Reflecting an automatically regenerated key in an Azure Key Vault secret

Time: 2019-08-20 20:44:10

Tags: azure powershell azure-sql-database azure-storage-blobs azure-keyvault

I managed to set up an automatic regeneration process between 'key1' and 'key2' with an interval of 1 day.

I have stored key1 as a secret in the key vault in the form of a connection string. When the key is automatically regenerated, how do I reflect the change in the key vault secret? The key vault secret is used in a Data Factory pipeline.

# The storage account that Key Vault will manage (needed for $storage.Id below)
$storage = Get-AzStorageAccount -ResourceGroupName 'myResourceGroup' -Name 'john'
# Key Vault's first-party service principal must be allowed to list/regenerate the account keys
$servicePrincipal = Get-AzADServicePrincipal -ServicePrincipalName cfa8b339-82a2-471a-a3c9-0fc0be7a4093
New-AzRoleAssignment -ObjectId $servicePrincipal.Id -RoleDefinitionName 'Storage Account Key Operator Service Role' -Scope $storage.Id
# Grant the administering user the storage permissions on the vault
$userPrincipalId = $(Get-AzADUser -SearchString 'Bob Johnson').Id
Set-AzKeyVaultAccessPolicy -VaultName 'AzureBlobVault' -ObjectId $userPrincipalId -PermissionsToStorage get, list, delete, set, update, regeneratekey, getsas, listsas, deletesas, setsas, recover, backup, restore, purge
# Register the account as a managed storage account: key1 active, rotate every day
$regenerationPeriod = [System.Timespan]::FromDays(1)
Add-AzKeyVaultManagedStorageAccount -VaultName 'AzureBlobVault' -StorageAccountName 'john' -AccountResourceId '/subscriptions/XXXXXXX-XXXX-XXXXXXXXXXXXXXXX/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/John' -ActiveKeyName 'key1' -RegenerationPeriod $regenerationPeriod


The Result:

Id                  : https://azurekeyvaultblob.vault.azure.net:443/storage/john
Vault Name          : AzureBlobVault
AccountName         : john
Account Resource Id : /subscriptions/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/john
Active Key Name     : key1
Auto Regenerate Key : True
Regeneration Period : 1.00:00:00
Enabled             : True

1 answer:

Answer 0 (score: 0)

Based on my research, at present we can only ask Key Vault to generate shared access signature tokens. If you want to do that, you can use the following script:

# Placeholders for the account and vault being managed
$storageAccountName = 'your storage account name'
$storageAccountKey  = 'your storage account key'   # the current key1 value, not the literal text "Key1"
$keyVaultName       = 'your key vault name'
$sctx = New-AzStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $storageAccountKey
$start = [System.DateTime]::Now.AddDays(-1)
$end = [System.DateTime]::Now.AddDays(1)
$at = New-AzStorageAccountSasToken -Service Blob,File,Table,Queue -ResourceType Service,Container,Object -Permission "racwdlup" -Protocol HttpsOnly -StartTime $start -ExpiryTime $end -Context $sctx
# Store the SAS as a template; Key Vault then issues fresh 1-day tokens under the 'accountsas' definition
Set-AzKeyVaultManagedStorageSasDefinition -AccountName $storageAccountName -VaultName $keyVaultName -Name accountsas -TemplateUri $at -SasType 'account' -ValidityPeriod ([System.Timespan]::FromDays(1))

For more details, see the documentation article.

Also, if you only want to use a connection string, I think you need to write code or a script to manage it yourself. For example, I use a PowerShell script:

# Sign in with a user name and password (kept in plain text here; in an Automation
# runbook a credential asset or the Run As connection avoids embedding them in the script)
$name = "your account"
$password = "your password"
$secpasswd = ConvertTo-SecureString $password -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ($name, $secpasswd)
Connect-AzAccount -Credential $mycreds

$accountName = "your storage account name"
$keyvaultName = "your key vault name"
$secretName = "your secret name"
$accountGroupName = "your storage account group name"

# Read key1 (index 0) and build the connection string from it
$key = (Get-AzStorageAccountKey -ResourceGroupName $accountGroupName -Name $accountName)[0].Value
$string = 'DefaultEndpointsProtocol=https;AccountName=' + $accountName + ';AccountKey=' + $key + ';EndpointSuffix=core.windows.net'

# Write it as a new version of the secret
$secretValue = ConvertTo-SecureString -String $string -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $keyvaultName -Name $secretName -SecretValue $secretValue

# Read it back (SecretValueText was removed in Az.KeyVault 2.x; newer modules expose only SecretValue as a SecureString)
$value = (Get-AzKeyVaultSecret -VaultName $keyvaultName -Name $secretName).SecretValueText

Write-Output $value

Then I host the PowerShell script in an Azure Automation runbook and create a schedule to run it.
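The following runbook is an added example and is not code from the question or the answer above. It combines the two parts of the thread: it asks the Key Vault managed storage account (set up as in the question) which key is currently active instead of always taking key1, builds the connection string from that key, and only writes a new secret version when the value actually changed. Names are hypothetical placeholders: the vault 'AzureBlobVault', storage account 'john' in 'myResourceGroup', the secret 'john-connection-string', and it assumes the Automation account's system-assigned managed identity holds 'Storage Account Key Operator Service Role' on the storage account and get/set on secrets plus get on storage in the vault access policy.

```powershell
<#
  Added example runbook (not the original poster's script): keep a Key Vault
  secret in sync with the key that Key Vault's managed storage account feature
  is rotating. All names below are assumed placeholders.
#>
param(
    [string]$VaultName          = 'AzureBlobVault',
    [string]$ResourceGroupName  = 'myResourceGroup',
    [string]$StorageAccountName = 'john',
    [string]$SecretName         = 'john-connection-string'
)

$ErrorActionPreference = 'Stop'

# Authenticate as the Automation account's managed identity: no user name or
# password is stored in the runbook.
Connect-AzAccount -Identity | Out-Null

# Ask Key Vault which key it currently treats as active. Key Vault alternates
# the active key on each regeneration, so hard-coding key1 (index 0) would
# publish a key that is about to be regenerated.
$managed = Get-AzKeyVaultManagedStorageAccount -VaultName $VaultName -AccountName $StorageAccountName
$activeKeyName = $managed.ActiveKeyName   # 'key1' or 'key2'

# Read the actual key material from the storage resource provider.
$keys = Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
$activeKey = ($keys | Where-Object { $_.KeyName -eq $activeKeyName }).Value
if (-not $activeKey) {
    throw "Key '$activeKeyName' not found on storage account '$StorageAccountName'"
}

$connectionString = "DefaultEndpointsProtocol=https;AccountName=$StorageAccountName;AccountKey=$activeKey;EndpointSuffix=core.windows.net"

# Compare with the current secret version so a run that finds nothing changed
# does not create a needless new version (each version is a separate object
# consumers such as Data Factory may cache).
$current = $null
$existing = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -ErrorAction SilentlyContinue
if ($existing) {
    # SecretValueText no longer exists in Az.KeyVault 2.x; decode the SecureString instead.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($existing.SecretValue)
    try     { $current = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

if ($current -eq $connectionString) {
    Write-Output "Secret '$SecretName' already reflects $activeKeyName; nothing to do."
    return
}

# Write the new version, tagged with the key it was built from and given an
# expiry one day past the regeneration period so a stale version is visibly stale.
$secure  = ConvertTo-SecureString -String $connectionString -AsPlainText -Force
$expires = (Get-Date).ToUniversalTime().Add($managed.RegenerationPeriod).AddDays(1)
Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -SecretValue $secure `
    -ContentType 'text/plain' -Expires $expires -Tag @{ activeKey = $activeKeyName } | Out-Null

Write-Output "Secret '$SecretName' updated to use $activeKeyName (version expires $expires)."
```

Schedule the runbook more often than the regeneration period (for a 1-day period, hourly is reasonable), because there is a window between Key Vault rotating the key and the runbook publishing it during which a freshly read secret still carries the old key. If that window matters, the SAS-definition approach from the answer is the better fit: consumers fetch a short-lived token from Key Vault and never hold the account key at all, so there is nothing to keep in sync.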