
Tutorial: Integrate Azure Key Vault in your Resource Manager template deployment

Learn how to retrieve secrets from an Azure key vault and pass them as parameters when you deploy an Azure Resource Manager template. The secret value never appears in the template, the parameter file, or the deployment history, because you reference only the key vault's resource ID and the secret name; Resource Manager retrieves the value at deployment time. For more information, see Use Azure Key Vault to pass secure parameter value during deployment.

In the Set resource deployment order tutorial, you create a virtual machine (VM) and must provide the VM administrator user name and password. Instead of providing the password directly, you can store it in an Azure key vault beforehand and customize the template so that the password is retrieved from the key vault during the deployment.

[Diagram: integration of a Resource Manager template deployment with a key vault]

This tutorial covers the following tasks:

  • Prepare a key vault
  • Open a quickstart template
  • Edit the parameters file
  • Deploy the template
  • Validate the deployment
  • Clean up resources

If you don't have an Azure subscription, create a free account before you begin.

Note

This article has been updated to use the Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Prerequisites

To complete this article, you need:

Prepare a key vault

In this section, you create a key vault and add a secret to it, so that the secret can be retrieved when you deploy your template. There are many ways to create a key vault; in this tutorial, you use Azure PowerShell to deploy a Resource Manager template that does the following:

  • Creates a key vault with the enabledForTemplateDeployment property set to true. This property must be true before the template deployment process can access the secrets that are defined in the key vault.
  • Adds a secret to the key vault. The secret stores the VM administrator password.

Note

As the user who deploys the virtual machine template, if you are not the Owner of or a Contributor to the key vault, the Owner or a Contributor must grant you the Microsoft.KeyVault/vaults/deploy/action permission on the key vault. This is the permission Resource Manager checks when it resolves the parameter reference; it does not by itself let you read the secret. For more information, see Use Azure Key Vault to pass a secure parameter value during deployment.

Run the following Azure PowerShell script in Azure Cloud Shell. To paste the script, right-click the shell pane and then select Paste.

# Inputs. The password is read as a SecureString so that it is not echoed to the console.
$projectName = Read-Host -Prompt "Enter a project name that is used for generating resource names"
$location = Read-Host -Prompt "Enter the location (e.g. centralus)"
$upn = Read-Host -Prompt "Enter your user principal name (email address) used to sign in to Azure"
$secretValue = Read-Host -Prompt "Enter the virtual machine administrator password" -AsSecureString

$resourceGroupName = "${projectName}rg"
$keyVaultName = $projectName
# Object ID of the signed-in user; the template uses it for the vault's access policy.
$adUserId = (Get-AzADUser -UserPrincipalName $upn).Id
$templateUri = "https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/tutorials-use-key-vault/CreateKeyVault.json"

New-AzResourceGroup -Name $resourceGroupName -Location $location
# keyVaultName, adUserId and secretValue are passed through as the template's parameters.
New-AzResourceGroupDeployment -ResourceGroupName $resourceGroupName -TemplateUri $templateUri -keyVaultName $keyVaultName -adUserId $adUserId -secretValue $secretValue

Important

  • The resource group name is the project name with rg appended to it. To make it easier to clean up the resources that you create in this tutorial, use the same project name and resource group name when you deploy the next template.
  • The default name for the secret is vmAdminPassword. It is hardcoded in the template.
  • To enable the template to retrieve the secret, the key vault must have the access policy called "Enable access to Azure Resource Manager for template deployment" enabled (the enabledForTemplateDeployment property). This policy is enabled by the template. For more information about the access policy, see Deploy key vaults and secrets.

The template has one output value, called keyVaultId. Write down the ID value; you need it later when you deploy the virtual machine. The resource ID has the following format (mykeyvaultdeploymentrg stands for the resource group name, that is, your project name with rg appended):

/subscriptions/<SubscriptionID>/resourceGroups/mykeyvaultdeploymentrg/providers/Microsoft.KeyVault/vaults/<KeyVaultName>

When you copy and paste the ID, it might be broken into multiple lines. Merge the lines and trim any extra spaces; a resource ID with embedded whitespace is not resolved.

To validate the deployment, run one of the following PowerShell commands in the same shell pane to retrieve the secret in clear text. The commands work only in the same shell session, because they use the variable $keyVaultName, which is defined in the preceding PowerShell script. The first form reads the SecretValueText property, which exists in Az.KeyVault 1.x; in Az.KeyVault 2.0 and later that property was removed and you use the -AsPlainText switch instead. Either form prints the administrator password to the console, so use it only to confirm the setup and clear the pane afterwards.

(Get-AzKeyVaultSecret -VaultName $keyVaultName -Name "vmAdminPassword").SecretValueText
Get-AzKeyVaultSecret -VaultName $keyVaultName -Name "vmAdminPassword" -AsPlainText

You have now prepared a key vault and a secret. The following sections show you how to customize an existing template so that it retrieves the secret during the deployment.

Open a quickstart template

Azure Quickstart Templates is a repository of Resource Manager templates. Instead of creating a template from scratch, you can find a sample template and customize it. The template used in this tutorial is called Deploy a simple Windows VM.

  1. In Visual Studio Code, select File > Open File.

  2. In the File name box, paste the following URL:

    https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-vm-simple-windows/azuredeploy.json
    
  3. Select Open to open the file. The scenario is the same as the one used in Tutorial: Create Azure Resource Manager templates with dependent resources. The template defines five resources:

    It's helpful to have some basic understanding of the template before you customize it.

  4. Select File > Save As, and save a copy of the file to your local computer with the name azuredeploy.json.

  5. Repeat steps 1-3 to open the following URL, and then save the file as azuredeploy.parameters.json.

    https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-vm-simple-windows/azuredeploy.parameters.json
    

Edit the parameters file

You don't need to make any changes to the template file; the Key Vault reference goes in the parameters file only.

  1. In Visual Studio Code, open azuredeploy.parameters.json if it's not already open.

  2. Update the adminPassword parameter so that it is a reference to the secret instead of a value:

    "adminPassword": {
        "reference": {
            "keyVault": {
                "id": "/subscriptions/<SubscriptionID>/resourceGroups/mykeyvaultdeploymentrg/providers/Microsoft.KeyVault/vaults/<KeyVaultName>"
            },
            "secretName": "vmAdminPassword"
        }
    },
    

    Important

    Replace the value of id with the resource ID of the key vault that you created in the previous procedure.

    [Screenshot: the virtual machine deployment parameters file with the key vault reference]

  3. Update the following values:

    • adminUsername: the name of the virtual machine administrator account.
    • dnsLabelPrefix: a unique DNS name label for the VM's public IP address.

    For examples of names, see the preceding image.

  4. Save the changes.
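The parameter edit above can also be generated rather than typed, which avoids the line-break problem with the copied resource ID and lets you check the vault before deploying. The following script is an added example and not part of the original tutorial. It assumes the same project-name convention and secret name (vmAdminPassword) as the scripts above, that you are signed in to Azure PowerShell in the same session you will deploy from, and that the 101-vm-simple-windows template accepts adminUsername, adminPassword and dnsLabelPrefix as shown on this page. It reads the vault's resource ID directly, confirms that enabledForTemplateDeployment is true and that the secret exists (without retrieving its value), and then writes azuredeploy.parameters.json with the keyVault reference.

```powershell
# Added example: preflight checks and generation of azuredeploy.parameters.json.
# Assumes the key vault and secret were created by the earlier script
# ($keyVaultName = $projectName, secret name vmAdminPassword).
$projectName = Read-Host -Prompt "Enter the same project name that is used for creating the key vault"
$adminUsername = Read-Host -Prompt "Enter the VM administrator user name"
$dnsLabelPrefix = Read-Host -Prompt "Enter a unique DNS label prefix for the VM public IP (lowercase)"

$keyVaultName = $projectName
$secretName = "vmAdminPassword"

# Read the vault object; its ResourceId is exactly the value the parameter file needs.
$vault = Get-AzKeyVault -VaultName $keyVaultName
if (-not $vault) {
    throw "Key vault '$keyVaultName' was not found in the current subscription."
}

# Resource Manager can only read secrets from a vault that has this flag set.
if (-not $vault.EnabledForTemplateDeployment) {
    throw "Key vault '$keyVaultName' does not have enabledForTemplateDeployment set. Enable it with: Update-AzKeyVault -VaultName $keyVaultName -EnabledForTemplateDeployment"
}

# Check that the secret exists. Without -AsPlainText only metadata is returned,
# so the password is neither printed to the console nor kept in the shell history.
$secret = Get-AzKeyVaultSecret -VaultName $keyVaultName -Name $secretName
if (-not $secret) {
    throw "Secret '$secretName' was not found in key vault '$keyVaultName'."
}

# Build the parameter file. adminPassword is a Key Vault reference, not a value;
# Resource Manager resolves it at deployment time.
$parameters = [ordered]@{
    '$schema'      = "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#"
    contentVersion = "1.0.0.0"
    parameters     = [ordered]@{
        adminUsername  = @{ value = $adminUsername }
        dnsLabelPrefix = @{ value = $dnsLabelPrefix }
        adminPassword  = @{
            reference = @{
                keyVault   = @{ id = $vault.ResourceId }
                secretName = $secretName
            }
        }
    }
}

$parameterFile = "$HOME/azuredeploy.parameters.json"
$parameters | ConvertTo-Json -Depth 10 | Set-Content -Path $parameterFile -Encoding UTF8
Write-Host "Wrote $parameterFile referencing $($vault.ResourceId)"
```

Because the file is written to $HOME, the deployment command in the next section can use it unchanged. The generated file contains no secret material, so it is safe to keep in source control alongside azuredeploy.json.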

Deploy the template

Follow the instructions in Deploy the template. Upload both azuredeploy.json and azuredeploy.parameters.json to Cloud Shell, and then use the following PowerShell script to deploy the template:

$projectName = Read-Host -Prompt "Enter the same project name that is used for creating the key vault"
$location = Read-Host -Prompt "Enter the same location that is used for creating the key vault (i.e. centralus)"
$resourceGroupName = "${projectName}rg"

New-AzResourceGroupDeployment `
    -ResourceGroupName $resourceGroupName `
    -TemplateFile "$HOME/azuredeploy.json" `
    -TemplateParameterFile "$HOME/azuredeploy.parameters.json"

When you deploy the template, use the same resource group that you used for the key vault. This approach makes it easier to clean up the resources, because you need to delete only one resource group instead of two.

Validate the deployment

After you've successfully deployed the virtual machine, test the sign-in credentials by using the password that's stored in the key vault.

  1. Open the Azure portal.

  2. Select Resource groups > <YourResourceGroupName> > simpleWinVM.

  3. Select Connect at the top.

  4. Select Download RDP File, and then follow the instructions to sign in to the virtual machine by using the password that's stored in the key vault.
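Beyond the RDP sign-in, you can confirm from PowerShell that the deployment succeeded and that the password value was never recorded in the deployment history, which is the property this tutorial relies on. The following script is an added example and not part of the original tutorial. It assumes the same project-name convention as above, that the deployment kept the default name azuredeploy (Resource Manager names a deployment after the template file when you pass -TemplateFile), and that the VM resource is called simpleWinVM as shown in the validation steps.

```powershell
# Added example: confirm the deployment and check that the secure parameter
# was not recorded in clear text in the deployment history.
$projectName = Read-Host -Prompt "Enter the same project name that is used for creating the key vault"
$resourceGroupName = "${projectName}rg"
$deploymentName = "azuredeploy"   # default name when deploying $HOME/azuredeploy.json

$deployment = Get-AzResourceGroupDeployment -ResourceGroupName $resourceGroupName -Name $deploymentName
if ($deployment.ProvisioningState -ne "Succeeded") {
    throw "Deployment '$deploymentName' is in state '$($deployment.ProvisioningState)'."
}

# Every parameter is recorded with its type. For securestring parameters the
# recorded value is empty; a non-empty value means the template or parameter
# file declared adminPassword as a plain string and the password is now in the history.
foreach ($entry in $deployment.Parameters.GetEnumerator()) {
    $type  = $entry.Value.Type
    $value = $entry.Value.Value
    if ($type -eq "SecureString") {
        if ([string]::IsNullOrEmpty($value)) {
            Write-Host "$($entry.Key): SecureString, value not recorded (OK)"
        } else {
            Write-Warning "$($entry.Key): SecureString but a value is recorded; check the template and parameter file"
        }
    } else {
        Write-Host "$($entry.Key): $type = $value"
    }
}

# Confirm the VM exists and report its power state before you try the RDP sign-in.
$vm = Get-AzVM -ResourceGroupName $resourceGroupName -Name "simpleWinVM" -Status
$powerState = ($vm.Statuses | Where-Object Code -like "PowerState/*").DisplayStatus
Write-Host "simpleWinVM power state: $powerState"
```

If the adminPassword entry shows a recorded value, fix the parameter type in the template (it must be securestring) and redeploy; the history of the earlier deployment still contains the value, so rotate the secret in the vault as well.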

Clean up resources

When you no longer need your Azure resources, clean up the resources that you deployed by deleting the resource group.

$projectName = Read-Host -Prompt "Enter the same project name that is used for creating the key vault"
$resourceGroupName = "${projectName}rg"

Remove-AzResourceGroup -Name $resourceGroupName

Next steps

In this tutorial, you retrieved a secret from your Azure key vault and used it in your template deployment. To learn how to create linked templates, see: