Tutorial: Integrate Azure Key Vault in Resource Manager template deployment

Learn how to retrieve secrets from Azure Key Vault and pass them as parameters during a Resource Manager deployment. The secret value is never exposed in the template or the parameters file, because you only reference the secret through its key vault ID. For more information, see Use Azure Key Vault to pass secure parameter value during deployment.

In the Set resource deployment order tutorial, you create a virtual machine, a virtual network, and some other dependent resources. In this tutorial, you customize that template to retrieve the virtual machine administrator password from a key vault.

Diagram: Resource Manager template Key Vault integration

This tutorial covers the following tasks:

  • Prepare a key vault
  • Open a QuickStart template
  • Edit the parameters file
  • Deploy the template
  • Validate the deployment
  • Clean up resources

If you don't have an Azure subscription, create a trial account before you begin.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Prerequisites

To complete this article, you need:

Prepare a key vault

In this section, you use a Resource Manager template to create a key vault and a secret. The template does the following:

  • Creates a key vault with the enabledForTemplateDeployment property enabled. This property must be true before the template deployment process can access the secrets defined in this key vault.
  • Adds a secret to the key vault. The secret stores the virtual machine administrator password.

If you (the user who deploys the virtual machine template) are not the Owner or a Contributor of the key vault, the Owner or a Contributor of the key vault must grant you the Microsoft.KeyVault/vaults/deploy/action permission on the key vault. For more information, see Use Azure Key Vault to pass secure parameter value during deployment.

The template needs your Azure AD user object ID to configure the permissions. The following procedure gets the object ID (a GUID).

  1. Run the following Azure PowerShell or Azure CLI command (the Azure CLI version is shown here). It prompts for the email address of your Azure account and prints the object ID of that user.

    echo "Enter the email address that is associated with your Azure subscription:" &&
    read upn &&
    az ad user show --upn-or-object-id "$upn" --query "objectId"

  2. Write down the object ID. You need it later in the tutorial.

To create a key vault:

  1. Select the following image to sign in to Azure and open a template. The template creates a key vault and a secret.

    Image: Deploy to Azure button

  2. Select Edit template from the left pane, replace centralus with chinanorth on line 93, and then click Save.

  3. Select or enter the following values. Don't select Create after you enter the values.

    Screenshot: Resource Manager template Key Vault integration deploy portal

    • Deploy Solution Template section:

      | Name | Value |
      | Subscription | Select an Azure subscription. |
      | Resource group | Assign a unique name. Write down this name; you use the same resource group to deploy the virtual machine in the next section. Placing both the key vault and the virtual machine in the same resource group makes it easier to clean up the resources at the end of the tutorial. |
      | Resource group location | Select a location. The default location is China North. |

    • Select Edit parameters, and in the Parameters section enter:

      | Name | Value |
      | Key Vault Name | Assign a unique name. |
      | Tenant Id | The template function automatically retrieves your tenant ID. Don't change the default value. |
      | Ad User Id | Enter the Azure AD user object ID that you retrieved in the previous procedure. |
      | Secret Name | The default name is vmAdminPassword. If you change the secret name here, you need to update the secret name when you deploy the virtual machine. |
      | Secret Value | Enter your secret. The secret is the password used to sign in to the virtual machine. It is recommended to use the generated password you created in the previous procedure. |
  4. Select Edit template from the left pane to take a look at the template.

  5. Browse to line 28 of the template JSON file. This is the key vault resource definition.

  6. Browse to line 35:

    "enabledForTemplateDeployment": true,


    enabledForTemplateDeployment is a Key Vault property. It must be true before you can retrieve secrets from this key vault during a deployment.

  7. Browse to line 89. This is the Key Vault secret definition.

  8. Select Discard at the bottom of the page. You didn't make any changes.

  9. Select Legal terms from the left pane, and click Create after you confirm the parameter values.

    Screenshot: Resource Manager template Key Vault legal terms

  10. Verify that you have provided all the values as shown in the previous screenshot, and then click Create at the bottom of the page.

  11. Select the bell icon (Notifications) at the top of the page to open the Notifications pane. Wait until the resource is deployed successfully.

  12. Select Go to resource group from the Notifications pane.

  13. Select the key vault name to open it.

  14. Select Secrets from the left pane. vmAdminPassword should be listed there.

  15. Select Access policies from the left pane. Your name (Active Directory) should be listed; otherwise you don't have permission to access the key vault.

  16. Select Click to show advanced access policies. Notice that Enable access to Azure Resource Manager for template deployment is selected. This setting is the other condition required for the Key Vault integration to work.

    Screenshot: Resource Manager template Key Vault integration access policies

  17. Select Properties from the left pane.

  18. Make a copy of the Resource ID. You need this ID when you deploy the virtual machine. The Resource ID format is:

    /subscriptions/<SubscriptionID>/resourceGroups/mykeyvaultdeploymentrg/providers/Microsoft.KeyVault/vaults/<KeyVaultName>
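The two vault-side conditions this procedure verifies by hand in the portal (step 6: enabledForTemplateDeployment is true; step 15: the deploying user is listed under Access policies) can also be checked from a vault description before you attempt the deployment. The following Python script is an added example and is not part of this tutorial or of the quickstart template. It reads a vault description in the shape of the Microsoft.KeyVault/vaults resource (for example, the JSON that `az keyvault show` prints), here a constructed sample embedded inline with placeholder values, and reports which precondition is missing. The function names, the sample and the object ID are assumptions.

```python
import json

# Constructed sample in the shape of a Microsoft.KeyVault/vaults resource as
# returned by `az keyvault show`; every value is a placeholder. The vault
# deliberately has enabledForTemplateDeployment set to false so that the
# check has something to report.
SAMPLE_VAULT_JSON = """
{
  "id": "/subscriptions/<SubscriptionID>/resourceGroups/mykeyvaultdeploymentrg/providers/Microsoft.KeyVault/vaults/<KeyVaultName>",
  "name": "<KeyVaultName>",
  "properties": {
    "tenantId": "00000000-0000-0000-0000-000000000000",
    "enabledForTemplateDeployment": false,
    "accessPolicies": [
      {
        "objectId": "11111111-1111-1111-1111-111111111111",
        "permissions": {"secrets": ["get", "list", "set"]}
      }
    ]
  }
}
"""

# Object ID of the user who will run the deployment (placeholder; in practice
# this is the GUID printed by the `az ad user show` step).
DEPLOYER_OBJECT_ID = "11111111-1111-1111-1111-111111111111"


def check_vault_for_template_deployment(vault, deployer_object_id):
    """Return the list of preconditions that are NOT met for using this vault
    in a template deployment. An empty list means both checks passed.

    Checks performed:
      1. properties.enabledForTemplateDeployment must be exactly true (the
         portal's "Enable access to Azure Resource Manager for template
         deployment" setting).
      2. The deploying user's object ID must have an access policy entry;
         otherwise the user is not listed under Access policies.
    """
    problems = []
    props = vault.get("properties", {})

    if props.get("enabledForTemplateDeployment") is not True:
        problems.append(
            "enabledForTemplateDeployment is not true; a deployment cannot "
            "read secrets from this vault"
        )

    policy_ids = {
        str(policy.get("objectId", "")).lower()
        for policy in props.get("accessPolicies", [])
    }
    if deployer_object_id.lower() not in policy_ids:
        problems.append(
            f"no access policy for object ID {deployer_object_id}; "
            "the deploying user is not listed under Access policies"
        )
    return problems


def check_vault_json(text, deployer_object_id):
    """Parse the vault JSON text and run the checks on it."""
    return check_vault_for_template_deployment(json.loads(text), deployer_object_id)


if __name__ == "__main__":
    for problem in check_vault_json(SAMPLE_VAULT_JSON, DEPLOYER_OBJECT_ID):
        print("NOT READY:", problem)

    # Correct the sample in memory to show the passing case.
    vault = json.loads(SAMPLE_VAULT_JSON)
    vault["properties"]["enabledForTemplateDeployment"] = True
    print("after enabling:", check_vault_for_template_deployment(vault, DEPLOYER_OBJECT_ID))
```

To run it against a real vault, save the output of `az keyvault show` to a file, pass its text to check_vault_json together with your own object ID, and treat any non-empty result as a reason to fix the vault before deploying; the script itself never touches the secret values.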
    

Open a QuickStart template

Azure QuickStart Templates is a repository of Resource Manager templates. Instead of creating a template from scratch, you can find a sample template and customize it. The template used in this tutorial is called Deploy a simple Windows VM.

  1. In Visual Studio Code, select File > Open File.

  2. In File name, paste the following URL:

    https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-vm-simple-windows/azuredeploy.json

  3. Select Open to open the file. It is the same scenario used in Tutorial: create Azure Resource Manager templates with dependent resources.

  4. There are five resources defined by the template:

    • Microsoft.Storage/storageAccounts
    • Microsoft.Network/publicIPAddresses
    • Microsoft.Network/virtualNetworks
    • Microsoft.Network/networkInterfaces
    • Microsoft.Compute/virtualMachines

    It is helpful to get a basic understanding of the template before customizing it.

  5. Select File > Save As to save a copy of the file to your local computer with the name azuredeploy.json.

  6. Repeat steps 1-4 to open the following URL, and then save the file as azuredeploy.parameters.json.

    https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-vm-simple-windows/azuredeploy.parameters.json
    

Edit the parameters file

You don't need to make any changes to the template file.

  1. Open azuredeploy.parameters.json in Visual Studio Code if it is not already open.

  2. Update the adminPassword parameter to:

    "adminPassword": {
        "reference": {
            "keyVault": {
                "id": "/subscriptions/<SubscriptionID>/resourceGroups/mykeyvaultdeploymentrg/providers/Microsoft.KeyVault/vaults/<KeyVaultName>"
            },
            "secretName": "vmAdminPassword"
        }
    },


    Replace the id with the resource ID of the key vault you created in the previous procedure.

    Screenshot: Key Vault and Resource Manager template virtual machine deployment parameters file

  3. Give values to:

    • adminUsername: the name of the virtual machine administrator account.
    • dnsLabelPrefix: the DNS label prefix for the public IP address.
  4. Save the changes.
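Before moving on to the deployment, it is worth confirming that azuredeploy.parameters.json really carries a Key Vault reference for adminPassword rather than a literal password, and that the reference points at a vault resource ID of the format shown in step 18 of the previous procedure. The following Python script is an added example, not part of this tutorial or of the quickstart template. It audits a constructed parameters file embedded inline (placeholder vault ID and constructed parameter values), flags a secure parameter that is supplied in plaintext, and extracts the subscription, resource group, vault name and secret name from a valid reference. The function and variable names are assumptions.

```python
import json
import re

# Resource ID format of a key vault, as copied from the vault's Properties blade:
# /subscriptions/<SubscriptionID>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<KeyVaultName>
VAULT_ID_RE = re.compile(
    r"^/subscriptions/(?P<subscription>[^/]+)"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/Microsoft\.KeyVault/vaults/(?P<vault>[^/]+)$"
)

# Constructed parameters file in the shape of azuredeploy.parameters.json after
# the edit in step 2; <SubscriptionID> and <KeyVaultName> are placeholders.
SAMPLE_PARAMETERS = """
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminUsername": { "value": "azureuser" },
    "adminPassword": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/<SubscriptionID>/resourceGroups/mykeyvaultdeploymentrg/providers/Microsoft.KeyVault/vaults/<KeyVaultName>"
        },
        "secretName": "vmAdminPassword"
      }
    },
    "dnsLabelPrefix": { "value": "mysimplewinvm" }
  }
}
"""

# Constructed counter-example: a parameters file that still carries the
# password as a literal value, which is exactly what the audit should reject.
SAMPLE_PLAINTEXT = """
{
  "parameters": {
    "adminUsername": { "value": "azureuser" },
    "adminPassword": { "value": "PLACEHOLDER-NOT-A-REAL-PASSWORD" },
    "dnsLabelPrefix": { "value": "mysimplewinvm" }
  }
}
"""


def audit_parameters(text, secure_parameters=("adminPassword",)):
    """Audit a parameters file. Returns (findings, references):
    findings   - list of human-readable problems (empty means the file is fine)
    references - parameter name -> dict with subscription, resource_group,
                 vault and secretName parsed from its Key Vault reference
    """
    params = json.loads(text).get("parameters", {})
    findings, references = [], {}
    for name in secure_parameters:
        entry = params.get(name)
        if entry is None:
            findings.append(f"{name}: not present in the parameters file")
            continue
        # A "value" key means the secret is written in the clear in the file.
        if "value" in entry:
            findings.append(f"{name}: given as a plaintext value; use a Key Vault reference instead")
            continue
        ref = entry.get("reference", {})
        vault_id = ref.get("keyVault", {}).get("id", "")
        match = VAULT_ID_RE.match(vault_id)
        if not match:
            findings.append(f"{name}: keyVault.id is not a vault resource ID: {vault_id!r}")
            continue
        secret_name = ref.get("secretName")
        if not secret_name:
            findings.append(f"{name}: Key Vault reference has no secretName")
            continue
        references[name] = {**match.groupdict(), "secretName": secret_name}
    return findings, references


if __name__ == "__main__":
    for label, text in (("edited file", SAMPLE_PARAMETERS), ("plaintext file", SAMPLE_PLAINTEXT)):
        findings, refs = audit_parameters(text)
        print(f"{label}: {findings or 'OK'} {refs}")
```

Pointing the script at your real azuredeploy.parameters.json (read the file and pass its text to audit_parameters) is a cheap pre-commit check: it catches a password that was pasted in as a value, a vault ID that still contains the <SubscriptionID> or <KeyVaultName> placeholders only in the sense of a malformed path, and a reference whose secretName no longer matches the name you chose when creating the vault.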

Deploy the template

Follow the instructions in Deploy the template to deploy the template. You need both azuredeploy.json and azuredeploy.parameters.json on your local PC, and then use the following PowerShell script to deploy the template:

$resourceGroupName = Read-Host -Prompt "Enter the Resource Group name"
$location = Read-Host -Prompt "Enter the location (i.e. chinaeast)"

New-AzResourceGroup -Name $resourceGroupName -Location $location
New-AzResourceGroupDeployment `
    -ResourceGroupName $resourceGroupName `
    -TemplateFile azuredeploy.json `
    -TemplateParameterFile azuredeploy.parameters.json

When you deploy the template, use the same resource group as the key vault. That makes cleanup easier: you only need to delete one resource group instead of two.

Validate the deployment

After you have successfully deployed the virtual machine, test the login using the password stored in the key vault.

  1. Open the Azure portal.
  2. Select Resource groups / <YourResourceGroupName> / simpleWinVM.
  3. Select Connect at the top.
  4. Select Download RDP File, and then follow the instructions to sign in to the virtual machine using the password stored in the key vault.

Clean up resources

When the Azure resources are no longer needed, clean up the resources you deployed by deleting the resource group.

  1. In the Azure portal, select Resource groups from the left menu.
  2. Enter the resource group name in the Filter by name field.
  3. Select the resource group name. You should see a total of six resources in the resource group.
  4. Select Delete resource group from the top menu.

Next steps

In this tutorial, you retrieved a secret from Azure Key Vault and used it in your template deployment. To learn how to create linked templates, see: