Creating a storage service encryption ARM template with customer-managed keys

Time: 2018-04-10 10:14:39

Tags: json powershell azure encryption

We are trying to create an ARM template that lets us specify our own encryption key. I have the script below, which encrypts the storage account, but it does not let us add our own key.

Is there a way to add it programmatically? I know it can be done using the portal.

My script is

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageNamePrefix": {
      "type": "string",
      "metadata": {
        "description": "The prefix string to add to a generated name."
      }
    },
    "storageAccountType": {
      "type": "string",
      "defaultValue": "Standard_LRS",
      "allowedValues": [
        "Standard_LRS",
        "Standard_GRS",
        "Standard_RAGRS",
        "Standard_ZRS",
        "Premium_LRS"
      ],
      "metadata": {
        "description": "Storage Account type."
      }
    },
    "blobEncryptionEnabled": {
      "type": "bool",
      "defaultValue": true,
      "allowedValues": [
        true,
        false
      ],
      "metadata": {
        "description": "Enable or disable Blob encryption."
      }
    }
  },
  "variables": {
    "storageAccountName": "[tolower( concat( parameters('storageNamePrefix'), uniqueString(subscription().id, resourceGroup().id) ))]"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "name": "[variables('storageAccountName')]",
      "apiVersion": "2016-01-01",
      "location": "[resourceGroup().location]",
      "sku": {
        "name": "[parameters('storageAccountType')]"
      },
      "kind": "Storage",
      "properties": {
        "encryption": {
          "keySource": "Microsoft.Storage",
          "services": {
            "blob": {
              "enabled": "[parameters('blobEncryptionEnabled')]"
            }
          }
        }
      }
    }
  ],
  "outputs": {
    "storageAccountName": {
      "type": "string",
      "value": "[variables('storageAccountName')]"
    }
  }
}

I saw this on the Azure Quickstart Templates and it seems to have the heading I need, but I can't see where or how to add the key I want to use..

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountType": {
      "type": "string",
      "defaultValue": "Standard_LRS",
      "allowedValues": [
        "Standard_LRS",
        "Standard_GRS",
        "Standard_RAGRS",
        "Standard_ZRS",
        "Premium_LRS"
      ],
      "metadata": {
        "description": "Storage Account type."
      }
    },
    "blobEncryptionEnabled": {
      "type": "bool",
      "defaultValue": true,
      "metadata": {
        "description": "Enable or disable Blob encryption at Rest."
      }
    }
  },
  "variables": {
    "storageAccountName": "[tolower( concat('sawithsse', substring(parameters('storageAccountType'), 0, 2), uniqueString(subscription().id, resourceGroup().id) ))]"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "name": "[variables('storageAccountName')]",
      "apiVersion": "2016-12-01",
      "location": "[resourceGroup().location]",
      "sku": {
        "name": "[parameters('storageAccountType')]"
      },
      "kind": "Storage",
      "properties": {
        "encryption": {
          "keySource": "Microsoft.Storage",
          "services": {
            "blob": {
              "enabled": "[parameters('blobEncryptionEnabled')]"
            }
          }
        }
      }
    }
  ],
  "outputs": {
    "storageAccountName": {
      "type": "string",
      "value": "[variables('storageAccountName')]"
    }
  }
}

The following link outlines the portal way of enabling encryption with customer keys:

https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption-customer-managed-keys

This link mentions the ability to use PowerShell, but I can't find any reference.

Hope this makes sense.

Thanks in advance.. :))

1 answer:

Answer 0: (score: 1)

Something like this:

"properties": {
    "encryption": {
        "keySource": "Microsoft.Keyvault",
        "keyvaultproperties": {
            "keyname": "<your-key-name>",
            "keyvaulturi": "https://<your-vault>.vault.azure.net/",
            "keyversion": "<your-key-version>"
        }
    }
}

Source: https://docs.microsoft.com/en-us/rest/api/storagerp/storageaccounts/create#keyvaultproperties

Another way, using PowerShell: add -Debug, capture the REST calls, and port them to the template.
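As an added example (not code from the question or the answer), here is the encryption block above wired into a complete storage account resource, with the key vault URI, key name and key version taken from template parameters; the apiVersion, parameter names and placeholder values are my assumptions. The account gets a system-assigned identity, and the deployment only succeeds once that identity has get, wrapKey and unwrapKey permissions on the vault's keys, so in practice the account is first deployed with keySource Microsoft.Storage, the vault access policy is granted to the identity, and this template is then redeployed to switch to Microsoft.Keyvault.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountName": { "type": "string" },
    "keyVaultUri": {
      "type": "string",
      "metadata": { "description": "Vault DNS name, e.g. https://<your-vault>.vault.azure.net/ (placeholder)" }
    },
    "keyName": { "type": "string" },
    "keyVersion": {
      "type": "string",
      "metadata": { "description": "Key version identifier from the vault; pins the exact key used for wrapping" }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "name": "[parameters('storageAccountName')]",
      "apiVersion": "2018-02-01",
      "location": "[resourceGroup().location]",
      "sku": { "name": "Standard_LRS" },
      "kind": "StorageV2",
      "identity": { "type": "SystemAssigned" },
      "properties": {
        "supportsHttpsTrafficOnly": true,
        "encryption": {
          "keySource": "Microsoft.Keyvault",
          "keyvaultproperties": {
            "keyname": "[parameters('keyName')]",
            "keyvaulturi": "[parameters('keyVaultUri')]",
            "keyversion": "[parameters('keyVersion')]"
          },
          "services": {
            "blob": { "enabled": true },
            "file": { "enabled": true }
          }
        }
      }
    }
  ],
  "outputs": {
    "storageIdentityPrincipalId": {
      "type": "string",
      "value": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2018-02-01', 'Full').identity.principalId]"
    }
  }
}
```

The output exposes the account's identity principal ID so that the key vault access policy can be granted to it between the two deployments.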