Manage storage account keys with Key Vault and the Azure CLI

An Azure storage account uses credentials comprising an account name and a key. The key is auto-generated and serves as a password, rather than as a cryptographic key. Key Vault manages storage account keys by periodically regenerating them in the storage account and provides shared access signature tokens for delegated access to resources in your storage account.

You can use the Key Vault managed storage account key feature to list (sync) keys with an Azure storage account, and regenerate (rotate) the keys periodically. You can manage keys for both storage accounts and Classic storage accounts.

When you use the managed storage account key feature, consider the following points:

  • Key values are never returned in response to a caller.
  • Only Key Vault should manage your storage account keys. Don't manage the keys yourself, and avoid interfering with Key Vault processes.
  • Only a single Key Vault object should manage storage account keys. Don't allow key management from multiple objects.
  • You can request Key Vault to manage your storage account with a user principal, but not with a service principal.
  • Regenerate keys by using Key Vault only. Don't manually regenerate your storage account keys.

We recommend using Azure Storage integration with Azure Active Directory (Azure AD), Microsoft's cloud-based identity and access management service. Azure AD integration is available for Azure blobs and queues, and provides OAuth2 token-based access to Azure Storage (just like Azure Key Vault).

Azure AD allows you to authenticate your client application by using an application or user identity, instead of storage account credentials. You can use an Azure AD managed identity when you run on Azure. Managed identities remove the need for client authentication and for storing credentials in or with your application.

Azure AD uses role-based access control (RBAC) to manage authorization, which is also supported by Key Vault.

Service principal application ID

An Azure AD tenant provides each registered application with a service principal. The service principal serves as the Application ID, which is used during authorization setup for access to other Azure resources via RBAC.

Key Vault is a Microsoft application that's pre-registered in all Azure AD tenants. Key Vault is registered under the same Application ID in each Azure cloud.

Tenants | Cloud | Application ID
Other   | Any   | cfa8b339-82a2-471a-a3c9-0fc0be7a4093

Prerequisites

To complete this guide, you must first do the following:

Manage storage account keys

Connect to your Azure account

Authenticate your Azure CLI session using the az login command.

az cloud set -n AzureChinaCloud
az login

Give Key Vault access to your storage account

Use the Azure CLI az role assignment create command to give Key Vault access to your storage account. Provide the command the following parameter values:

  • --role: Pass the "Storage Account Key Operator Service Role" Azure role. This role limits the access scope to your storage account. For a classic storage account, pass "Classic Storage Account Key Operator Service Role" instead.
  • --assignee-object-id: Pass the value "2330fcd0-aceb-49c4-a58f-27980b31efc5", which is the Object ID for Key Vault in the Azure China cloud.
  • --scope: Pass your storage account resource ID, which is in the form /subscriptions/<subscriptionID>/resourceGroups/<StorageAccountResourceGroupName>/providers/Microsoft.Storage/storageAccounts/<YourStorageAccountName>. To find your subscription ID, use the Azure CLI az account list command; to find your storage account name and storage account resource group, use the Azure CLI az storage account list command.

az role assignment create --role "Storage Account Key Operator Service Role" --assignee-object-id 2330fcd0-aceb-49c4-a58f-27980b31efc5 --scope "/subscriptions/<subscriptionID>/resourceGroups/<StorageAccountResourceGroupName>/providers/Microsoft.Storage/storageAccounts/<YourStorageAccountName>"

Give your user account permission to managed storage accounts

Use the Azure CLI az keyvault set-policy command to update the Key Vault access policy and grant storage account permissions to your user account.

# Give your user principal access to all storage account permissions, on your Key Vault instance

az keyvault set-policy --name <YourKeyVaultName> --upn user@domain.com --storage-permissions get list delete set update regeneratekey getsas listsas deletesas setsas recover backup restore purge

Note that permissions for storage accounts aren't available on the storage account "Access policies" page in the Azure portal.

Create a Key Vault managed storage account

Create a Key Vault managed storage account using the Azure CLI az keyvault storage add command. Set a regeneration period of 90 days. After 90 days, Key Vault regenerates key1 and swaps the active key from key2 to key1. key1 is then marked as the active key. Provide the command the following parameter values:

  • --vault-name: Pass the name of your key vault. To find the name of your key vault, use the Azure CLI az keyvault list command.
  • -n: Pass the name of your storage account. To find the name of your storage account, use the Azure CLI az storage account list command.
  • --resource-id: Pass your storage account resource ID, which is in the form /subscriptions/<subscriptionID>/resourceGroups/<StorageAccountResourceGroupName>/providers/Microsoft.Storage/storageAccounts/<YourStorageAccountName>. To find your subscription ID, use the Azure CLI az account list command; to find your storage account name and storage account resource group, use the Azure CLI az storage account list command.

az keyvault storage add --vault-name <YourKeyVaultName> -n <YourStorageAccountName> --active-key-name key1 --auto-regenerate-key --regeneration-period P90D --resource-id "/subscriptions/<subscriptionID>/resourceGroups/<StorageAccountResourceGroupName>/providers/Microsoft.Storage/storageAccounts/<YourStorageAccountName>"

Shared access signature tokens

You can also ask Key Vault to generate shared access signature tokens. A shared access signature provides delegated access to resources in your storage account. You can grant clients access to resources in your storage account without sharing your account keys. A shared access signature gives you a secure way to share your storage resources without compromising your account keys.

The commands in this section complete the following actions:

  • Set an account shared access signature definition <YourSASDefinitionName>. The definition is set on a Key Vault managed storage account <YourStorageAccountName> in your key vault <YourKeyVaultName>.
  • Create an account shared access signature token for the Blob, File, Table, and Queue services. The token is created for the resource types Service, Container, and Object. The token is created with all permissions, over HTTPS, and with the specified start and end dates.
  • Set a Key Vault managed storage shared access signature definition in the vault. The definition has the template URI of the shared access signature token that was created. The definition has the shared access signature type account and is valid for N days.
  • Verify that the shared access signature was saved in your key vault as a secret.

Create a shared access signature token

Create a shared access signature token using the Azure CLI az storage account generate-sas command. This operation requires the storage and setsas permissions.

az storage account generate-sas --expiry 2020-01-01 --permissions rw --resource-types sco --services bfqt --https-only --account-name <YourStorageAccountName> --account-key 00000000

After the operation runs successfully, copy the output.

"se=2020-01-01&sp=***"

This output will be passed to the --template-uri parameter in the next step.

Generate a shared access signature definition

Use the Azure CLI az keyvault storage sas-definition create command, passing the output from the previous step to the --template-uri parameter, to create a shared access signature definition. You can provide the name of your choice to the -n parameter.

az keyvault storage sas-definition create --vault-name <YourKeyVaultName> --account-name <YourStorageAccountName> -n <YourSASDefinitionName> --validity-period P2D --sas-type account --template-uri <OutputOfSasTokenCreationStep>
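Before a token is committed as the template for a Key Vault SAS definition, it is worth checking that its query parameters match what was intended (HTTPS only, the expected service and resource-type scope, and no wider permissions than planned). The following POSIX shell script is an added example, not part of the original page or of the Azure CLI; the sample tokens are constructed and their sig values are placeholders, and the parameter names (se, sp, spr, ss, srt, sv, sig) are the standard account-SAS query parameters.

```shell
#!/bin/sh
# Added example: inspect an account SAS token (the output of
# "az storage account generate-sas") before passing it to
# "az keyvault storage sas-definition create --template-uri".

# sas_param TOKEN NAME: print the value of query parameter NAME (empty if absent).
sas_param() {
    printf '%s\n' "$1" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# sas_template_check TOKEN [ALLOWED_PERMS]
# Returns 0 when the template is acceptable, 1 otherwise (one reason per line on stderr):
#   - spr must be exactly "https" (what --https-only on the page produces)
#   - ss (services), srt (resource types) and se (expiry) must be present
#   - every letter in sp must be in ALLOWED_PERMS (default "rwl": read, write, list)
sas_template_check() {
    tok=$1
    allowed=${2:-rwl}
    ok=0
    [ "$(sas_param "$tok" spr)" = "https" ] || { echo "spr must be https" >&2; ok=1; }
    for f in ss srt se; do
        [ -n "$(sas_param "$tok" "$f")" ] || { echo "missing $f" >&2; ok=1; }
    done
    perms=$(sas_param "$tok" sp)
    [ -n "$perms" ] || { echo "missing sp" >&2; ok=1; }
    # Any permission letter outside the allowed set is a reason to reject.
    extra=$(printf '%s' "$perms" | tr -d "$allowed")
    [ -z "$extra" ] || { echo "permissions not allowed: $extra" >&2; ok=1; }
    return "$ok"
}

# Constructed sample tokens; the sig values are placeholders, not real signatures.
GOOD='se=2020-01-01&sp=rw&spr=https&sv=2019-02-02&ss=bfqt&srt=sco&sig=PLACEHOLDER'
BAD='se=2020-01-01&sp=rwdlacup&spr=https,http&sv=2019-02-02&ss=bfqt&srt=sco&sig=PLACEHOLDER'

for t in "$GOOD" "$BAD"; do
    if sas_template_check "$t"; then
        echo "accept: $t"
    else
        echo "reject: $t"
    fi
done
```

Pass a second argument to sas_template_check to widen or narrow the permission letters you are prepared to accept for a given definition.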

Verify the shared access signature definition

You can verify that the shared access signature definition has been stored in your key vault using the Azure CLI az keyvault secret list and az keyvault secret show commands.

First, find the shared access signature definition in your key vault using the az keyvault secret list command.

az keyvault secret list --vault-name <YourKeyVaultName>

The secret corresponding to your SAS definition will have these properties:

    "contentType": "application/vnd.ms-sastoken-storage",
    "id": "https://<YourKeyVaultName>.vault.azure.cn/secrets/<YourStorageAccountName>-<YourSASDefinitionName>",

You can now use the az keyvault secret show command and the id property to view the content of that secret.

az keyvault secret show --vault-name <YourKeyVaultName> --id <SasDefinitionID>

The output of this command will show your SAS definition string as value.

Next steps