Deploy an Azure Stack VM using a password stored in Key Vault

Applies to: Azure Stack integrated systems and Azure Stack Development Kit

This article steps through deploying a Windows Server virtual machine (VM) using a password stored in Azure Stack Key Vault. Using a key vault password is more secure than passing a plain text password.

Overview

You can store values such as a password as a secret in an Azure Stack key vault. After you create a secret, you can reference it in Azure Resource Manager templates. Using secrets with Resource Manager provides the following benefits:

  • You don't have to manually enter the secret each time you deploy a resource.
  • You can specify which users or service principals can access a secret.

Prerequisites

The following steps describe the process required to create a VM by retrieving the password stored in a Key Vault:

  1. Create a Key Vault secret.
  2. Update the azuredeploy.parameters.json file.
  3. Deploy the template.

Note

You can use these steps from the Azure Stack Development Kit (ASDK), or from an external client if you're connected through VPN.

Create a Key Vault secret

The following script creates a key vault and stores a password in the key vault as a secret. Use the -EnabledForTemplateDeployment parameter when you're creating the key vault, as the script below does. This parameter makes sure that the key vault can be referenced from Azure Resource Manager templates.


$vaultName = "contosovault"
$resourceGroup = "contosovaultrg"
$location = "local"
$secretName = "MySecret"

New-AzureRmResourceGroup `
  -Name $resourceGroup `
  -Location $location

New-AzureRmKeyVault `
  -VaultName $vaultName `
  -ResourceGroupName $resourceGroup `
  -Location $location `
  -EnabledForTemplateDeployment

$secretValue = ConvertTo-SecureString -String '<Password for your virtual machine>' -AsPlainText -Force

Set-AzureKeyVaultSecret `
  -VaultName $vaultName `
  -Name $secretName `
  -SecretValue $secretValue

When you run the previous script, the output includes the secret URI (Uniform Resource Identifier). Make a note of this URI. You have to reference it in the Deploy Windows VM with password in key vault template. Download the 101-vm-secure-password folder onto your development computer. This folder contains the azuredeploy.json and azuredeploy.parameters.json files, which you'll need in the next steps.

Modify the azuredeploy.parameters.json file according to your environment values. The parameters of special interest are the vault name, the vault resource group, and the secret URI (as generated by the previous script). The file below is an example of a parameter file.

Update the azuredeploy.parameters.json file

Update the azuredeploy.parameters.json file with the Key Vault URI, the secretName, and the adminUsername of the VM, as appropriate for your environment. The following JSON file shows an example of the template parameters file:

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "adminUsername": {
            "value": "demouser"
        },
        "adminPassword": {
            "reference": {
                "keyVault": {
                    "id": "/subscriptions/xxxxxx/resourceGroups/RgKvPwd/providers/Microsoft.KeyVault/vaults/KvPwd"
                },
                "secretName": "MySecret"
            }
        },
        "dnsLabelPrefix": {
            "value": "mydns123456"
        },
        "windowsOSVersion": {
            "value": "2016-Datacenter"
        }
    }
}
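The value of the parameters file above is that the password never appears as a literal. The following check, added here as an example and not part of the original article or the 101-vm-secure-password template, parses a parameters file and flags any sensitive-looking parameter that is passed as a plaintext "value" instead of a Key Vault "reference", or whose keyVault.id is not a full vault resource ID (the sample documents are constructed; the subscription ID is a placeholder).

```python
import json
import re

# Full resource-ID shape that a parameters-file "reference" block must carry.
VAULT_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.KeyVault/vaults/[^/]+$"
)
SENSITIVE_NAME_RE = re.compile(r"password|secret|token", re.IGNORECASE)


def check_parameters_file(text):
    """Return (parameter_name, message) findings for an azuredeploy.parameters.json
    document; an empty list means every sensitive-looking parameter is supplied
    through a Key Vault reference with a full vault resource ID and a secretName."""
    findings = []
    for name, param in json.loads(text).get("parameters", {}).items():
        ref = param.get("reference")
        if ref is None:
            # A literal password lands in the deployment history and in source control.
            if SENSITIVE_NAME_RE.search(name) and "value" in param:
                findings.append((name, "plaintext value for sensitive parameter"))
            continue
        if not VAULT_ID_RE.match(ref.get("keyVault", {}).get("id", "")):
            findings.append((name, "keyVault.id is not a full vault resource ID"))
        if not ref.get("secretName"):
            findings.append((name, "reference is missing secretName"))
    return findings


# Constructed sample mirroring the page's parameters file (subscription ID is a placeholder).
SECURE_PARAMS = json.dumps({"parameters": {
    "adminUsername": {"value": "demouser"},
    "adminPassword": {"reference": {
        "keyVault": {"id": "/subscriptions/xxxxxx/resourceGroups/RgKvPwd"
                           "/providers/Microsoft.KeyVault/vaults/KvPwd"},
        "secretName": "MySecret"}},
    "dnsLabelPrefix": {"value": "mydns123456"},
    "windowsOSVersion": {"value": "2016-Datacenter"},
}})

# Constructed counter-example: a literal password, and a reference that gives only
# the vault name instead of its resource ID.
WEAK_PARAMS = json.dumps({"parameters": {
    "adminPassword": {"value": "<plain text password>"},
    "sqlPassword": {"reference": {"keyVault": {"id": "KvPwd"}, "secretName": "sql"}},
}})
```

Running check_parameters_file over a parameters file before New-AzureRmResourceGroupDeployment catches the two mistakes that most often defeat the pattern: a password typed back in as a literal, and a vault reference that Resource Manager cannot resolve.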

Template deployment

Now deploy the template by using the following PowerShell script:

New-AzureRmResourceGroupDeployment `
  -Name KVPwdDeployment `
  -ResourceGroupName $resourceGroup `
  -TemplateFile "<Fully qualified path to the azuredeploy.json file>" `
  -TemplateParameterFile "<Fully qualified path to the azuredeploy.parameters.json file>"

When the template is deployed successfully, it results in the following output:

[Figure: Deployment output]

Next steps