Auto-regenerated keys reflected in an Azure Key Vault secret

I have successfully set up automatic regeneration between 'key1' and 'key2' with an interval of 1 day.

I store key1 as a connection string in a Key Vault secret. When the key is automatically regenerated, how do I reflect that change in the Key Vault secret? The Key Vault is used in Data Factory pipelines.

# Grant Key Vault's service principal the right to regenerate the storage account keys.
$servicePrincipal = Get-AzADServicePrincipal -ServicePrincipalName cfa8b339-82a2-471a-a3c9-0fc0be7a4093
New-AzRoleAssignment -ObjectId $servicePrincipal.Id -RoleDefinitionName 'Storage Account Key Operator Service Role' -Scope $storage.Id
# Give the user the managed-storage permissions in the vault.
$userPrincipalId = $(Get-AzADUser -SearchString 'Bob Johnson').Id
Set-AzKeyVaultAccessPolicy -VaultName 'AzureBlobVault' -ObjectId $userPrincipalId -PermissionsToStorage get, list, delete, set, update, regeneratekey, getsas, listsas, deletesas, setsas, recover, backup, restore, purge
# Onboard the storage account with key1 active and a 1-day regeneration period.
$regenerationPeriod = [System.Timespan]::FromDays(1)
Add-AzKeyVaultManagedStorageAccount -VaultName 'AzureBlobVault' -StorageAccountName 'john' -AccountResourceId '/subscriptions/XXXXXXX-XXXX-XXXXXXXXXXXXXXXX/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/John' -ActiveKeyName 'key1' -RegenerationPeriod $regenerationPeriod


The Result:

Id                  : https://azurekeyvaultblob.vault.azure.net:443/storage/john
Vault Name          : AzureBlobVault
AccountName         : john
Account Resource Id : /subscriptions/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/john
Active Key Name     : key1
Auto Regenerate Key : True
Regeneration Period : 1.00:00:00
Enabled             : True

Based on my research, at present we can only ask Key Vault to generate shared access signature tokens. If you want to do that, you can use the script below:

# Build a storage context from the account key value (not the key name).
$sctx = New-AzStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageAccountKey
$start = [System.DateTime]::Now.AddDays(-1)
$end = [System.DateTime]::Now.AddDays(1)
# Account SAS that serves as the template Key Vault re-signs with the current key.
$at = New-AzStorageAccountSasToken -Service Blob,File,Table,Queue -ResourceType Service,Container,Object -Permission "racwdlup" -Protocol HttpsOnly -StartTime $start -ExpiryTime $end -Context $sctx
Set-AzKeyVaultManagedStorageSasDefinition -AccountName $storageAccountName -VaultName $keyVaultName -Name accountsas -TemplateUri $at -SasType 'account' -ValidityPeriod ([System.Timespan]::FromDays(1))

For details, please refer to the document and the article.

Also, if you only want to use the connection string, I think you need to write code or a script to manage it. For example, I use a PowerShell script:

# Sign in. In an Automation runbook, prefer the account's identity
# (Connect-AzAccount -Identity) over a password kept in the script.
$name = "your account"
$password = "your password"
$secpasswd = ConvertTo-SecureString $password -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ($name, $secpasswd)
Connect-AzAccount -Credential $mycreds

$accountName = "your storage account name"
$keyvaultName = "your key vault name"
$secretName = "your secret name"
$accountGroupName = "your storage account resource group name"

# Read the first key (key1) and build the connection string from it.
$key = (Get-AzStorageAccountKey -ResourceGroupName $accountGroupName -Name $accountName)[0].Value
$string = 'DefaultEndpointsProtocol=https;AccountName=' + $accountName + ';AccountKey=' + $key + ';EndpointSuffix=core.windows.net'

# Store it as a new version of the secret.
$secretValue = ConvertTo-SecureString -String $string -AsPlainText -Force
$secret = Set-AzKeyVaultSecret -VaultName $keyvaultName -Name $secretName -SecretValue $secretValue

# Confirm the update without echoing the connection string into the job output.
Write-Output "Updated $($secret.Id)"

Then I host the PowerShell script in an Azure Automation runbook and create a schedule to run it.
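As an added example (not code from the question or the answer above), a runbook that re-syncs the secret with whichever key Key Vault has just made active, instead of always taking key index 0. The parameter defaults and the secret name are placeholders; `-AsPlainText` on Get-AzKeyVaultSecret needs Az.KeyVault 2.0 or later.

```powershell
# Added example: refresh the connection-string secret after a Key Vault managed
# storage rotation. Run on a schedule shortly after the regeneration period.
param(
    [string]$VaultName      = 'AzureBlobVault',          # placeholder
    [string]$StorageAccount = 'john',                    # placeholder
    [string]$ResourceGroup  = 'myResourceGroup',         # placeholder
    [string]$SecretName     = 'john-connection-string'   # assumed secret name
)

# Authenticate as the Automation account's managed identity; no password in the script.
Connect-AzAccount -Identity | Out-Null

# Ask Key Vault which key is currently active for the managed storage account.
$managed       = Get-AzKeyVaultManagedStorageAccount -VaultName $VaultName -AccountName $StorageAccount
$activeKeyName = $managed.ActiveKeyName   # 'key1' or 'key2' after the last rotation

# Key Vault does not expose the key value, so read it from the storage account.
$keys      = Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $StorageAccount
$activeKey = ($keys | Where-Object KeyName -eq $activeKeyName).Value
if (-not $activeKey) { throw "Key '$activeKeyName' not found on storage account '$StorageAccount'" }

$connectionString = "DefaultEndpointsProtocol=https;AccountName=$StorageAccount;AccountKey=$activeKey;EndpointSuffix=core.windows.net"

# Skip the write when the secret already matches, so unchanged keys do not pile up versions.
$current = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -AsPlainText -ErrorAction SilentlyContinue
if ($current -eq $connectionString) {
    Write-Output "Secret '$SecretName' already reflects $activeKeyName; nothing to do."
    return
}

# New version with an expiry just past the next rotation and a tag recording the key it holds.
$secure = ConvertTo-SecureString -String $connectionString -AsPlainText -Force
$secret = Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -SecretValue $secure `
    -ContentType 'storage-connection-string' `
    -Expires (Get-Date).AddDays(2) `
    -Tag @{ activeKey = $activeKeyName; storageAccount = $StorageAccount }

# Automation retains job output, so log only metadata, never the key itself.
Write-Output "Updated $($secret.Id) (version $($secret.Version)) to use $activeKeyName"
```

Consumers such as Data Factory that read the secret by name pick up the latest version on their next run, so the secret is stale only between the rotation and the next scheduled job.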