快速入門：使用ARM樣本從 Azure 金鑰保存庫設定和擷取秘密

發行項
03/19/2024

Azure Key Vault 是雲端服務，可安全儲存祕密，例如金鑰、密碼、憑證和其他祕密。本快速入門著重於部署 Azure Resource Manager 範本（ARM 範本）以建立金鑰保存庫和秘密的程式。

Azure Resource Manager 範本是 JavaScript 物件表示法（JSON）檔案，可定義專案的基礎結構和組態。範本使用宣告式語法。您不需要撰寫程式設計命令順序來建立部署，即可描述預定的部署。

如果您的環境符合必要條件，而且您很熟悉 ARM 範本，請選取 [部署至 Azure] 按鈕。範本會在 Azure 入口網站中開啟。

必要條件

若要完成本文：

如尚未擁有 Azure 訂用帳戶，請在開始之前先建立免費帳戶。
範本需要您的 Microsoft Entra 使用者物件識別碼來設定權限。下列程序會取得物件識別碼 (GUID)。
1. 透過選取 [試試看] 來執行下列 Azure PowerShell 或 Azure CLI 命令，然後將指令碼貼到 Shell 窗格中。若要貼上指令碼，請以滑鼠右鍵按一下 Shell，然後選取 [貼上]。
  - CLI
  - PowerShell
```
echo "Enter your email address that is used to sign in to Azure:" &&
read upn &&
az ad user show --id $upn --query "Id" &&
echo "Press [ENTER] to continue ..."
```
```
$upn = Read-Host -Prompt "Enter your email address used to sign in to Azure"
(Get-AzADUser -UserPrincipalName $upn).Id
Write-Host "Press [ENTER] to continue..."
```
2. 請記下物件識別碼。您會在本快速入門中的下一節用到它。

檢閱範本

本快速入門中使用的範本是來自 Azure 快速入門範本。

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "_generator": {
      "name": "bicep",
      "version": "0.26.54.24096",
      "templateHash": "8629186205194254058"
    }
  },
  "parameters": {
    "keyVaultName": {
      "type": "string",
      "metadata": {
        "description": "Specifies the name of the key vault."
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Specifies the Azure location where the key vault should be created."
      }
    },
    "enabledForDeployment": {
      "type": "bool",
      "defaultValue": false,
      "metadata": {
        "description": "Specifies whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault."
      }
    },
    "enabledForDiskEncryption": {
      "type": "bool",
      "defaultValue": false,
      "metadata": {
        "description": "Specifies whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys."
      }
    },
    "enabledForTemplateDeployment": {
      "type": "bool",
      "defaultValue": false,
      "metadata": {
        "description": "Specifies whether Azure Resource Manager is permitted to retrieve secrets from the key vault."
      }
    },
    "tenantId": {
      "type": "string",
      "defaultValue": "[subscription().tenantId]",
      "metadata": {
        "description": "Specifies the Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. Get it by using Get-AzSubscription cmdlet."
      }
    },
    "objectId": {
      "type": "string",
      "metadata": {
        "description": "Specifies the object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies. Get it by using Get-AzADUser or Get-AzADServicePrincipal cmdlets."
      }
    },
    "keysPermissions": {
      "type": "array",
      "defaultValue": [
        "list"
      ],
      "metadata": {
        "description": "Specifies the permissions to keys in the vault. Valid values are: all, encrypt, decrypt, wrapKey, unwrapKey, sign, verify, get, list, create, update, import, delete, backup, restore, recover, and purge."
      }
    },
    "secretsPermissions": {
      "type": "array",
      "defaultValue": [
        "list"
      ],
      "metadata": {
        "description": "Specifies the permissions to secrets in the vault. Valid values are: all, get, list, set, delete, backup, restore, recover, and purge."
      }
    },
    "skuName": {
      "type": "string",
      "defaultValue": "standard",
      "allowedValues": [
        "standard",
        "premium"
      ],
      "metadata": {
        "description": "Specifies whether the key vault is a standard vault or a premium vault."
      }
    },
    "secretName": {
      "type": "string",
      "metadata": {
        "description": "Specifies the name of the secret that you want to create."
      }
    },
    "secretValue": {
      "type": "securestring",
      "metadata": {
        "description": "Specifies the value of the secret that you want to create."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "apiVersion": "2023-07-01",
      "name": "[parameters('keyVaultName')]",
      "location": "[parameters('location')]",
      "properties": {
        "enabledForDeployment": "[parameters('enabledForDeployment')]",
        "enabledForDiskEncryption": "[parameters('enabledForDiskEncryption')]",
        "enabledForTemplateDeployment": "[parameters('enabledForTemplateDeployment')]",
        "tenantId": "[parameters('tenantId')]",
        "enableSoftDelete": true,
        "softDeleteRetentionInDays": 90,
        "accessPolicies": [
          {
            "objectId": "[parameters('objectId')]",
            "tenantId": "[parameters('tenantId')]",
            "permissions": {
              "keys": "[parameters('keysPermissions')]",
              "secrets": "[parameters('secretsPermissions')]"
            }
          }
        ],
        "sku": {
          "name": "[parameters('skuName')]",
          "family": "A"
        },
        "networkAcls": {
          "defaultAction": "Allow",
          "bypass": "AzureServices"
        }
      }
    },
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "apiVersion": "2023-07-01",
      "name": "[format('{0}/{1}', parameters('keyVaultName'), parameters('secretName'))]",
      "properties": {
        "value": "[parameters('secretValue')]"
      },
      "dependsOn": [
        "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
      ]
    }
  ],
  "outputs": {
    "location": {
      "type": "string",
      "value": "[parameters('location')]"
    },
    "name": {
      "type": "string",
      "value": "[parameters('keyVaultName')]"
    },
    "resourceGroupName": {
      "type": "string",
      "value": "[resourceGroup().name]"
    },
    "resourceId": {
      "type": "string",
      "value": "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
    }
  }
}

