How to create an Azure key vault and vault access policy by using a Resource Manager template

Azure Key Vault is a cloud service that provides a secure store for secrets like keys, passwords, and certificates. This article describes the process for deploying an Azure Resource Manager template (ARM template) to create a key vault.

An ARM template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax, which lets you state what you intend to deploy without having to write the sequence of programming commands to create it.

Prerequisites

To complete the steps in this article:

  • If you don't have an Azure subscription, create a Trial before you start.

Create a Key Vault Resource Manager template

The following template shows a basic way to create a key vault. Some values are specified in the template.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVaultName": {
      "type": "string",
      "metadata": {
        "description": "Specifies the name of the key vault."
      }
    },
    "skuName": {
      "type": "string",
      "defaultValue": "Standard",
      "allowedValues": [
        "Standard",
        "Premium"
      ],
      "metadata": {
        "description": "Specifies whether the key vault is a standard vault or a premium vault."
      }
    }
   },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2019-09-01",
      "name": "[parameters('keyVaultName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "enabledForDeployment": false,
        "enabledForDiskEncryption": false,
        "enabledForTemplateDeployment": false,
        "tenantId": "[subscription().tenantId]",
        "accessPolicies": [],
        "sku": {
          "name": "[parameters('skuName')]",
          "family": "A"
        },
        "networkAcls": {
          "defaultAction": "Allow",
          "bypass": "AzureServices"
        }
      }
    }
  ]
}

For more information about Key Vault template settings, see the Key Vault ARM template reference.

Important

If a template is redeployed, any existing access policies in the key vault will be overridden. We recommend that you populate the accessPolicies property with existing access policies to avoid losing access to the key vault.
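One way to act on this note, as an added example rather than code from the article: read the vault's current access policies (for instance with `az keyvault show --name <vault> --query properties.accessPolicies -o json`) and merge them into the template's accessPolicies before redeploying, so the redeploy cannot silently drop them. The template and the policy list below are constructed samples with placeholder GUIDs.

```python
import json

# Constructed stand-in for the create-a-key-vault template above, reduced to the parts the
# merge touches (not the page's full template).
VAULT_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [{
        "type": "Microsoft.KeyVault/vaults",
        "apiVersion": "2019-09-01",
        "name": "[parameters('keyVaultName')]",
        "properties": {"tenantId": "[subscription().tenantId]", "accessPolicies": []},
    }],
}

# Constructed sample of the vault's current policies, in the shape returned by
# `az keyvault show --name <vault> --query properties.accessPolicies -o json` (placeholder GUIDs).
EXISTING_POLICIES = [
    {"tenantId": "00000000-0000-0000-0000-000000000001",
     "objectId": "11111111-1111-1111-1111-111111111111",
     "permissions": {"keys": ["get", "list"], "secrets": ["get"], "certificates": []}},
    {"tenantId": "00000000-0000-0000-0000-000000000001",
     "objectId": "22222222-2222-2222-2222-222222222222",
     "permissions": {"keys": [], "secrets": ["list"], "certificates": []}},
]


def merge_access_policies(template, existing_policies):
    """Return a deep copy of `template` whose Microsoft.KeyVault/vaults resources carry every
    policy in `existing_policies` that they do not already declare, so a redeploy does not
    drop them. Policies are matched on objectId (unique per list, as the page notes),
    case-insensitively; a policy already in the template wins. The input is not mutated."""
    merged = json.loads(json.dumps(template))  # deep copy via a JSON round trip
    for resource in merged["resources"]:
        if resource.get("type") != "Microsoft.KeyVault/vaults":
            continue
        policies = resource.setdefault("properties", {}).setdefault("accessPolicies", [])
        seen = {p["objectId"].lower() for p in policies}
        for policy in existing_policies:
            oid = policy["objectId"].lower()
            if oid not in seen:
                policies.append(policy)
                seen.add(oid)
    return merged


def merged_object_ids(template, existing_policies):
    """Object IDs the vault resource will carry after the merge: a quick pre-deploy check."""
    merged = merge_access_policies(template, existing_policies)
    vault = next(r for r in merged["resources"] if r["type"] == "Microsoft.KeyVault/vaults")
    return sorted(p["objectId"] for p in vault["properties"]["accessPolicies"])
```

Write the merged object out with `json.dump` and deploy that file with the New-AzResourceGroupDeployment or az deployment group create commands shown later on this page.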

Add an access policy to a Key Vault Resource Manager template

You can deploy access policies to an existing key vault without redeploying the entire key vault template. The following template shows a basic way to create access policies:

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVaultName": {
      "type": "string",
      "metadata": {
        "description": "Specifies the name of the key vault."
      }
    },
    "objectId": {
      "type": "string",
      "metadata": {
        "description": "Specifies the object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Get it by using Get-AzADUser or Get-AzADServicePrincipal cmdlets."
      }
    },
    "keysPermissions": {
      "type": "array",
      "defaultValue": [
        "list"
      ],
      "metadata": {
        "description": "Specifies the permissions to keys in the vault. Valid values are: all, encrypt, decrypt, wrapKey, unwrapKey, sign, verify, get, list, create, update, import, delete, backup, restore, recover, and purge."
      }
    },
    "secretsPermissions": {
      "type": "array",
      "defaultValue": [
        "list"
      ],
      "metadata": {
        "description": "Specifies the permissions to secrets in the vault. Valid values are: all, get, list, set, delete, backup, restore, recover, and purge."
      }
    },
    "certificatePermissions": {
      "type": "array",
      "defaultValue": [
        "list"
      ],
      "metadata": {
        "description": "Specifies the permissions to certificates in the vault. Valid values are: all, create, delete, update, deleteissuers, get, getissuers, import, list, listissuers, managecontacts, manageissuers, recover, backup, restore, setissuers, and purge."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "name": "[concat(parameters('keyVaultName'), '/add')]",
      "apiVersion": "2019-09-01",
      "properties": {
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[parameters('objectId')]",
            "permissions": {
              "keys": "[parameters('keysPermissions')]",
              "secrets": "[parameters('secretsPermissions')]",
              "certificates": "[parameters('certificatePermissions')]"
            }
          }
        ]
      }
    }
  ]
}

For more information about Key Vault template settings, see the Key Vault ARM template reference.

More Key Vault Resource Manager templates

There are other Resource Manager templates available for Key Vault objects:

Secrets    Keys    Certificates
           N/A     N/A

You can find more Key Vault templates here: Key Vault Resource Manager reference.

Deploy the templates

You can use the Azure portal to deploy the preceding templates by using the "Build your own template in the editor" option, as described in Deploy resources from a custom template.

You can also save the preceding templates to files and deploy them with New-AzResourceGroupDeployment (Azure PowerShell) or az deployment group create (Azure CLI):
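As an added example (not part of the original article or of Microsoft's templates), a small Python check to run over an access-policy template before deployment: it flags `parameters('...')` references that no parameter declares, permission values outside the lists given in the parameter descriptions above, and the broad `all` and `purge` grants that deserve a deliberate decision. The sample template is a constructed cut-down copy of the one above with one reference deliberately misspelled so the check has something to find.

```python
import json
import re

# Valid permission values as listed in the parameter descriptions of the template above.
VALID_PERMISSIONS = {
    "keys": {"all", "encrypt", "decrypt", "wrapKey", "unwrapKey", "sign", "verify", "get", "list",
             "create", "update", "import", "delete", "backup", "restore", "recover", "purge"},
    "secrets": {"all", "get", "list", "set", "delete", "backup", "restore", "recover", "purge"},
    "certificates": {"all", "create", "delete", "update", "deleteissuers", "get", "getissuers", "import",
                     "list", "listissuers", "managecontacts", "manageissuers", "recover", "backup",
                     "restore", "setissuers", "purge"},
}
BROAD = {"all", "purge"}  # grants worth a deliberate decision rather than a default
PARAM_REF = re.compile(r"parameters\('([^']+)'\)")          # any reference inside an expression
PARAM_EXPR = re.compile(r"^\[parameters\('([^']+)'\)\]$")   # a value that is exactly one reference

# Constructed cut-down copy of the access-policy template above (not the page's full template);
# the certificates reference is deliberately misspelled so the undefined-parameter check fires.
SAMPLE = {
    "parameters": {"keysPermissions": {"type": "array", "defaultValue": ["list"]},
                   "secretsPermissions": {"type": "array", "defaultValue": ["list"]}},
    "resources": [{"type": "Microsoft.KeyVault/vaults/accessPolicies",
                   "properties": {"accessPolicies": [{"permissions": {
                       "keys": "[parameters('keysPermissions')]",
                       "secrets": "[parameters('secretsPermissions')]",
                       "certificates": "[parameters('certificatesPermissions')]"}}]}}],
}


def lint_access_policy_template(template, overrides=None):
    """Return findings: parameters referenced but never declared, permission values
    outside the documented vocabulary, and broad grants (all/purge). `overrides` maps
    parameter names to the values you intend to pass at deployment time."""
    overrides, declared, findings = overrides or {}, template.get("parameters", {}), []
    referenced = set(PARAM_REF.findall(json.dumps(template["resources"])))
    findings += [f"undefined parameter: {n}" for n in sorted(referenced - set(declared))]
    for resource in template["resources"]:
        for policy in resource.get("properties", {}).get("accessPolicies", []):
            for kind, value in policy.get("permissions", {}).items():
                if isinstance(value, str):  # resolve "[parameters('x')]" to override or default
                    m = PARAM_EXPR.match(value)
                    if not m or m.group(1) not in declared:
                        continue            # other ARM expression, or undeclared and already reported
                    value = overrides.get(m.group(1), declared[m.group(1)].get("defaultValue", []))
                valid = {v.lower() for v in VALID_PERMISSIONS.get(kind, set())}  # names are not case-sensitive
                for perm in value:
                    if perm.lower() not in valid:
                        findings.append(f"unknown {kind} permission: {perm}")
                    elif perm.lower() in BROAD:
                        findings.append(f"broad {kind} permission: {perm}")
    return findings
```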

New-AzResourceGroupDeployment -ResourceGroupName ExampleGroup -TemplateFile key-vault-template.json
az deployment group create --resource-group ExampleGroup --template-file key-vault-template.json

Clean up resources

If you plan to continue with subsequent quickstarts and tutorials, you can leave these resources in place. When you don't need the resources any longer, delete the resource group. If you delete the group, the key vault and related resources are also deleted. To delete the resource group by using the Azure CLI or Azure PowerShell, complete these steps:

echo "Enter the Resource Group name:" &&
read resourceGroupName &&
az group delete --name $resourceGroupName &&
echo "Press [ENTER] to continue ..."
