一. 关于Azure Key Vault
Azure 密钥保管库可帮助保护云应用程序和服务使用的加密密钥和机密。 借助 Key Vault,可使用密钥来加密密钥和机密(例如身份验证密钥、存储帐户密钥、数据加密密钥、.PFX 文件和密码)。密钥保管库简化了密钥管理过程,可让你控制用于访问和加密数据的密钥。 开发人员可以在几分钟内创建用于开发和测试的密钥,并无缝地将其迁移到生产密钥。 安全管理员可以根据需要授予(和吊销)密钥权限。
二. 如下自动化脚本实现的功能
- 向已经有的key vault中添加secrets键值对
- 设置key vault的policy
# set Azure Enviroment into China Mooncake.
$EnvironmentName ="AzureChinaCloud"
# Give your subcriptionID here.
$SubscriptionId="*********"
# your keyvault name
$keyvaultName="yourkeyvaultname"
# set secret type (option)
$ContentType="config"
##login
Login-AzureRmAccount -EnvironmentName 'AzureChinaCloud'
Set-AzureRmContext -SubscriptionId $SubscriptionId
## set keyvault policy
Set-AzureRmKeyVaultAccessPolicy -VaultName $keyvaultName -EnabledForDeployment -EnabledForTemplateDeployment -EnabledForDiskEncryption
## initial keyvault secrets pairs
$keyvaultSecrets =@{key1 = 'value1';key2 = 'value2'}
<#
foreach($key in $keyvaultSecrets.keys)
{
Remove-AzureKeyVaultSecret -VaultName $keyvaultName -Name $key -Force -Confirm:$False
Write-Output "remvoe $key successfully"
}
#>
#>
## add secrets
foreach($key in $keyvaultSecrets.keys)
{
$Secret = ConvertTo-SecureString -String $keyvaultSecrets[$key] -AsPlainText -Force
Set-AzureKeyVaultSecret -VaultName $keyvaultName -Name $key -SecretValue $Secret -ContentType $ContentType
}
## list secrets
foreach($key in $keyvaultSecrets.keys)
{
(get-azurekeyvaultsecret -VaultName $keyvaultName -name $key).SecretValueText
}
line 11-12需要注意你使用的azure的环境,此处以azure china为例
keyvualt的策略设置可以参考此处
- EnabledForDeployment :Enables the Microsoft.Compute resource provider to retrieve secrets from this key vault when this key vault is referenced in resource creation, for example when creating a virtual machine
- EnabledForDiskEncryption:Enables the Azure disk encryption service to get secrets and unwrap keys from this key vault.
- EnabledForTemplateDeployment:Enables Azure Resource Manager to get secrets from this key vault when this key vault is referenced in a template deployment.