範本中定義了兩個 Azure 資源：

Microsoft.KeyVault/vaults：建立 Azure 金鑰保存庫。
Microsoft.KeyVault/vaults/secrets：建立金鑰保存庫祕密。

您可以在 Azure 快速入門範本中找到更多 Azure 金鑰保存庫樣本範例。

部署範本

選取以下影像來登入 Azure 並開啟範本。此範本會建立金鑰保存庫和祕密。
選取或輸入下列值。

除非指定，否則請使用預設值來建立密鑰保存庫和秘密。
- 訂用帳戶：選取 Azure 訂用帳戶。
- 資源群組：選取 [ 新建]，輸入資源群組的唯一名稱，然後按兩下 [ 確定]。
- 位置：選取位置。例如，美國中部。
- 金鑰保存庫名稱：輸入金鑰保存庫的名稱，此保存庫在 .vault.azure.net 命名空間內必須是全域唯一的。當您驗證部署時，在下一節中需要名稱。
- 租用戶標識碼：範本函式會自動擷取您的租用戶標識碼。請勿變更預設值。
- 廣告用戶標識碼：輸入您從必要條件擷取的 Microsoft Entra 使用者物件識別碼。
- 秘密名稱：輸入您儲存在金鑰保存庫中之秘密的名稱。例如， adminpassword。
- 秘密值：輸入秘密值。如果您儲存密碼，建議您使用您在必要條件中建立的已產生密碼。
- 我同意上述條款及條件：選取。
選取 [購買] 。成功部署金鑰保存庫之後，您會收到通知：

Azure 入口網站用於部署範本。除了 Azure 入口網站之外，您也可以使用 Azure PowerShell、Azure CLI 和 REST API。若要了解其他部署方法，請參閱＜部署範本＞。

檢閱已部署的資源

您可以使用 Azure 入口網站來檢查金鑰保存庫和秘密，或使用下列 Azure CLI 或 Azure PowerShell 指令碼列出所建立的祕密。

CLI
PowerShell

echo "Enter your key vault name:" &&
read keyVaultName &&
az keyvault secret list --vault-name $keyVaultName &&
echo "Press [ENTER] to continue ..."

$keyVaultName = Read-Host -Prompt "Enter your key vault name"
Get-AzKeyVaultSecret -vaultName $keyVaultName
Write-Host "Press [ENTER] to continue..."

輸出大致如下：

CLI
PowerShell

Screenshot that shows the deploy portal validation output in CLI.

清除資源

本快速入門建置其他金鑰保存庫快速入門和教學課程。如果您打算繼續進行後續的快速入門和教學課程，您可以讓這些資源留在原處。若不再需要，請刪除資源群組，以刪除金鑰保存庫和相關資源。若要使用 Azure CLI 或 Azure PowerShell 刪除資源群組：

CLI
PowerShell

echo "Enter the Resource Group name:" &&
read resourceGroupName &&
az group delete --name $resourceGroupName &&
echo "Press [ENTER] to continue ..."

$resourceGroupName = Read-Host -Prompt "Enter the Resource Group name"
Remove-AzResourceGroup -Name $resourceGroupName
Write-Host "Press [ENTER] to continue..."

下一步

在本快速入門中，您已使用ARM樣本建立金鑰保存庫和秘密，並驗證部署。若要深入瞭解金鑰保存庫和 Azure Resource Manager，請繼續閱讀下列文章。

快速入門：使用ARM樣本從 Azure 金鑰保存庫 設定和擷取秘密