Quickstart: Create an Azure key vault and a key by using ARM template (Preview)

Azure Key Vault is a cloud service that provides a secure store for secrets, such as keys, passwords, certificates, and other secrets. This quickstart focuses on the process of deploying an Azure Resource Manager template (ARM template) to create a key vault and a key.

Prerequisites

To complete this article:

  • If you don't have an Azure subscription, create a free account before you begin.

  • Your Azure AD user object ID is needed by the template to configure permissions. The following procedure gets the object ID (GUID).

    1. Run the following Azure PowerShell or Azure CLI. To paste the script, right-click the shell, and then select Paste.

      echo "Enter your email address that is used to sign in to Azure:" &&
      read upn &&
      az ad user show --id "$upn" --query "objectId" &&
      echo "Press [ENTER] to continue ..."
      
    2. Write down the object ID. You need it in the next section of this quickstart.

Review the template

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vaultName": {
      "type": "string",
      "metadata": {
        "description": "The name of the key vault to be created."
      }
    },
    "skuName": {
      "type": "string",
      "defaultValue": "Standard",
      "allowedValues": [
        "Standard",
        "Premium"
      ],
      "metadata": {
        "description": "The SKU of the vault to be created."
      }
    },
    "keyName": {
      "type": "string",
      "metadata": {
        "description": "The name of the key to be created."
      }
    },
    "keyType": {
      "type": "string",
      "metadata": {
        "description": "The JsonWebKeyType of the key to be created."
      }
    },
    "keyOps": {
      "type": "array",
      "defaultValue": [],
      "metadata": {
        "description": "The permitted JSON web key operations of the key to be created."
      }
    },
    "keySize": {
      "type": "int",
      "defaultValue": -1,
      "metadata": {
        "description": "The size in bits of the key to be created."
      }
    },
    "curveName": {
      "type": "string",
      "defaultValue": "",
      "metadata": {
        "description": "The JsonWebKeyCurveName of the key to be created."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2019-09-01",
      "name": "[parameters('vaultName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "enableRbacAuthorization": false,
        "enableSoftDelete": false,
        "enabledForDeployment": false,
        "enabledForDiskEncryption": false,
        "enabledForTemplateDeployment": false,
        "tenantId": "[subscription().tenantId]",
        "accessPolicies": [],
        "sku": {
          "name": "[parameters('skuName')]",
          "family": "A"
        },
        "networkAcls": {
          "defaultAction": "Allow",
          "bypass": "AzureServices"
        }
      }
    },
    {
      "type": "Microsoft.KeyVault/vaults/keys",
      "apiVersion": "2019-09-01",
      "name": "[concat(parameters('vaultName'), '/', parameters('keyName'))]",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[resourceId('Microsoft.KeyVault/vaults', parameters('vaultName'))]"
      ],
      "properties": {
        "kty": "[parameters('keyType')]",
        "keyOps": "[parameters('keyOps')]",
        "keySize": "[if(equals(parameters('keySize'), -1), json('null'), parameters('keySize'))]",
        "curveName": "[parameters('curveName')]"
      }
    }
  ],
  "outputs": {
    "proxyKey": {
      "type": "object",
      "value": "[reference(resourceId('Microsoft.KeyVault/vaults/keys', parameters('vaultName'), parameters('keyName')))]"
    }
  }
}

Two resources are defined in the template:

  • Microsoft.KeyVault/vaults: the key vault itself.
  • Microsoft.KeyVault/vaults/keys: the key created inside that vault (it depends on the vault resource).

More Azure Key Vault template samples can be found in Azure Quickstart Templates.
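The vault resource above deploys with enableSoftDelete set to false, no purge protection, networkAcls.defaultAction set to Allow, and an empty accessPolicies list; those are the lines a reviewer checks before approving a template. The following script is an added example, not part of the quickstart or the Azure SDK: it parses template JSON, reports each of those settings as a finding, and produces a hardened copy. The embedded template is a constructed, trimmed copy of the vault resource from the quickstart (only the fields the checks read); enablePurgeProtection and the access-policy entry that harden() writes are choices of this example, not values the quickstart's template contains, and the object ID passed to harden() is a placeholder.

```python
import json

# Constructed sample: a trimmed copy of the quickstart's vault resource,
# keeping only the properties the checks below read.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.KeyVault/vaults",
            "apiVersion": "2019-09-01",
            "name": "[parameters('vaultName')]",
            "properties": {
                "enableRbacAuthorization": False,
                "enableSoftDelete": False,
                "enabledForDeployment": False,
                "enabledForDiskEncryption": False,
                "enabledForTemplateDeployment": False,
                "accessPolicies": [],
                "networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices"},
            },
        },
        {
            "type": "Microsoft.KeyVault/vaults/keys",
            "apiVersion": "2019-09-01",
            "name": "[concat(parameters('vaultName'), '/', parameters('keyName'))]",
            "properties": {"kty": "[parameters('keyType')]"},
        },
    ],
})


def vault_resources(template):
    """Yield every Microsoft.KeyVault/vaults resource (resource types are case-insensitive)."""
    for res in template.get("resources", []):
        if res.get("type", "").lower() == "microsoft.keyvault/vaults":
            yield res


def audit_vault(resource):
    """Return (code, message) findings for one vault resource."""
    props = resource.get("properties", {})
    findings = []
    if props.get("enableSoftDelete") is not True:
        findings.append(("soft-delete-off",
                         "enableSoftDelete is not true: a deleted vault or key cannot be recovered"))
    if props.get("enablePurgeProtection") is not True:
        findings.append(("purge-protection-off",
                         "enablePurgeProtection is not true: a soft-deleted vault can be purged early"))
    # A missing networkAcls block behaves like defaultAction Allow.
    if props.get("networkAcls", {}).get("defaultAction", "Allow") != "Deny":
        findings.append(("network-open",
                         "networkAcls.defaultAction is not Deny: the endpoint accepts requests from any network"))
    if not props.get("enableRbacAuthorization") and not props.get("accessPolicies"):
        findings.append(("no-data-plane-access",
                         "accessPolicies is empty and RBAC is off: data-plane permissions must be granted after deployment"))
    return findings


def audit_template(template_text):
    """Parse template JSON and map each vault name to its finding codes."""
    template = json.loads(template_text)
    return {res["name"]: [code for code, _ in audit_vault(res)] for res in vault_resources(template)}


def harden(template_text, object_id=None):
    """Return a copy of the template with this example's recommended settings applied.

    object_id is the caller's Azure AD object ID (the value the Prerequisites step records);
    when given, a least-privilege access policy (key get/list only) is added for it.
    """
    template = json.loads(template_text)
    for res in vault_resources(template):
        props = res.setdefault("properties", {})
        props["enableSoftDelete"] = True
        props["enablePurgeProtection"] = True
        acls = props.setdefault("networkAcls", {})
        acls["defaultAction"] = "Deny"
        acls.setdefault("bypass", "AzureServices")
        if object_id:
            props.setdefault("accessPolicies", []).append({
                "tenantId": "[subscription().tenantId]",
                "objectId": object_id,
                "permissions": {"keys": ["get", "list"]},
            })
    return json.dumps(template, indent=2)


if __name__ == "__main__":
    for name, codes in audit_template(SAMPLE_TEMPLATE).items():
        print(name, codes)
    # Placeholder GUID; substitute the object ID recorded in the Prerequisites step.
    print(audit_template(harden(SAMPLE_TEMPLATE, "00000000-0000-0000-0000-000000000000")))
```

Run it against a template file by replacing SAMPLE_TEMPLATE with the file's contents; an empty finding list for every vault is the result to aim for before deployment. The network check is deliberately strict: with defaultAction Deny, the key list script in the next section only works from an address or virtual network added to the vault's rules (or through a private endpoint), which is the intended outcome for a production vault.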

Review deployed resources

You can either use the Azure portal to check the key vault and the key, or use the following Azure CLI or Azure PowerShell script to list the key created.

echo "Enter your key vault name:" &&
read keyVaultName &&
az keyvault key list --vault-name "$keyVaultName" &&
echo "Press [ENTER] to continue ..."