
Receive and respond to key vault notifications with Azure Event Grid

Azure Key Vault integration with Azure Event Grid enables user notification when the status of a secret stored in a key vault has changed. For an overview of this feature, see Monitoring Key Vault with Event Grid.

This guide describes how to receive Key Vault notifications through Event Grid, and how to respond to status changes through Azure Automation.

Prerequisites

Concepts

Event Grid is an eventing service for the cloud. By following the steps in this guide, you'll subscribe to events for Key Vault and route events to Automation. When one of the secrets in the key vault is about to expire, Event Grid is notified of the status change and makes an HTTP POST to the webhook endpoint. The webhook then triggers an Automation execution of a PowerShell script.

(Image: HTTP POST flow diagram)

Create an Automation account

Create an Automation account through the Azure portal:

  1. Go to portal.azure.com and log in to your subscription.

  2. In the search box, enter Automation Accounts.

  3. Under the Services section of the drop-down list on the search bar, select Automation Accounts.

  4. Select Add.

    (Image: Automation account pane)

  5. Enter the required information in the Add Automation Account pane and then select Create.

Create a runbook

After your Automation account is ready, create a runbook.

(Image: Create a runbook UI)

  1. Select the Automation account you just created.

  2. Select Runbooks under Process Automation.

  3. Select Create a runbook.

  4. Name your runbook and select PowerShell as the runbook type.

  5. Select the runbook you created and then select the Edit button.

  6. Enter the following code (for testing purposes) and select the Publish button. This script simply returns the body of the POST request received.

param
(
    [Parameter (Mandatory = $false)]
    [object] $WebhookData
)

# If the runbook was called from a webhook, WebhookData will not be null.
if ($WebhookData) {

    # Rotate the secret:
    #   generate a new secret version in the key vault
    #   update the db/service with the generated secret

    # Write-Output "WebhookData <$WebhookData>"
    Write-Output $WebhookData.RequestBody
}
else
{
    # Error: the runbook was started without webhook input.
    Write-Error "No input data found."
}

(Image: Publish runbook UI)

Create a webhook

Create a webhook to trigger your newly created runbook.

  1. Select Webhooks from the Resources section of the runbook you just published.

  2. Select Add Webhook.

    (Image: Add Webhook button)

  3. Select Create new Webhook.

  4. Name the webhook, set an expiration date, and copy the URL.

    Important

    You can't view the URL after you create it. Make sure you save a copy in a secure location where you can access it for the remainder of this guide.

  5. Select Parameters and run settings and then select OK. Don't enter any parameters. This will enable the Create button.

  6. Select OK and then select Create.

    (Image: Create new Webhook UI)

Create an Event Grid subscription

Create an Event Grid subscription through the Azure portal.

  1. Go to your key vault and select the Events tab.

    (Image: Events tab in the Azure portal)

  2. Select the Event Subscription button.

  3. Create a descriptive name for the subscription.

  4. Choose Event Grid Schema.

  5. Topic Resource should be the key vault you want to monitor for status changes.

  6. For Filter to Event Types, leave all options selected (9 selected).

  7. For Endpoint Type, select Webhook.

  8. Choose Select an endpoint. In the new context pane, paste the webhook URL from the Create a webhook step into the Subscriber Endpoint field.

  9. Select Confirm Selection on the context pane.

  10. Select Create.

    (Image: Create event subscription)

Test and verify

Verify that your Event Grid subscription is properly configured. This test assumes you have subscribed to the "Secret New Version Created" notification in the Create an Event Grid subscription step, and that you have the necessary permissions to create a new version of a secret in a key vault.

(Image: Test configuration for the Event Grid subscription)

(Image: Create a secret pane)

  1. Go to your key vault on the Azure portal.

  2. Create a new secret. For testing purposes, set the expiration date to the next day.

  3. On the Events tab in your key vault, select the Event Grid subscription you created.

  4. Under Metrics, check whether an event was captured. Two events are expected: SecretNewVersion and SecretNearExpiry. These events validate that Event Grid successfully captured the status change of the secret in your key vault.

    (Image: Metrics pane showing the captured events)

  5. Go to your Automation account.

  6. Select the Runbooks tab, and then select the runbook you created.

  7. Select the Webhooks tab, and confirm that the "last triggered" time stamp is within 60 seconds of when you created the new secret. This result confirms that Event Grid made a POST to the webhook with the event details of the status change in your key vault and that the webhook was triggered.

    (Image: Webhooks tab with the last-triggered time stamp)

  8. Return to your runbook and select the Overview tab.

  9. Look at the Recent Jobs list. You should see that a job was created and that the status is Completed. This confirms that the webhook triggered the runbook to start executing its script.

    (Image: Recent Jobs list for the runbook)

  10. Select the recent job and look at the POST request that was sent from Event Grid to the webhook. Examine the JSON and make sure that the parameters for your key vault and event type are correct. If the "event type" parameter in the JSON object matches the event that occurred in the key vault (in this example, Microsoft.KeyVault.SecretNearExpiry), the test was successful.

Troubleshooting

You can't create an event subscription

Reregister the Event Grid and Key Vault providers in your Azure subscription's resource providers. See Azure resource providers and types.

Next steps

Congratulations! If you've correctly followed all these steps, you're now ready to programmatically respond to status changes of secrets stored in your key vault.

If you've been using a polling-based system to search for status changes of secrets in your key vaults, you can now start using this notification feature. You can also replace the test script in your runbook with code that programmatically renews your secrets when they're about to expire.

Learn more:
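The test runbook earlier in this guide only echoes the request body. As an added example (it is not part of the original page and not Azure's own code), the following PowerShell runbook parses the Event Grid payload, acts only on Microsoft.KeyVault.SecretNearExpiry events, and writes a new version of the expiring secret with Set-AzKeyVaultSecret. Ignoring every other event type matters because the new version itself raises a Microsoft.KeyVault.SecretNewVersionCreated event that is delivered to the same webhook; acting on it would rotate the secret again in a loop. The example assumes the Automation account runs under a managed identity that is allowed to set secrets in the vault and that the Az.Accounts and Az.KeyVault modules are imported into the account; Update-DependentService is a hypothetical placeholder for the "update db/service" step, and the 90-day expiry for the new version is an assumed policy.

```powershell
# Added example runbook (not from the original page): rotate a secret when
# Event Grid reports Microsoft.KeyVault.SecretNearExpiry.
# Assumptions: managed identity with "set" permission on secrets in the vault,
# Az.Accounts and Az.KeyVault imported; Update-DependentService is a placeholder.
param
(
    [Parameter (Mandatory = $false)]
    [object] $WebhookData
)

$ErrorActionPreference = 'Stop'

function New-RandomSecretValue {
    # 32 bytes from a cryptographic RNG, base64-encoded, as the new secret value.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function Update-DependentService {
    param([string] $SecretName, [securestring] $NewValue)
    # Hypothetical placeholder: push the new value to the database/service
    # that consumes this secret. Replace with your own logic.
    Write-Output "Placeholder: would update the consumer of '$SecretName'."
}

if (-not $WebhookData) {
    Write-Error "No input data found."
    return
}

# Event Grid POSTs a JSON array of events; @() keeps a single event iterable.
$events = @($WebhookData.RequestBody | ConvertFrom-Json)

Connect-AzAccount -Identity | Out-Null

foreach ($evt in $events) {
    # Only near-expiry events trigger a rotation. The SecretNewVersionCreated
    # event raised by the rotation below is deliberately ignored here so the
    # runbook does not re-trigger itself.
    if ($evt.eventType -ne 'Microsoft.KeyVault.SecretNearExpiry') {
        Write-Output "Ignoring event type '$($evt.eventType)' (subject '$($evt.subject)')."
        continue
    }

    $data = $evt.data
    if ($data.ObjectType -ne 'Secret') {
        Write-Output "Ignoring object type '$($data.ObjectType)'."
        continue
    }

    $vault = $data.VaultName
    $name  = $data.ObjectName
    $expiry = if ($data.EXP) { [DateTimeOffset]::FromUnixTimeSeconds([long]$data.EXP).ToString('u') } else { 'unknown' }
    Write-Output "Rotating secret '$name' in vault '$vault' (current version expires $expiry)."

    # Create the new version with an expiry 90 days out (assumed policy) so a
    # fresh near-expiry event is not raised immediately for the new version.
    $secure = ConvertTo-SecureString (New-RandomSecretValue) -AsPlainText -Force
    $newVersion = Set-AzKeyVaultSecret -VaultName $vault -Name $name -SecretValue $secure -Expires (Get-Date).AddDays(90)
    Write-Output "Created version $($newVersion.Version) of secret '$name'."

    Update-DependentService -SecretName $name -NewValue $secure
}
```

When you replace the test script with this one, keep the step 10 check from Test and verify: the job output lists every event type the runbook received and which ones it ignored, which is the quickest way to confirm that the subscription filter and the rotation logic agree.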