Manage Key Vault using the Azure CLI

This article covers how to get started working with Azure Key Vault using the Azure CLI. It shows you:

  • How to create a hardened container (a vault) in Azure
  • Adding a key, secret, or certificate to the key vault
  • Registering an application with Azure Active Directory
  • Authorizing an application to use a key or secret
  • Setting key vault advanced access policies
  • Deleting the key vault and associated keys and secrets
  • Miscellaneous Azure CLI commands

Azure Key Vault is available in most regions. For more information, see the Key Vault pricing page.

Note

This article does not include instructions on how to write the Azure application used in one of the steps; that step shows how to authorize an application to use a key or secret in the key vault.

For an overview of Azure Key Vault, see What is Azure Key Vault? If you don't have an Azure subscription, create a trial account before you begin.

Prerequisites

To use the Azure CLI commands in this article, you must have the following:

  • A subscription to Azure. If you don't have one, you can sign up for a trial account.
  • Azure CLI version 2.0 or later. To install the latest version, see Install the Azure CLI.
  • An application that will be configured to use the key or secret that you create in this article. A sample application is available from the Microsoft Download Center; for instructions, see the included Readme file.

Getting help with the Azure CLI

This article assumes that you're familiar with a command-line interface (Bash, Terminal, Command Prompt).

Use the --help or -h parameter to view help for a specific command, in the form az [command] --help. When in doubt about the parameters a command needs, refer to the help. For example, the following commands return the same information:

az account set --help
az account set -h

You can also read the following articles to get familiar with Azure Resource Manager in the Azure CLI:

How to create a hardened container (a vault) in Azure

Vaults help reduce the chance of accidental loss of security information by centralizing the storage of application secrets. A key vault also controls and logs access to everything stored in it. Azure Key Vault can handle requesting and renewing Transport Layer Security (TLS) certificates, providing the features required for a robust certificate lifecycle management solution. In the next steps, you create a vault.

Connect to your subscription

To sign in interactively, use the following commands (the first selects the Azure China cloud endpoints):

az cloud set -n AzureChinaCloud
az login

To sign in with an organizational account, you can pass your username and password on the command line. Be aware that the password then ends up in your shell history and in the process list while the command runs, and accounts that require multi-factor authentication cannot sign in this way; for unattended use, prefer a service principal.

az cloud set -n AzureChinaCloud
az login -u username@domain.com -p password

If you have more than one subscription and need to specify which to use, type the following to list the subscriptions for your account:

az account list

Specify a subscription with the --subscription parameter:

az account set --subscription <subscription name or ID>

For more information about configuring the Azure CLI, see Install the Azure CLI.

Create a new resource group

When using Azure Resource Manager, all related resources are created inside a resource group. You can create a key vault in an existing resource group, or create a new one:

az group create -n "ContosoResourceGroup" -l "China North"

The first parameter is the resource group name and the second is the location. To get a list of all possible locations, type:

az account list-locations

Register the Key Vault resource provider

You may see the error "The subscription is not registered to use namespace 'Microsoft.KeyVault'" when you try to create a new key vault. If that message appears, register the Key Vault resource provider in your subscription. This is a one-time operation per subscription.

az provider register -n Microsoft.KeyVault

Create a key vault

Use the az keyvault create command to create a key vault. It takes a resource group name, a key vault name, and the location.

To create a new vault named ContosoKeyVault, in the resource group ContosoResourceGroup, in the China North location, type:

az keyvault create --name "ContosoKeyVault" --resource-group "ContosoResourceGroup" --location "China North"

The output of this command shows the properties of the key vault you've created. The two most important properties are:

  • name: In the example, the name is ContosoKeyVault. You'll use this name for other Key Vault commands.
  • vaultUri: In the example, the URI is https://contosokeyvault.vault.azure.cn. Applications that use your vault through its REST API must use this URI.

Your Azure account is now authorized to perform any operation on this key vault. As yet, nobody else is.

Adding a key, secret, or certificate to the key vault

To have Azure Key Vault create a software-protected key for you, use the az keyvault key create command:

az keyvault key create --vault-name "ContosoKeyVault" --name "ContosoFirstKey" --protection software

If you have an existing key in a .pem file, you can upload it to Azure Key Vault and protect it with software. This example imports the key from the .pem file, using the password "hVFkk965BuUv" to decrypt the file:

az keyvault key import --vault-name "ContosoKeyVault" --name "ContosoFirstKey" --pem-file "./softkey.pem" --pem-password "hVFkk965BuUv" --protection software

You can now reference the key that you created or uploaded by its URI. Use https://ContosoKeyVault.vault.azure.cn/keys/ContosoFirstKey to always get the current version, and https://[keyvault-name].vault.azure.cn/keys/[keyname]/[key-unique-id] to get a specific version, for example https://ContosoKeyVault.vault.azure.cn/keys/ContosoFirstKey/cgacf4f763ar42ffb0a1gca546aygd87. Pin the version in production configuration when a key rotation must not silently change the key the application uses.

Add a secret to the vault: a password named SQLPassword with the value "hVFkk965BuUv". Passing the value on the command line leaves it in your shell history; for real secrets, prefer --file or a value read from an environment variable.

az keyvault secret set --vault-name "ContosoKeyVault" --name "SQLPassword" --value "hVFkk965BuUv"

Reference this secret by its URI. Use https://ContosoKeyVault.vault.azure.cn/secrets/SQLPassword to always get the current version, and https://[keyvault-name].vault.azure.cn/secrets/[secret-name]/[secret-unique-id] to get a specific version, for example https://ContosoKeyVault.vault.azure.cn/secrets/SQLPassword/90018dbb96a84117a0d2847ef8e7189d.
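The key and secret URI layouts described above, as an added example that is not part of the original article: a small POSIX sh parser that splits a Key Vault object URI into vault, object type, name and version, rejects malformed references (wrong cloud DNS suffix, an unknown object type such as /secret/ without the trailing s, or a missing name), and flags references that float to the current version. The KV_DNS_SUFFIX variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: parse and audit Key Vault
# object URIs of the form
#   https://<vault>.vault.azure.cn/<keys|secrets|certificates>/<name>[/<version>]
# Variables are left global for POSIX sh portability (no "local").

# DNS suffix of the cloud you expect; Azure China uses vault.azure.cn,
# global Azure uses vault.azure.net. An assumption of this example.
KV_DNS_SUFFIX=${KV_DNS_SUFFIX:-vault.azure.cn}

# kv_parse_uri URI
# Prints "<vault> <type> <name> <version>" (version is "latest" for an
# unversioned URI). Returns 1 for anything that is not a well-formed object
# URI: wrong scheme or DNS suffix, unknown object type (e.g. the common
# "/secret/" typo), or a missing object name.
kv_parse_uri() {
    uri=$1
    case "$uri" in
        https://*) ;;
        *) return 1 ;;
    esac
    rest=${uri#https://}
    host=${rest%%/*}
    case "$host" in
        *."$KV_DNS_SUFFIX") ;;
        *) return 1 ;;
    esac
    vault=${host%%.*}
    case "$rest" in
        */*) path=${rest#*/} ;;
        *) return 1 ;;
    esac
    type=${path%%/*}
    case "$type" in
        keys|secrets|certificates) ;;
        *) return 1 ;;
    esac
    case "$path" in
        */*) path=${path#*/} ;;      # strip "<type>/"
        *) return 1 ;;               # no object name
    esac
    case "$path" in
        */*) name=${path%%/*}; version=${path#*/}; version=${version%%/*} ;;
        *) name=$path; version="" ;;
    esac
    [ -n "$name" ] || return 1
    printf '%s %s %s %s\n' "$vault" "$type" "$name" "${version:-latest}"
}

# kv_unpinned
# Reads one URI per line on stdin and prints the references that would
# float to the current version, plus any malformed ones. Returns 1 if
# anything was flagged, so it can gate a deployment.
kv_unpinned() {
    flagged=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if parsed=$(kv_parse_uri "$line"); then
            case "$parsed" in
                *" latest") printf 'unpinned: %s\n' "$line"; flagged=$((flagged + 1)) ;;
            esac
        else
            printf 'invalid: %s\n' "$line"
            flagged=$((flagged + 1))
        fi
    done
    [ "$flagged" -eq 0 ]
}
```

Source the file and pipe a list of references through kv_unpinned, for example `grep -o 'https://[^"]*' app.config | kv_unpinned`; a non-zero exit means at least one reference is unpinned or malformed.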

Import a certificate into the vault from a .pem or .pfx file:

az keyvault certificate import --vault-name "ContosoKeyVault" --file "c:\cert\cert.pfx" --name "ContosoCert" --password "hVFkk965BuUv"

Let's view the key, secret, or certificate that you created:

  • To view your keys, type:
az keyvault key list --vault-name "ContosoKeyVault"
  • To view your secrets, type:
az keyvault secret list --vault-name "ContosoKeyVault"
  • To view your certificates, type:
az keyvault certificate list --vault-name "ContosoKeyVault"

Registering an application with Azure Active Directory

This step would usually be done by a developer, on a separate computer. It isn't specific to Azure Key Vault but is included here for awareness. To complete the app registration, your account, the vault, and the application need to be in the same Azure directory.

Applications that use a key vault must authenticate by using a token from Azure Active Directory. The owner of the application must register it in Azure Active Directory first. At the end of registration, the application owner gets the following values:

  • An Application ID (also known as the AAD Client ID or appID)
  • An authentication key (also known as the shared secret)

The application must present both values to Azure Active Directory to get a token. How an application is configured to get a token depends on the application. For the Key Vault sample application, the application owner sets these values in the app.config file.

For detailed steps on registering an application with Azure Active Directory, see the articles Integrating applications with Azure Active Directory, Use portal to create an Azure Active Directory application and service principal that can access resources, and Create an Azure service principal with Azure CLI 2.0.

To register an application in Azure Active Directory:

az ad sp create-for-rbac -n "MyApp" --password "hVFkk965BuUv" --skip-assignment
# If you don't specify a password, one is generated for you and shown once in the output.
# Newer versions of the Azure CLI no longer accept --password; omit it and use the generated value.

Authorizing an application to use a key or secret

To authorize the application to access keys or secrets in the vault, use the az keyvault set-policy command. Grant only the permissions the application needs.

For example, if your vault name is ContosoKeyVault, the application has an appID of 8f8c4bbd-485b-45fd-98f7-ec6300b7b4ed, and you want to authorize the application to decrypt and sign with keys in your vault, use the following command:

az keyvault set-policy --name "ContosoKeyVault" --spn 8f8c4bbd-485b-45fd-98f7-ec6300b7b4ed --key-permissions decrypt sign

To authorize the same application to read secrets in your vault, type the following command:

az keyvault set-policy --name "ContosoKeyVault" --spn 8f8c4bbd-485b-45fd-98f7-ec6300b7b4ed --secret-permissions get
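The steps above (create a resource group and vault, add a key and a secret, register the application, grant it an access policy) collected into one script. This is an added example, not the article's or Microsoft's code: the resource names are the article's sample names, the secret value is read from the SQL_PASSWORD environment variable instead of a literal, and the AZ variable with its AZ=echo dry-run mode is this script's own convention, not an Azure CLI feature.

```shell
#!/bin/sh
# Added example, not from the original article: the article's steps (create a
# resource group and vault, add a key and a secret, register the application,
# grant it a least-privilege access policy) as one script. Resource names are
# the article's sample names; everything can be overridden from the
# environment. AZ is the Azure CLI binary: run with AZ=echo for a dry run
# that prints the commands instead of executing them (this script's own
# convention, not an Azure CLI feature).
set -eu

AZ=${AZ:-az}
RG=${RG:-ContosoResourceGroup}
LOCATION=${LOCATION:-"China North"}
VAULT=${VAULT:-ContosoKeyVault}
KEY_NAME=${KEY_NAME:-ContosoFirstKey}
SECRET_NAME=${SECRET_NAME:-SQLPassword}
APP_NAME=${APP_NAME:-MyApp}

# Creates the resource group and vault, then a software-protected key and a
# secret. The secret value is taken from $SQL_PASSWORD rather than typed as a
# literal, so it is not left in shell history.
setup_vault() {
    : "${SQL_PASSWORD:?set SQL_PASSWORD in the environment first}"
    $AZ group create -n "$RG" -l "$LOCATION"
    $AZ provider register -n Microsoft.KeyVault
    $AZ keyvault create --name "$VAULT" --resource-group "$RG" --location "$LOCATION"
    $AZ keyvault key create --vault-name "$VAULT" --name "$KEY_NAME" --protection software
    $AZ keyvault secret set --vault-name "$VAULT" --name "$SECRET_NAME" --value "$SQL_PASSWORD"
}

# Registers the application as a service principal and grants it only what the
# article's example needs: decrypt/sign with keys and get on secrets. The
# client secret generated by the CLI is kept in $APP_SECRET and never echoed;
# hand it to the application out of band. (On older CLI versions add
# --skip-assignment to avoid a default role assignment.)
grant_app() {
    sp_out=$($AZ ad sp create-for-rbac -n "$APP_NAME" --query "[appId,password]" -o tsv)
    read -r APP_ID APP_SECRET <<EOF
$sp_out
EOF
    $AZ keyvault set-policy --name "$VAULT" --spn "$APP_ID" --key-permissions decrypt sign
    $AZ keyvault set-policy --name "$VAULT" --spn "$APP_ID" --secret-permissions get
    printf 'registered %s with appId %s\n' "$APP_NAME" "$APP_ID"
}

main() {
    setup_vault
    grant_app
    $AZ keyvault show --name "$VAULT" --query properties.vaultUri -o tsv
}

# Only run when invoked as "sh kv-setup.sh run"; otherwise just define the
# functions so they can be sourced.
if [ "${1:-}" = run ]; then
    main
fi
```

Run it for real with `SQL_PASSWORD='...' sh kv-setup.sh run` after `az login`, or preview the exact commands with `AZ=echo SQL_PASSWORD=x sh kv-setup.sh run`. The `--query "[appId,password]" -o tsv` form keeps the generated client secret out of the terminal output; only the appId is printed.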

Setting key vault advanced access policies

Use az keyvault update to enable advanced policies for the key vault.

Enable Key Vault for deployment: allows virtual machines to retrieve certificates stored as secrets from the vault.

az keyvault update --name "ContosoKeyVault" --resource-group "ContosoResourceGroup" --enabled-for-deployment "true"

Enable Key Vault for disk encryption: required when using the vault for Azure Disk Encryption.

az keyvault update --name "ContosoKeyVault" --resource-group "ContosoResourceGroup" --enabled-for-disk-encryption "true"

Enable Key Vault for template deployment: allows Resource Manager to retrieve secrets from the vault.

az keyvault update --name "ContosoKeyVault" --resource-group "ContosoResourceGroup" --enabled-for-template-deployment "true"

Deleting the key vault and associated keys and secrets

If you no longer need the key vault and its keys or secrets, you can delete the key vault by using the az keyvault delete command. Soft-delete is enabled on key vaults, so the deleted vault is retained for the retention period and its name stays reserved until it is purged (az keyvault purge --name "ContosoKeyVault") or recovered (az keyvault recover):

az keyvault delete --name "ContosoKeyVault"

Or, you can delete an entire Azure resource group, which removes the key vault and any other resources in that group:

az group delete --name "ContosoResourceGroup"

Miscellaneous Azure CLI commands

Other commands that you might find useful for managing Azure Key Vault.

This command lists all keys with selected properties (add -o table for a tabular display):

az keyvault key list --vault-name "ContosoKeyVault"

This command displays the full list of properties for the specified key:

az keyvault key show --vault-name "ContosoKeyVault" --name "ContosoFirstKey"

This command lists all secret names with selected properties (add -o table for a tabular display):

az keyvault secret list --vault-name "ContosoKeyVault"

Here's an example of how to remove a specific key:

az keyvault key delete --vault-name "ContosoKeyVault" --name "ContosoFirstKey"

Here's an example of how to remove a specific secret:

az keyvault secret delete --vault-name "ContosoKeyVault" --name "SQLPassword"

Next steps