Moving an Azure Key Vault to another subscription

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Overview

Important

Moving a key vault to another subscription will cause a breaking change to your environment. Make sure you understand the impact of this change and follow the guidance in this article carefully before deciding to move your key vault to a new subscription. If you are using Managed Service Identities (MSI), please read the post-move instructions at the end of the document.

When you create a key vault, it is automatically tied to the default Azure Active Directory tenant ID for the subscription in which it is created. All access policy entries are also tied to this tenant ID. If you move your Azure subscription from tenant A to tenant B, your existing key vaults will be inaccessible to the service principals (users and applications) in tenant B. To fix this issue, you need to:

  • Change the tenant ID associated with all existing key vaults in the subscription to tenant B.
  • Remove all existing access policy entries.
  • Add new access policy entries associated with tenant B.

Limitations

Some service principals (users and applications) are bound to a specific tenant. If you move your key vault to a subscription in another tenant, there is a chance that you will not be able to restore access for a specific service principal. Check to make sure that all essential service principals exist in the tenant to which you are moving your key vault.

Design considerations

Your organization may have implemented Azure Policy with enforcement or exclusions at the subscription level. The subscription where your key vault currently exists and the subscription to which you are moving it may have different sets of policy assignments. A conflict in policy requirements has the potential to break your applications.

Example

You have an application connected to a key vault that creates certificates valid for two years. The subscription to which you are attempting to move your key vault has a policy assignment that blocks the creation of certificates valid for longer than one year. After you move the key vault to the new subscription, the operation to create a certificate valid for two years will be blocked by that Azure Policy assignment.

Solution

Go to the Azure Policy page in the Azure portal, look at the policy assignments for your current subscription as well as for the subscription you are moving to, and make sure there are no mismatches.
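The same mismatch check can be scripted instead of read off the portal. The following is an added example, not part of the original article: it lists the policy definitions assigned (directly or inherited from management groups) to each subscription and prints the ones that apply to only one side. It assumes Az.Accounts and Az.Resources are installed, that you are already signed in with Connect-AzAccount -EnvironmentName AzureChinaCloud, and that the two subscription IDs are placeholders you replace.

```powershell
# Added example (not from the original article). Subscription IDs are placeholders.
$sourceSubscriptionId      = '<source-subscriptionId>'
$destinationSubscriptionId = '<destination-subscriptionId>'

function Get-AssignedPolicyDefinitionIds {
    param([string]$SubscriptionId)
    # Switch context so the cmdlet queries the right subscription; -Scope at the
    # subscription level also returns assignments inherited from management groups,
    # which is what actually applies to a key vault placed in that subscription.
    Set-AzContext -SubscriptionId $SubscriptionId | Out-Null
    Get-AzPolicyAssignment -Scope "/subscriptions/$SubscriptionId" | ForEach-Object {
        # Older Az.Resources versions nest the definition ID under .Properties,
        # newer ones expose it at the top level; handle both.
        if ($_.PSObject.Properties['PolicyDefinitionId']) { $_.PolicyDefinitionId }
        else { $_.Properties.PolicyDefinitionId }
    } | Sort-Object -Unique
}

$sourceIds      = @(Get-AssignedPolicyDefinitionIds -SubscriptionId $sourceSubscriptionId)
$destinationIds = @(Get-AssignedPolicyDefinitionIds -SubscriptionId $destinationSubscriptionId)

# Anything only on the destination side is a new constraint your application has
# never run under; anything only on the source side is a control you would lose.
$diff = @(Compare-Object -ReferenceObject $sourceIds -DifferenceObject $destinationIds)
foreach ($entry in $diff) {
    $side = if ($entry.SideIndicator -eq '=>') { 'only in destination' } else { 'only in source' }
    Write-Output ("{0,-20} {1}" -f $side, $entry.InputObject)
}
if ($diff.Count -eq 0) {
    Write-Output 'No policy assignment mismatch between the two subscriptions.'
}
```

Review each definition listed as "only in destination" against what your application does in the vault (certificate validity, key types, network rules) before you move.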

Prerequisites

  • Contributor-level access or higher to the current subscription where your key vault exists.
  • Contributor-level access or higher to the subscription to which you want to move your key vault.
  • A resource group in the new subscription.

Procedure

Moving Key Vault to a new subscription within the same tenant

  1. Log in to the Azure portal
  2. Navigate to your key vault
  3. Click the "Overview" tab
  4. Select the "Move" button
  5. Select "Move to another subscription" from the dropdown options
  6. Select the resource group to which you want to move your key vault
  7. Acknowledge the warning regarding moving resources
  8. Select "OK"

Additional steps if you moved the key vault to a subscription in a new tenant

If you moved your key vault to a subscription in a new tenant, you need to manually update the tenant ID and remove the old access policies. Below are the steps in both Azure PowerShell and Azure CLI. If you are using PowerShell, you may need to run the Clear-AzContext command shown below so that you can see resources outside your currently selected scope.

Azure PowerShell

Select-AzSubscription -SubscriptionId <your-subscriptionId>                # Select your Azure subscription
$vaultResourceId = (Get-AzKeyVault -VaultName myvault).ResourceId          # Get your key vault's resource ID
$vault = Get-AzResource -ResourceId $vaultResourceId -ExpandProperties     # Get the properties for your key vault
$vault.Properties.TenantId = (Get-AzContext).Tenant.TenantId               # Change the tenant that your key vault resides in
$vault.Properties.AccessPolicies = @()                                     # Clear the old access policies. They could instead be
                                                                           # set here to the real applications/users/rights so that
                                                                           # it does not need to be done after this whole activity;
                                                                           # here we are not setting any access policies.
Set-AzResource -ResourceId $vaultResourceId -Properties $vault.Properties  # Modify the key vault's properties

Clear-AzContext                                                            # Clear the context from PowerShell
Connect-AzAccount -EnvironmentName AzureChinaCloud                         # Log in again to confirm you have the correct tenant ID

Azure CLI

az cloud set -n AzureChinaCloud                                            # Select the Azure China cloud
az account set -s <your-subscriptionId>                                    # Select your Azure subscription
tenantId=$(az account show --query tenantId -o tsv)                        # Get your tenant ID (tsv output strips the JSON quotes)
az keyvault update -n myvault --remove Properties.accessPolicies           # Remove the access policies
az keyvault update -n myvault --set Properties.tenantId=$tenantId          # Update the key vault tenant ID

Now that your vault is associated with the correct tenant ID and the old access policy entries are removed, set new access policy entries with the Azure PowerShell Set-AzKeyVaultAccessPolicy cmdlet or the Azure CLI az keyvault set-policy command.
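The following is an added example, not part of the original article, showing how the re-grant step can be done safely in Azure PowerShell: it first verifies that the vault's tenant ID matches the tenant you are signed in to and that no policy entry from the old tenant survived, then grants each principal from the new tenant only the permissions it needs, and finally prints the resulting entries for review. It assumes Az.Accounts and Az.KeyVault, an existing login to the destination tenant, and that the object IDs are placeholders you replace with real object IDs from tenant B.

```powershell
# Added example (not from the original article). Object IDs are placeholders.
$vaultName = 'myvault'

# Principals that exist in the NEW tenant and the minimal rights each one needs.
$policies = @(
    @{ ObjectId = '<app-objectId-in-tenant-B>';   Secrets = @('get', 'list') },
    @{ ObjectId = '<admin-objectId-in-tenant-B>'; Secrets = @('get', 'list', 'set', 'delete');
       Certificates = @('get', 'list', 'create') }
)

function Assert-KeyVaultTenant {
    param([string]$VaultName)
    $vault = Get-AzKeyVault -VaultName $VaultName
    if (-not $vault) { throw "Key vault '$VaultName' was not found in the current subscription." }
    $currentTenant = (Get-AzContext).Tenant.Id
    if ($vault.TenantId -ne $currentTenant) {
        throw "Key vault '$VaultName' is bound to tenant $($vault.TenantId) but you are signed in to tenant $currentTenant. Update the tenant ID first."
    }
    # Any entry still pointing at another tenant is stale and cannot be resolved; it must be removed.
    $stale = @($vault.AccessPolicies | Where-Object { $_.TenantId -ne $currentTenant })
    if ($stale.Count -gt 0) {
        throw "Key vault '$VaultName' still has $($stale.Count) access policy entries from another tenant."
    }
    return $vault
}

$null = Assert-KeyVaultTenant -VaultName $vaultName

foreach ($policy in $policies) {
    $params = @{ VaultName = $vaultName; ObjectId = $policy.ObjectId }
    if ($policy.Secrets)      { $params.PermissionsToSecrets      = $policy.Secrets }
    if ($policy.Certificates) { $params.PermissionsToCertificates = $policy.Certificates }
    Set-AzKeyVaultAccessPolicy @params
}

# Final check: every entry now belongs to the new tenant and carries only the rights granted above.
Get-AzKeyVault -VaultName $vaultName |
    Select-Object -ExpandProperty AccessPolicies |
    Select-Object ObjectId, TenantId, PermissionsToSecretsStr, PermissionsToCertificatesStr
```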

If you are using a managed identity for Azure resources, you will need to update it to the new Azure Active Directory tenant as well. For more information on managed identities, see Managed identity overview.

If you are using a managed identity, you will also have to update the identity, because the old identity will no longer be in the correct Azure Active Directory tenant. See the following documents to help resolve this issue.