Azure Key Vault Developer's Guide

Key Vault allows you to securely access sensitive information from within your applications:

  • Keys, secrets, and certificates are protected without your having to write the protection code yourself, and you can easily use them from your applications.
  • You let customers own and manage their own keys, secrets, and certificates, so you can concentrate on providing the core software features. In this way, your applications do not carry the responsibility or potential liability for your customers' tenant keys, secrets, and certificates.
  • Your application can use keys for signing and encryption while keeping key management external to the application. For more information about keys, see About Keys.
  • You can manage credentials such as passwords, access keys, and SAS tokens by storing them in Key Vault as secrets. See About Secrets.
  • Manage certificates. For more information, see About Certificates.

For more general information on Azure Key Vault, see What is Key Vault.

Public Previews

Periodically, we release a public preview of a new Key Vault feature. Try out public preview features and let us know what you think via azurekeyvault@microsoft.com, our feedback email address.

Creating and Managing Key Vaults

Key Vault management, like that of other Azure services, is done through the Azure Resource Manager service. Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure account. For more information, see Azure Resource Manager.

Access to the management layer is controlled by Azure role-based access control (Azure RBAC). In Key Vault, the management layer, also known as the management or control plane, lets you create and manage key vaults and their attributes, including access policies, but not the keys, secrets, and certificates themselves, which are managed on the data plane. You can use the predefined Key Vault Contributor role to grant management access to Key Vault. Be aware that on a vault using the access policy permission model, a Key Vault Contributor can edit those access policies and thereby grant itself data-plane access, so treat that role assignment as sensitive.

APIs and SDKs for key vault management:

  • Azure CLI: Reference, Quickstart
  • PowerShell: Reference, Quickstart
  • REST API: Reference
  • Resource Manager: Reference, Quickstart
  • .NET: Reference
  • Python: Reference
  • Java: Reference
  • JavaScript: Reference

See Client Libraries for installation packages and source code.

For more information about the Key Vault management plane, see Azure Key Vault security features.

Authenticate to Key Vault in code

Key Vault uses Azure AD authentication, which requires an Azure AD security principal to be granted access. An Azure AD security principal may be a user, an application service principal, a managed identity for Azure resources, or a group containing any of these kinds of principals.

Authentication best practices

It is recommended to use a managed identity for applications deployed to Azure. If you use Azure services that do not support managed identity, or if your applications are deployed on premises, a service principal with a certificate is a possible alternative. In that scenario, the certificate should be stored in Key Vault and rotated often. A service principal with a secret can be used for development and testing environments; for local development, using a user principal is recommended.

Recommended security principals per environment:

  • Production environment:
    • Managed identity or service principal with a certificate
  • Test and development environments:
    • Managed identity, service principal with a certificate, or service principal with a secret
  • Local development:
    • User principal or service principal with a secret

The authentication scenarios above are supported by the Azure Identity client library and integrated with the Key Vault SDKs. The Azure Identity library can be used across different environments and platforms without changing your code. Azure Identity also automatically retrieves an authentication token for the user signed in to Azure with Azure CLI, Visual Studio, Visual Studio Code, and other developer tools.
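The per-environment recommendations above can be enforced in code rather than left to configuration discipline. The following is an added example, not code from the Azure documentation or SDKs: it selects the credential kind the guide allows for the current environment, refuses a service principal secret in production, and only then constructs the matching azure-identity credential for use with the Key Vault secrets client. It assumes the azure-identity and azure-keyvault-secrets packages; the AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_CLIENT_CERTIFICATE_PATH variables are the ones azure-identity's EnvironmentCredential reads, while USE_MANAGED_IDENTITY, APP_ENVIRONMENT, and KEY_VAULT_URL are assumed application settings.

```python
"""Choose the Key Vault credential the guide recommends per environment and
reject configurations it advises against (a service principal secret in production).

Added illustration, not code from the Azure documentation. Assumes the
azure-identity and azure-keyvault-secrets packages; USE_MANAGED_IDENTITY,
APP_ENVIRONMENT and KEY_VAULT_URL are assumed application settings.
"""
import os

# Credential kinds the guide permits in each environment, in preference order.
ALLOWED_CREDENTIALS = {
    "production": ("managed_identity", "certificate"),
    "test": ("managed_identity", "certificate", "secret"),
    "development": ("managed_identity", "certificate", "secret"),
    "local": ("developer", "secret"),
}


def select_credential_kind(environment, settings):
    """Return the first permitted credential kind the settings can satisfy.

    Raises ValueError when nothing usable is configured, or when the only thing
    configured is a client secret in an environment that does not allow it.
    """
    allowed = ALLOWED_CREDENTIALS.get(environment)
    if allowed is None:
        raise ValueError(f"unknown environment {environment!r}")
    for kind in allowed:
        if kind == "managed_identity" and settings.get("use_managed_identity"):
            return kind
        if kind == "certificate" and settings.get("certificate_path"):
            return kind
        if kind == "secret" and settings.get("client_secret"):
            return kind
        if kind == "developer":
            # Token of the user signed in with Azure CLI; nothing to configure.
            return kind
    if settings.get("client_secret"):
        raise ValueError(f"a service principal secret is not permitted in {environment}")
    raise ValueError(f"no credential configured for {environment}")


def build_credential(environment, settings):
    """Construct the azure-identity credential for the selected kind.

    The SDK import is local so the policy check above can run, and be unit
    tested, on a machine without azure-identity installed.
    """
    kind = select_credential_kind(environment, settings)
    from azure.identity import (AzureCliCredential, CertificateCredential,
                                ClientSecretCredential, ManagedIdentityCredential)
    if kind == "managed_identity":
        # client_id selects a user-assigned identity; None means system-assigned.
        return ManagedIdentityCredential(client_id=settings.get("client_id"))
    if kind == "certificate":
        # PEM file holding the service principal's certificate and private key.
        return CertificateCredential(settings["tenant_id"], settings["client_id"],
                                     certificate_path=settings["certificate_path"])
    if kind == "secret":
        return ClientSecretCredential(settings["tenant_id"], settings["client_id"],
                                      settings["client_secret"])
    return AzureCliCredential()


def read_secret(vault_url, secret_name, credential):
    """Fetch the latest version of a secret over the Key Vault data plane."""
    from azure.keyvault.secrets import SecretClient
    client = SecretClient(vault_url=vault_url, credential=credential)
    return client.get_secret(secret_name).value


if __name__ == "__main__":
    settings = {
        "use_managed_identity": os.environ.get("USE_MANAGED_IDENTITY") == "1",
        "tenant_id": os.environ.get("AZURE_TENANT_ID"),
        "client_id": os.environ.get("AZURE_CLIENT_ID"),
        "certificate_path": os.environ.get("AZURE_CLIENT_CERTIFICATE_PATH"),
        "client_secret": os.environ.get("AZURE_CLIENT_SECRET"),
    }
    credential = build_credential(os.environ.get("APP_ENVIRONMENT", "local"), settings)
    print(read_secret(os.environ["KEY_VAULT_URL"], "example-secret", credential))
```

The same code runs unchanged in every environment; only the settings differ. Because the decision is made before any credential object exists, a deployment that ships a client secret into production fails fast at startup instead of quietly authenticating with the weaker credential.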

For more information about the Azure Identity client library, see:

Azure Identity client libraries

  • .NET: Azure Identity SDK .NET
  • Python: Azure Identity SDK Python
  • Java: Azure Identity SDK Java
  • JavaScript: Azure Identity SDK JavaScript

Note

The App Authentication library, which was recommended for Key Vault .NET SDK version 3, is now deprecated. Follow the AppAuthentication to Azure.Identity migration guidance to migrate to Key Vault .NET SDK version 4.

For tutorials on how to authenticate to Key Vault in applications, see:

Manage keys, certificates, and secrets

Access to keys, secrets, and certificates is controlled by the data plane. Data plane access control can be done using local vault access policies or Azure RBAC. A given vault uses one model or the other: once Azure RBAC authorization is enabled on a vault, its access policies are no longer evaluated.

Keys APIs and SDKs

  • Azure CLI: Reference, Quickstart
  • PowerShell: Reference, Quickstart
  • REST API: Reference
  • Resource Manager: Reference, Quickstart
  • .NET: Reference, Quickstart
  • Python: Reference, Quickstart
  • Java: Reference, Quickstart
  • JavaScript: Reference, Quickstart

Certificates APIs and SDKs

  • Azure CLI: Reference, Quickstart
  • PowerShell: Reference, Quickstart
  • REST API: Reference
  • Resource Manager: N/A
  • .NET: Reference, Quickstart
  • Python: Reference, Quickstart
  • Java: Reference, Quickstart
  • JavaScript: Reference, Quickstart

Secrets APIs and SDKs

  • Azure CLI: Reference, Quickstart
  • PowerShell: Reference, Quickstart
  • REST API: Reference
  • Resource Manager: Reference, Quickstart
  • .NET: Reference, Quickstart
  • Python: Reference, Quickstart
  • Java: Reference, Quickstart
  • JavaScript: Reference, Quickstart

See Client Libraries for installation packages and source code.

For more information about Key Vault data plane security, see Azure Key Vault security features.

Code examples

For complete examples using Key Vault with your applications, see:

How-tos

The following articles and scenarios provide task-specific guidance for working with Azure Key Vault:

Integrated with Key Vault

These articles cover other scenarios and services that use or integrate with Key Vault.

  • Encryption at rest encodes (encrypts) data when it is persisted. Data encryption keys are often themselves encrypted with a key encryption key held in Azure Key Vault to further limit access.
  • Azure Private Link Service enables you to access Azure services (for example, Azure Key Vault, Azure Storage, and Azure Cosmos DB) and Azure-hosted customer/partner services over a private endpoint in your virtual network.
  • Key Vault integration with Event Grid allows users to be notified when the status of a secret stored in a key vault has changed. You can distribute new versions of secrets to applications or rotate secrets that are near expiry to prevent outages.
  • You can protect your Azure DevOps secrets from unwanted access by keeping them in Key Vault.
  • Use a secret stored in Key Vault from Azure Databricks to connect to Azure Storage.
  • Configure and run the Azure Key Vault provider for the Secrets Store CSI driver on Kubernetes.

Key Vault overviews and concepts