• Azure Key Vault: setting the access policy and adding secret key/value pairs with automation


    1. About Azure Key Vault

    Azure Key Vault helps safeguard the cryptographic keys and secrets used by cloud applications and services. With Key Vault you can use keys to encrypt keys and secrets (for example authentication keys, storage account keys, data encryption keys, .PFX files and passwords). Key Vault streamlines the key management process and lets you keep control of the keys that access and encrypt your data. Developers can create keys for development and testing in minutes and then migrate them seamlessly to production keys. Security administrators can grant (and revoke) permissions on keys as needed.

    2. What the automation script below does

    1. Add secret key/value pairs to an existing key vault
    2. Set the key vault's access policy

    # Set the Azure environment to China (Mooncake).
    $EnvironmentName ="AzureChinaCloud"
    # Put your subscription ID here.
    $SubscriptionId="*********"
    # Your key vault name.
    $keyvaultName="yourkeyvaultname"
    # Secret content type (optional).
    $ContentType="config"
    
    ## login
    Login-AzureRmAccount -EnvironmentName $EnvironmentName
    Set-AzureRmContext -SubscriptionId $SubscriptionId
    
    ## set keyvault policy
    Set-AzureRmKeyVaultAccessPolicy -VaultName $keyvaultName -EnabledForDeployment -EnabledForTemplateDeployment -EnabledForDiskEncryption
    ## initial keyvault secrets pairs
    $keyvaultSecrets =@{key1 = 'value1';key2 = 'value2'}
    <#
    ## optional: remove the secrets first (commented out by default)
    foreach($key in $keyvaultSecrets.keys)
    {
    Remove-AzureKeyVaultSecret -VaultName $keyvaultName -Name $key -Force -Confirm:$False
    Write-Output "removed $key successfully"
    }
    #>
    ## add secrets
    foreach($key in $keyvaultSecrets.keys)
    {
    $Secret = ConvertTo-SecureString -String $keyvaultSecrets[$key] -AsPlainText -Force
    Set-AzureKeyVaultSecret -VaultName $keyvaultName -Name $key -SecretValue $Secret -ContentType $ContentType
    }
    
    ## list secrets
    ## note: SecretValueText returns the plaintext value, so this writes the secrets to the console and any transcript
    foreach($key in $keyvaultSecrets.keys)
    {
    (Get-AzureKeyVaultSecret -VaultName $keyvaultName -Name $key).SecretValueText
    }
    

    Lines 11-12 of the script (the login) depend on which Azure environment you are using; Azure China is used as the example here.


    For the key vault policy settings, refer to the following:

    • EnabledForDeployment: Enables the Microsoft.Compute resource provider to retrieve secrets from this key vault when this key vault is referenced in resource creation, for example when creating a virtual machine.
    • EnabledForDiskEncryption: Enables the Azure disk encryption service to get secrets and unwrap keys from this key vault.
    • EnabledForTemplateDeployment: Enables Azure Resource Manager to get secrets from this key vault when this key vault is referenced in a template deployment.
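    As an added example (not part of the original post), the following PowerShell function audits which of the three policy flags are actually enabled on the vault, warns about any that were not declared as required, and confirms the secrets exist by name and metadata only, without printing their values the way the script's final loop does. It assumes you are already logged in with the AzureRM module as in the script above and reuses the script's $keyvaultName and $keyvaultSecrets variables; the function name Test-KeyVaultSecretsDeployed is my own.

```powershell
# Added example: audit vault policy flags and verify secrets without echoing values.
# Assumes Login-AzureRmAccount / Set-AzureRmContext already ran (see script above).
function Test-KeyVaultSecretsDeployed {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [hashtable] $ExpectedSecrets,
        # Only the flags the workload really needs; the others should stay off.
        [string[]] $RequiredFlags = @('EnabledForDeployment')
    )

    $vault = Get-AzureRmKeyVault -VaultName $VaultName
    if (-not $vault) { throw "Vault '$VaultName' not found in the current subscription" }

    # Report every broad-access flag so an unexpected one is visible in the output.
    $flags = 'EnabledForDeployment', 'EnabledForTemplateDeployment', 'EnabledForDiskEncryption'
    foreach ($flag in $flags) {
        $state  = if ($vault.$flag) { 'ON' } else { 'off' }
        $wanted = if ($RequiredFlags -contains $flag) { 'required' } else { 'not required' }
        Write-Output ("{0,-30} {1,-4} ({2})" -f $flag, $state, $wanted)
        if ($vault.$flag -and ($RequiredFlags -notcontains $flag)) {
            Write-Warning "$flag is enabled but not listed as required; consider disabling it"
        }
    }

    # Listing without -Name returns identity items (Name, Enabled, ContentType), never the value.
    $existing = Get-AzureKeyVaultSecret -VaultName $VaultName
    $missing  = @()
    foreach ($name in $ExpectedSecrets.Keys) {
        $item = $existing | Where-Object { $_.Name -eq $name }
        if (-not $item) { $missing += $name; continue }
        Write-Output ("secret {0}: enabled={1} contentType={2}" -f $item.Name, $item.Enabled, $item.ContentType)
    }
    if ($missing.Count -gt 0) {
        Write-Warning ("Missing secrets: " + ($missing -join ', '))
        return $false
    }
    return $true
}

# Usage with the variables defined in the script above.
Test-KeyVaultSecretsDeployed -VaultName $keyvaultName -ExpectedSecrets $keyvaultSecrets
```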
  • Original post: https://www.cnblogs.com/yangwenbo214/p/9836195.html