从索引和同义词映射获取客户管理的密钥信息Get customer-managed key information from indexes and synonym maps

在 Azure 认知搜索中,需在 Azure Key Vault 中创建、存储和管理客户管理的加密密钥。In Azure Cognitive Search, customer-managed encryption keys are created, stored, and managed in Azure Key Vault. 如果需要确定对象是否加密,或者要确定使用的密钥名称或版本,请使用 REST API 或 SDK 从索引或同义词映射定义中检索 encryptionKey 属性。If you need to determine whether an object is encrypted, or what key name or version was used, use the REST API or an SDK to retrieve the encryptionKey property from an index or synonym map definition.

建议在 Key Vault 上启用日志记录,以便监视密钥使用情况。We recommend that you enable logging on Key Vault so that you can monitor key usage.

获取管理 API 密钥Get the admin API key

若要从搜索服务获取对象定义,你需要使用管理员权限进行身份验证。To get object definitions from a search service, you will need to authenticate with admin rights. 获取管理 API 密钥的最简单的方法是通过门户获取。The easiest way to get the admin API key is through the portal.

  1. 登录到 Azure 门户,然后打开搜索服务概览页面。Sign in to the Azure portal and open the search service overview page.

  2. 在左侧,单击“密钥”并复制管理 API。On the left side, click Keys and copy an admin API. 索引和同义词映射检索需要使用管理密钥。An admin key is required for index and synonym map retrieval.

为完成剩余步骤,请切换到 PowerShell 和 REST API。For the remaining steps, switch to PowerShell and the REST API. 门户不显示同义词映射,也不显示索引的加密密钥属性。The portal does not show synonym maps, nor the encryption key properties of indexes.

使用 PowerShell 和 RESTUse PowerShell and REST

运行以下命令以设置变量和获取对象定义。Run the following commands to set up the variables and get object definitions.

<# Connect to Azure #>
$Connect-AzAccount

<# Provide the admin API key used for search service authentication  #>
$headers = @{
'api-key' = '<YOUR-ADMIN-API-KEY>'
'Content-Type' = 'application/json'
'Accept' = 'application/json' }

<# List all existing synonym maps #>
$uri= 'https://<YOUR-SEARCH-SERVICE>.search.azure.cn/synonyms?api-version=2020-06-30&$select=name'
Invoke-RestMethod -Uri $uri -Headers $headers | ConvertTo-Json

<# List all existing indexes #>
$uri= 'https://<YOUR-SEARCH-SERVICE>.search.azure.cn/indexes?api-version=2020-06-30&$select=name'
Invoke-RestMethod -Uri $uri -Headers $headers | ConvertTo-Json

<# Return a specific synonym map definition. The encryptionKey property is at the end #>
$uri= 'https://<YOUR-SEARCH-SERVICE>.search.azure.cn/synonyms/<YOUR-SYNONYM-MAP-NAME>?api-version=2020-06-30'
Invoke-RestMethod -Uri $uri -Headers $headers | ConvertTo-Json

<# Return a specific index definition. The encryptionKey property is at the end #>
$uri= 'https://<YOUR-SEARCH-SERVICE>.search.azure.cn/indexes/<YOUR-INDEX-NAME>?api-version=2020-06-30'
Invoke-RestMethod -Uri $uri -Headers $headers | ConvertTo-Json

后续步骤Next steps

现在你了解了所使用的加密密钥和版本,可以在 Azure Key Vault 中管理密钥,或查看其他配置设置。Now that you know which encryption key and version is used, you can manage the key in Azure Key Vault or check other configuration settings.