Quickstart: Set and retrieve a secret from Azure Key Vault using an ARM template

Azure Key Vault is a cloud service that provides a secure store for secrets, such as keys, passwords, and certificates. This quickstart focuses on the process of deploying an Azure Resource Manager template (ARM template) to create a key vault and a secret.

An ARM template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax, which lets you state what you intend to deploy without having to write the sequence of programming commands to create it.

If your environment meets the prerequisites and you're familiar with using ARM templates, select the Deploy to Azure button. The template will open in the Azure portal.

Deploy to Azure

Prerequisites

To complete this article:

  • If you don't have an Azure subscription, create a trial account before you begin.

  • Your Azure AD user object ID is needed by the template to configure permissions. The following procedure gets the object ID (GUID).

    1. Run the following Azure PowerShell or Azure CLI command.

      echo "Enter your email address that is used to sign in to Azure:" &&
      read upn &&
      az ad user show --id $upn --query "objectId" &&
      echo "Press [ENTER] to continue ..."
      
    2. Write down the object ID. You need it in the next section of this quickstart.

Review the template

The template used in this quickstart is from Azure Quickstart Templates.

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVaultName": {
      "type": "string",
      "metadata": {
        "description": "Specifies the name of the key vault."
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Specifies the Azure location where the key vault should be created."
      }
    },
    "enabledForDeployment": {
      "type": "bool",
      "defaultValue": false,
      "allowedValues": [
        true,
        false
      ],
      "metadata": {
        "description": "Specifies whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault."
      }
    },
    "enabledForDiskEncryption": {
      "type": "bool",
      "defaultValue": false,
      "allowedValues": [
        true,
        false
      ],
      "metadata": {
        "description": "Specifies whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys."
      }
    },
    "enabledForTemplateDeployment": {
      "type": "bool",
      "defaultValue": false,
      "allowedValues": [
        true,
        false
      ],
      "metadata": {
        "description": "Specifies whether Azure Resource Manager is permitted to retrieve secrets from the key vault."
      }
    },
    "tenantId": {
      "type": "string",
      "defaultValue": "[subscription().tenantId]",
      "metadata": {
        "description": "Specifies the Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Get it by using Get-AzSubscription cmdlet."
      }
    },
    "objectId": {
      "type": "string",
      "metadata": {
        "description": "Specifies the object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Get it by using Get-AzADUser or Get-AzADServicePrincipal cmdlets."
      }
    },
    "keysPermissions": {
      "type": "array",
      "defaultValue": [
        "list"
      ],
      "metadata": {
        "description": "Specifies the permissions to keys in the vault. Valid values are: all, encrypt, decrypt, wrapKey, unwrapKey, sign, verify, get, list, create, update, import, delete, backup, restore, recover, and purge."
      }
    },
    "secretsPermissions": {
      "type": "array",
      "defaultValue": [
        "list"
      ],
      "metadata": {
        "description": "Specifies the permissions to secrets in the vault. Valid values are: all, get, list, set, delete, backup, restore, recover, and purge."
      }
    },
    "skuName": {
      "type": "string",
      "defaultValue": "Standard",
      "allowedValues": [
        "Standard",
        "Premium"
      ],
      "metadata": {
        "description": "Specifies whether the key vault is a standard vault or a premium vault."
      }
    },
    "secretName": {
      "type": "string",
      "metadata": {
        "description": "Specifies the name of the secret that you want to create."
      }
    },
    "secretValue": {
      "type": "securestring",
      "metadata": {
        "description": "Specifies the value of the secret that you want to create."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "name": "[parameters('keyVaultName')]",
      "apiVersion": "2018-02-14",
      "location": "[parameters('location')]",
      "properties": {
        "enabledForDeployment": "[parameters('enabledForDeployment')]",
        "enabledForDiskEncryption": "[parameters('enabledForDiskEncryption')]",
        "enabledForTemplateDeployment": "[parameters('enabledForTemplateDeployment')]",
        "tenantId": "[parameters('tenantId')]",
        "accessPolicies": [
          {
            "objectId": "[parameters('objectId')]",
            "tenantId": "[parameters('tenantId')]",
            "permissions": {
              "keys": "[parameters('keysPermissions')]",
              "secrets": "[parameters('secretsPermissions')]"      
            }
          }
        ],
        "sku": {
          "name": "[parameters('skuName')]",
          "family": "A"
        },
        "networkAcls": {
          "defaultAction": "Allow",
          "bypass": "AzureServices"
        }
      }
    },
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "name": "[concat(parameters('keyVaultName'), '/', parameters('secretName'))]",
      "apiVersion": "2018-02-14",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
      ],
      "properties": {
        "value": "[parameters('secretValue')]"
      }
    }
  ]
}

Two Azure resources are defined in the template:

  • Microsoft.KeyVault/vaults: create an Azure key vault.
  • Microsoft.KeyVault/vaults/secrets: create a key vault secret.

More Azure Key Vault template samples can be found in Azure Quickstart Templates.
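As an added pre-deployment check (example code written for this page, not part of the quickstart or of the Azure Quickstart Templates project), the script below reads a template and reports the settings a reviewer would question in it: an access policy granting all, delete or purge rights, a networkAcls default action of Allow, a networkAcls block wrapped in an extra value key, and missing soft-delete or purge protection. The inline sample is a constructed extract of the vault resource above with the parameter expressions replaced by their defaults; pass a saved azuredeploy.json path to review the real file.

```python
import json, sys

# Constructed extract of the vault resource from the quickstart template above, with the
# ARM parameter expressions replaced by their default values so the script runs offline.
SAMPLE_TEMPLATE = {"resources": [{
    "type": "Microsoft.KeyVault/vaults",
    "properties": {
        "accessPolicies": [{"objectId": "00000000-0000-0000-0000-000000000000",  # placeholder
                            "permissions": {"keys": ["list"], "secrets": ["list"]}}],
        "networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices"},
    },
}]}

# Permissions that let a principal destroy, or take full control of, keys and secrets.
BROAD_PERMISSIONS = {"all", "purge", "delete"}

def review_vault(template):
    """Return a list of findings for every Microsoft.KeyVault/vaults resource."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.keyvault/vaults":
            continue
        props = res.get("properties", {})
        acls = props.get("networkAcls", {})
        if "value" in acls:  # the networkAcls schema has no 'value' key; a common template slip
            findings.append("networkAcls wrapped in 'value': rules will not apply as written")
            acls = acls["value"]
        if acls.get("defaultAction", "Allow") == "Allow":
            findings.append("networkAcls.defaultAction is Allow: vault reachable from any network")
        for flag in ("enableSoftDelete", "enablePurgeProtection"):
            if not props.get(flag):
                findings.append(f"{flag} not set: deleted vault or secrets can be lost or purged")
        for policy in props.get("accessPolicies", []):
            perms = policy.get("permissions", {})
            for kind in ("keys", "secrets", "certificates"):
                granted = perms.get(kind, [])
                if isinstance(granted, str):  # unresolved "[parameters(...)]" expression
                    findings.append(f"{kind} permissions are an ARM expression; resolve parameters first")
                    continue
                broad = BROAD_PERMISSIONS & {p.lower() for p in granted}
                if broad:
                    findings.append(f"{kind} permissions include {sorted(broad)} for {policy.get('objectId')}")
    return findings

if __name__ == "__main__":
    # Pass a saved template path to review it instead of the constructed sample.
    template = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for finding in review_vault(template):
        print("WARNING:", finding)
```

On the unmodified quickstart template the permissions are still ARM expressions, so resolve the parameters (or review the deployed vault's properties) to get a meaningful permissions check.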

Deploy the template

  1. Select the following image to sign in to Azure and open a template. The template creates a key vault and a secret.

    Deploy to Azure

  2. Select or enter the following values.

    (Screenshot: ARM template, Key Vault integration, deployment portal)

    Unless otherwise specified, use the default values to create the key vault and the secret.

    • Subscription: select an Azure subscription.
    • Resource group: select Create new, enter a unique name for the resource group, and then click OK.
    • Location: select a location. For example, China East 2.
    • Key Vault Name: enter a name for the key vault, which must be globally unique within the .vault.azure.cn namespace. You need the name in the next section when you validate the deployment.
    • Tenant Id: the template function automatically retrieves your tenant ID. Don't change the default value.
    • Ad User Id: enter the Azure AD user object ID that you retrieved in Prerequisites.
    • Secret Name: enter a name for the secret that you store in the key vault. For example, adminpassword.
    • Secret Value: enter the secret value. If you store a password, it's recommended to use the generated password you created in Prerequisites.
    • I agree to the terms and conditions stated above: select.
  3. Select Purchase. After the key vault has been deployed successfully, you get a notification:

    (Screenshot: ARM template, Key Vault integration, deployment portal notification)

The Azure portal is used to deploy the template. In addition to the Azure portal, you can also use Azure PowerShell, Azure CLI, and the REST API. To learn about other deployment methods, see Deploy templates.
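As an added example of the Azure CLI route (written for this page, not part of the quickstart), the script below builds an ARM parameters file for the template above and runs az deployment group create with it, so the secret value is never typed on the command line. The resource group, file names, vault name and object ID placeholder are hypothetical.

```python
import json
import os
import subprocess

# Hypothetical names for this example; replace them with your own.
RESOURCE_GROUP = "kv-quickstart-rg"
TEMPLATE_FILE = "azuredeploy.json"
PARAMS_FILE = "azuredeploy.parameters.json"

def build_parameters(key_vault_name, object_id, secret_name, secret_value):
    """Build the ARM parameters file body for the quickstart template.

    Only parameters without a template default (plus the secret permissions) are set;
    location and tenantId keep the defaults from the template.
    """
    return {
        "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {
            "keyVaultName": {"value": key_vault_name},
            "objectId": {"value": object_id},
            # The template default is ["list"], which cannot read the secret back; "get" can.
            "secretsPermissions": {"value": ["get", "list"]},
            "secretName": {"value": secret_name},
            "secretValue": {"value": secret_value},
        },
    }

def deploy_command(resource_group, template_file, params_file):
    """Azure CLI command that deploys the template with a parameters file."""
    return ["az", "deployment", "group", "create",
            "--resource-group", resource_group,
            "--template-file", template_file,
            "--parameters", "@" + params_file]

if __name__ == "__main__":
    # The secret comes from an environment variable, not a command-line argument, so it
    # is not written to shell history or visible in the process list.
    params = build_parameters("kv-quickstart-example", "<your-object-id>", "adminpassword",
                              os.environ["KV_SECRET_VALUE"])
    # The parameters file still holds the plain secret: create it owner-only and delete it after.
    fd = os.open(PARAMS_FILE, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(params, f)
    try:
        subprocess.run(deploy_command(RESOURCE_GROUP, TEMPLATE_FILE, PARAMS_FILE), check=True)
    finally:
        os.remove(PARAMS_FILE)
```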

Review deployed resources

You can either use the Azure portal to check the key vault and the secret, or use the following Azure CLI or Azure PowerShell script to list the secret you created.

echo "Enter your key vault name:" &&
read keyVaultName &&
az keyvault secret list --vault-name $keyVaultName &&
echo "Press [ENTER] to continue ..."

The output looks similar to:

Clean up resources

Other Key Vault quickstarts and tutorials build upon this quickstart. If you plan to continue on to work with subsequent quickstarts and tutorials, you may wish to leave these resources in place. When no longer needed, delete the resource group, which deletes the key vault and related resources. To delete the resource group by using Azure CLI or Azure PowerShell:

echo "Enter the Resource Group name:" &&
read resourceGroupName &&
az group delete --name $resourceGroupName &&
echo "Press [ENTER] to continue ..."

Next steps

In this quickstart, you created a key vault and a secret using an ARM template, and validated the deployment. To learn more about Key Vault and Azure Resource Manager, continue on to the articles below.