Connect.

  2. 使用所选的 SSH 客户端连接 到 VM。Connect to the VM with the SSH client of your choice.

  3. 在终端窗口中,使用 CURL 向 Azure 资源终结点的本地托管标识发出请求,以获取 Azure Key Vault 的访问令牌。In the terminal window, using CURL, make a request to the local managed identities for Azure resources endpoint to get an access token for Azure Key Vault.

    下面是用于获取访问令牌的 CURL 请求。The CURL request for the access token is below.

    curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.cn' -H Metadata:true  
    

    响应包括访问资源管理器所需的访问令牌。The response includes the access token you need to access Resource Manager.

    响应:Response:

    {"access_token":"eyJ0eXAi...",
    "refresh_token":"",
    "expires_in":"3599",
    "expires_on":"1504130527",
    "not_before":"1504126627",
    "resource":"https://vault.azure.cn",
    "token_type":"Bearer"} 
    

    可以使用此访问令牌对 Azure Key Vault 进行身份验证。You can use this access token to authenticate to Azure Key Vault. 下一个 CURL 请求显示如何使用 CURL 和 Key Vault REST API 从 Key Vault 读取密钥。The next CURL request shows how to read a secret from Key Vault using CURL and the Key Vault REST API. 将需要 Key Vault 的 URL,该 URL 位于 Key Vault 的“概述”页的“软件包”部分。You’ll need the URL of your Key Vault, which is in the Essentials section of the Overview page of the Key Vault. 另外,还需要在前面的调用中获取的访问令牌。You will also need the access token you obtained on the previous call.

    curl 'https://<YOUR-KEY-VAULT-URL>/secrets/<secret-name>?api-version=2016-10-01' -H "Authorization: Bearer <ACCESS TOKEN>" 
    

    响应将如下所示:The response will look like this:

    {"value":"p@ssw0rd!","id":"https://mytestkeyvault.vault.azure.cn/secrets/MyTestSecret/7c2204c6093c4d859bc5b9eff8f29050","attributes":{"enabled":true,"created":1505088747,"updated":1505088747,"recoveryLevel":"Purgeable"}} 
    

在检索 Key Vault 中的密钥后,可以使用该密钥对需要名称和密码的服务进行身份验证。Once you’ve retrieved the secret from the Key Vault, you can use it to authenticate to a service that requires a name and password.

清理资源Clean up resources

需要清理资源时,请访问 Azure 门户,选择“资源组”,找到并选择在本教程中创建的资源组(例如 mi-test),然后使用“删除资源组”命令。When you want to clean up the resources, visit the Azure portal, select Resource groups, locate, and select the resource group that was created in the process of this tutorial (such as mi-test), and then use the Delete resource group command.

此外,也可以通过 PowerShell 或 CLI 执行此操作Alternatively you may also do this via PowerShell or the CLI

后续步骤Next steps

在本教程中,你已学习了如何使用 Linux VM 系统分配的托管标识来访问 Azure Key Vault。In this tutorial, you learned how to use a Linux VM system-assigned managed identity to access Azure Key Vault. 若要详细了解 Azure Key Vault,请参阅:To learn more about Azure Key Vault see: