How to set up Key Vault for virtual machines with the Azure CLI

In the Azure Resource Manager stack, secrets/certificates are modeled as resources that are provided by Key Vault. To learn more about Azure Key Vault, see What is Azure Key Vault? In order for Key Vault to be used with Azure Resource Manager VMs, the EnabledForDeployment property on Key Vault must be set to true. This article shows you how to set up Key Vault for use with Azure virtual machines (VMs) using the Azure CLI.

To perform these steps, you need the latest Azure CLI installed and must be logged in to an Azure account using az login.

Note

Before you can use Azure CLI 2.0 in Azure China, first run az cloud set -n AzureChinaCloud to change the cloud environment. If you want to switch back to Global Azure, run az cloud set -n AzureCloud again.

Create a Key Vault

Create a key vault and assign the deployment policy with az keyvault create. The following example creates a key vault named myKeyVault in the myResourceGroup resource group:

az keyvault create -l chinanorth -n myKeyVault -g myResourceGroup --enabled-for-deployment true

Update a Key Vault for use with VMs

Set the deployment policy on an existing key vault with az keyvault update. The following command updates the key vault named myKeyVault in the myResourceGroup resource group:

az keyvault update -n myKeyVault -g myResourceGroup --set properties.enabledForDeployment=true
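
The check-then-update flow from the two sections above, as an added example that is not part of the original article: it reads properties.enabledForDeployment, updates the vault only when the flag is not already true, and re-reads the flag to confirm the change. The function names are hypothetical; the az keyvault update call is the one shown above, and the read uses az keyvault show with --query and -o json.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.

# Print the vault's properties.enabledForDeployment as JSON ("true" or "false").
get_deployment_flag() {
  az keyvault show -n "$1" -g "$2" \
    --query properties.enabledForDeployment -o json
}

# Enable the deployment policy only if it is not already on, then verify.
# Prints "unchanged" or "updated". Returns 0 on success, 1 if the update
# failed or did not take effect, 2 if the vault could not be read.
ensure_enabled_for_deployment() {
  efd_vault="$1"
  efd_group="$2"

  efd_flag="$(get_deployment_flag "$efd_vault" "$efd_group")" || {
    echo "cannot read vault $efd_vault in $efd_group" >&2
    return 2
  }
  if [ "$efd_flag" = "true" ]; then
    echo "unchanged"
    return 0
  fi

  az keyvault update -n "$efd_vault" -g "$efd_group" \
    --set properties.enabledForDeployment=true >/dev/null || return 1

  # Re-read instead of trusting the update's exit status alone.
  efd_flag="$(get_deployment_flag "$efd_vault" "$efd_group")" || return 2
  if [ "$efd_flag" != "true" ]; then
    echo "enabledForDeployment is still '$efd_flag' on $efd_vault" >&2
    return 1
  fi
  echo "updated"
}

# Run as: sh script.sh myKeyVault myResourceGroup
if [ "$#" -eq 2 ]; then
  ensure_enabled_for_deployment "$1" "$2"
fi
```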

Use templates to set up Key Vault

When you use a template, you need to set the enabledForDeployment property to true for the Key Vault resource as follows:

{
    "type": "Microsoft.KeyVault/vaults",
    "name": "ContosoKeyVault",
    "apiVersion": "2015-06-01",
    "location": "<location-of-key-vault>",
    "properties": {
        "enabledForDeployment": "true",
        ....
        ....
    }
}

Next steps

For other options that you can configure when you create a Key Vault by using templates, see Create a key vault.