具有密钥保管库的Azure存储帐户以管理其密钥 [英] Azure Storage Account with Key Vault to manage its keys

问题描述

我希望我的Blob存储帐户密钥由Key Vault管理.我正在尝试在"key1"和"key2"之间进行自动再生，间隔为1天.

我已按照Microsoft网站

解决方案

我不确定是否使用Blob存储密钥正确设置了密钥库.

我认为您已成功设置它，可以使用以下命令对其进行检查.

  Get-AzKeyVaultManagedStorageAccount -VaultName<密钥库名称>-name<存储帐户名称> 

但是它似乎不起作用，因为Key Vault尚未自动重新生成Key Vault中的任何密钥.

该设置不会自动重新生成密钥库中的密钥标签，它只会自动重新生成存储访问密钥，您需要在存储帐户中检查结果-> 访问密钥.

更新:

我用 $ regenerationPeriod = [System.Timespan] :: FromDays(1)对其进行测试.

存储帐户的活动日志:

也注意:

设置 -ActiveKeyName'key1'时，它不会自动重新生成 key1 .

当活动键集为"key1"时.该密钥将用于生成sas令牌.从此命令开始，Key Vault将在重新生成周期后重新生成'key2'密钥，并将其设置为活动密钥.此自动再生过程将在"key1"和"key2"之间继续，间隔为RegenerationPeriod天.

I wanted my blob storage account keys to be managed by Key Vault. I am trying to auto regeneration process between 'key1' and 'key2' with a gap of 1 day.

I have followed instructions on Microsoft website https://docs.microsoft.com/en-us/powershell/module/az.keyvault/add-azkeyvaultmanagedstorageaccount?view=azps-2.5.0

I have run the script below and there was no errors:

$servicePrincipal = Get-AzADServicePrincipal -ServicePrincipalName cfa8b339-82a2-471a-a3c9-0fc0be7a4093
New-AzRoleAssignment -ObjectId $servicePrincipal.Id -RoleDefinitionName 'Storage Account Key Operator Service Role' -Scope $storage.Id
$userPrincipalId = $(Get-AzADUser -SearchString 'Bob Johnson').Id
Set-AzKeyVaultAccessPolicy -VaultName 'AzureBlobVault' -ObjectId $userPrincipalId -PermissionsToStorage get, list, delete, set, update, regeneratekey, getsas, listsas, deletesas, setsas, recover, backup, restore, purge
$regenerationPeriod = [System.Timespan]::FromDays(1)
Add-AzKeyVaultManagedStorageAccount -VaultName 'AzureBlobVault' -StorageAccountName 'john' -AccountResourceId '/subscriptions/XXXXXXX-XXXX-XXXXXXXXXXXXXXXX/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/John' -ActiveKeyName 'key1' -RegenerationPeriod $regenerationPeriod'


The Result:

Id                  : https://azurekeyvaultblob.vault.azure.net:443/storage/john
Vault Name          : AzureBlobVault
AccountName         : john
Account Resource Id : /subscriptions/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/john
Active Key Name     : key1
Auto Regenerate Key : True
Regeneration Period : 1.00:00:00
Enabled             : True

I don't have any errors when I run the script. But it doesn't seem to work because the Key Vault hasn't auto regenerate any of the keys within the Key Vault. I have been testing this for the past week.

I am not sure if I set up the Key Vault with the Blob Storage keys correctly.

解决方案

I am not sure if I set up the Key Vault with the Blob Storage keys correctly.

I think you set it successfully, you can check it with the command as below.

Get-AzKeyVaultManagedStorageAccount -VaultName <keyvault name> -name <storage account name>

But it doesn't seem to work because the Key Vault hasn't auto regenerate any of the keys within the Key Vault.

The setting will not auto-regenerate the tags of key in the keyvault, it just auto-regenerates the storage access key, you need to check the result in your storage account -> Access keys.

Update:

I test it with $regenerationPeriod = [System.Timespan]::FromDays(1), it works.

Activity log of the storage account:

Also Note:

When setting the -ActiveKeyName 'key1', it does not auto-regenerate the key1.

When the active key set is 'key1'. This key will be used to generate sas tokens. Key Vault will regenerate 'key2' key after the regeneration period from the time of this command and set it as the active key. This auto regeneration process will continue between 'key1' and 'key2' with a gap of RegenerationPeriod days.

这篇关于具有密钥保管库的Azure存储帐户以管理其密钥的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！