Tutorial: Use customer-managed keys or BYOK with Media Services REST API

With the 2020-05-01 API, you can use a customer-managed RSA key with an Azure Media Services account that has a system-managed identity. This tutorial includes a Postman collection and environment to send REST requests to Azure services. The services used are:

  • Azure Active Directory (Azure AD) application registration for Postman
  • Microsoft Graph API
  • Azure Storage
  • Azure Key Vault
  • Azure Media Services

In this tutorial, you'll learn to use Postman to:

  • Get tokens for use with Azure services.
  • Create a resource group and a storage account.
  • Create a Media Services account with a system-managed identity.
  • Create a key vault for storing a customer-managed RSA key.
  • Update the Media Services account to use the RSA key with the storage account.
  • Use variables in Postman.

If you don't have an Azure subscription, create a trial account.

Prerequisites

  1. Register a service principal with the appropriate permissions.
  2. Install Postman.
  3. Download the Postman collection for this tutorial at Azure Samples: media-services-customer-managed-keys-byok.

Register a service principal with the needed permissions

  1. Create a service principal.

  2. Go to Option 2: Create a new application secret to get the service principal secret.

    Important

    Copy and save the secret for later use. You can't access the secret after you leave the secret page in the portal.

  3. Assign permissions to the service principal, as shown in the following screenshot:

    Screenshot that shows the permissions needed for the service principal.

    Permissions are listed by service, permission name, type, and then description. Azure Key Vault: user impersonation, delegated, full access to Azure Key Vault. Azure Service Management: user impersonation, delegated, access Azure Service Management as organization user. Azure Storage: user impersonation, delegated, access Azure Storage. Media services: user impersonation, delegated, access media services. Microsoft Graph: user.read, delegated, sign in and read user profile.

Install Postman

If you haven't already installed Postman for use with Azure, you can get it at postman.com.

Download and import the collection

Download the Postman collection for this tutorial at Azure Samples: media-services-customer-managed-keys-byok.

Install the Postman collection and environment

  1. Run Postman.
  2. Select Import.
  3. Select Upload files.
  4. Go to where you saved the collection and environment files.
  5. Select the collection and environment files.
  6. Select Open. A warning appears that says the files won't be imported as an API, but as collections. This warning is fine. It's what you want.

The collection now shows in your collections as BYOK. Also, the environment variables appear in your environments.

Understand the REST API requests in the collection

The collection provides the following REST API requests.

Note

  • The requests must be sent in the sequence provided.
  • Most requests have test scripts that dynamically create global variables for the next request in the sequence.
  • You don't need to manually create global variables.

In Postman, you'll see these variables contained within brackets. For example, {{bearerToken}}.

  1. Get an Azure AD token: The test sets the global variable bearerToken.
  2. Get a Microsoft Graph token: The test sets the global variable graphToken.
  3. Get service principal details: The test sets the global variable servicePrincipalObjectId.
  4. Create a storage account: The test sets the global variable storageAccountId.
  5. Create a Media Services account with a system-managed identity: The test sets the global variable principalId.
  6. Create a key vault to grant access to the service principal: The test sets the global variable keyVaultId.
  7. Get a Key Vault token: The test sets the global variable keyVaultToken.
  8. Create the RSA key in the key vault: The test sets the global variable keyId.
  9. Update the Media Services account to use the key with the storage account: There's no test script for this request.

Define environment variables

  1. Select the environment's drop-down list to switch to the environment you downloaded.

  2. Establish your environment variables in Postman. They're also used as variables contained within brackets. For example, {{tenantId}}.

    • tenantId: Your tenant ID.
    • servicePrincipalId: The ID of the service principal you establish with your favorite method, such as the portal or the CLI.
    • servicePrincipalSecret: The secret created for the service principal.
    • subscription: Your subscription ID.
    • storageName: The name you want to give to your storage.
    • accountName: The Media Services account name you want to use.
    • keyVaultName: The key vault name you want to use.
    • resourceLocation: The location where you want to put your resources.
    • resourceGroup: The resource group name.

    The following variables are standard for working with Azure resources. So, there's no need to change them.

    • armResource: https://management.core.chinacloudapi.cn
    • graphResource: https://graph.chinacloudapi.cn/
    • keyVaultResource: https://vault.azure.cn
    • armEndpoint: management.chinacloudapi.cn
    • graphEndpoint: graph.chinacloudapi.cn
    • aadEndpoint: login.partner.microsoftonline.cn
    • keyVaultDomainSuffix: vault.azure.cn
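The following JavaScript is an added example, not a script from the Azure Samples collection or from Media Services. It models offline what the request sequence above and the environment variables in this section do together: each test script pulls one value out of a response and stores it as a global, later requests resolve {{placeholders}} from globals first and the environment second, and before the final update request the keyId is checked to be an HTTPS URL to a versioned key in the vault this run created, under the configured keyVaultDomainSuffix. The response JSON paths (access_token, value[0].id, identity.principalId, key.kid), the ARM URL form for the account, and all IDs and tokens are assumptions or constructed sample values.

```javascript
// Added example: stand-alone model of how the BYOK collection chains
// Postman globals between requests. Not the sample collection's own script.

// Environment variables named in the tutorial; values are constructed.
const environment = {
  tenantId: "00000000-0000-0000-0000-000000000000",
  subscription: "11111111-1111-1111-1111-111111111111",
  resourceGroup: "byok-rg",
  storageName: "byokstorage",
  accountName: "byokmedia",
  keyVaultName: "byok-kv",
  armEndpoint: "management.chinacloudapi.cn",
  keyVaultDomainSuffix: "vault.azure.cn",
};

// Globals that the collection's test scripts populate; empty on a fresh run.
const globals = {};

// Resolve {{name}} placeholders: a global set by an earlier test script
// wins over an environment value; an unknown name stops the run.
function resolveTemplate(template, env, glob) {
  return template.replace(/\{\{(\w+)\}\}/g, (_, name) => {
    if (name in glob) return glob[name];
    if (name in env) return env[name];
    throw new Error(`unresolved variable {{${name}}}`);
  });
}

// Each step's test script stores one value from the JSON response.
// Response paths are assumptions about the public API shapes.
// Step 9 (update the account) has no test script, so it is not listed.
const steps = [
  { name: "Get an Azure AD token", sets: "bearerToken", path: ["access_token"] },
  { name: "Get a Microsoft Graph token", sets: "graphToken", path: ["access_token"] },
  { name: "Get service principal details", sets: "servicePrincipalObjectId", path: ["value", 0, "id"] },
  { name: "Create a storage account", sets: "storageAccountId", path: ["id"] },
  { name: "Create a Media Services account", sets: "principalId", path: ["identity", "principalId"] },
  { name: "Create a key vault", sets: "keyVaultId", path: ["id"] },
  { name: "Get a Key Vault token", sets: "keyVaultToken", path: ["access_token"] },
  { name: "Create the RSA key", sets: "keyId", path: ["key", "kid"] },
];

function getPath(obj, path) {
  return path.reduce((cur, key) => (cur == null ? undefined : cur[key]), obj);
}

// Equivalent of one Postman test script: extract the value and set the global.
// Fails loudly so a missing value stops the run instead of propagating "".
function runTestScript(step, responseJson, glob) {
  const value = getPath(responseJson, step.path);
  if (typeof value !== "string" || value.length === 0) {
    throw new Error(`${step.name}: response has no ${step.path.join(".")}`);
  }
  glob[step.sets] = value;
  return value;
}

// Check before step 9: the key identifier must be an HTTPS URL to a
// versioned key in the vault created in this run, in the expected cloud domain.
function isKeyIdentifierInVault(keyId, vaultName, domainSuffix) {
  let url;
  try { url = new URL(keyId); } catch { return false; }
  return url.protocol === "https:" &&
    url.hostname === `${vaultName}.${domainSuffix}`.toLowerCase() &&
    /^\/keys\/[^/]+\/[0-9a-f]{32}$/i.test(url.pathname);
}

// Constructed responses standing in for the live services.
const armId = (provider, name) =>
  `/subscriptions/${environment.subscription}/resourceGroups/${environment.resourceGroup}/providers/${provider}/${name}`;
const sampleResponses = {
  "Get an Azure AD token": { access_token: "constructed.aad.token" },
  "Get a Microsoft Graph token": { access_token: "constructed.graph.token" },
  "Get service principal details": { value: [{ id: "22222222-2222-2222-2222-222222222222" }] },
  "Create a storage account": { id: armId("Microsoft.Storage/storageAccounts", environment.storageName) },
  "Create a Media Services account": { identity: { type: "SystemAssigned", principalId: "33333333-3333-3333-3333-333333333333" } },
  "Create a key vault": { id: armId("Microsoft.KeyVault/vaults", environment.keyVaultName) },
  "Get a Key Vault token": { access_token: "constructed.kv.token" },
  "Create the RSA key": { key: { kty: "RSA", kid: "https://byok-kv.vault.azure.cn/keys/byok-key/0123456789abcdef0123456789abcdef" } },
};

// Run steps 1 to 8 in order, then prepare the target URL for step 9.
function runSequence() {
  for (const step of steps) runTestScript(step, sampleResponses[step.name], globals);
  if (!isKeyIdentifierInVault(globals.keyId, environment.keyVaultName, environment.keyVaultDomainSuffix)) {
    throw new Error("keyId does not point at the key vault created in this run");
  }
  // ARM URL of the Media Services account for the update request (path form assumed).
  const updateUrl = resolveTemplate(
    "https://{{armEndpoint}}/subscriptions/{{subscription}}/resourceGroups/{{resourceGroup}}" +
    "/providers/Microsoft.Media/mediaservices/{{accountName}}?api-version=2020-05-01",
    environment, globals);
  return { updateUrl, keyId: globals.keyId, principalId: globals.principalId };
}

console.log(runSequence());
```

The vault check is the part worth carrying into a real collection as a pre-request script for step 9: an identifier from a different vault or an unversioned key would still be a syntactically valid keyIdentifier, and the update request would not tell you which one you meant.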

Send the requests

After you define your environment variables, you can run the requests one at a time in the previous sequence. Or, you can use Postman's runner to run the collection.

Change the key

Media Services automatically detects when the key is changed. Create another key version for the same key to test this process. Media Services should detect the key in less than 15 minutes.

Clean up resources

If you're not going to continue to use the resources that you created and you don't want to continue to be billed, delete them.

Next steps

Go to the next article to learn how to: