Managing the rotation of Azure storage account keys with Azure Function and Key Vault


Question

Having asked a question about Removing Secrets from Azure Function Config, this Microsoft approach was recommended for managing the rotation of keys for Azure Storage Accounts and the keeping of those keys secret in Azure KeyVault.

Note we are accessing Tables in an Azure Storage Account, and Tables, unlike Blobs and Queues, do not support Managed Identity access controls.

The recommendation comes with some Azure Deployment templates that would not run for me, so I decided to create the resources myself to check my understanding of the approach. After trying to follow the recommendation I have some questions.

Existing situation:

  1. An existing function called "OurAzureFunction" that currently has the storage account connection string, including the key, configured directly in the function's Configuration.
  2. An existing storage account called "ourstorageaccount" that contains the application data that "OurAzureFunction" operates on.

My understanding of the recommendation is that it introduces:

  1. "keyRotationAzureFunction", an Azure Function with two HTTP triggers: one that responds to an Event Grid event raised for a secret that is about to expire, and one that can regenerate the keys on demand.
  2. "keyRotationKeyVault", the Key Vault that keyRotationAzureFunction operates on.
  3. An Event Grid subscription that listens for SecretNearExpiry events from "keyRotationKeyVault".

I have issues with understanding this approach. I can't see a better way but to collate the issues in this Stack Overflow question rather than with three individual questions.

  1. Does keyRotationAzureFunction have the "Storage Account Key Operator Service Role" on "ourstorageaccount" so that it can regenerate its keys?
  2. What configuration does "OurAzureFunction" need so that it can make a connection to our storage account? Is it the tagged secret in "keyRotationKeyVault"?
  3. Is it the value of the secret in "keyRotationKeyVault"? Not just the tags related to the secret?

Answer

  1. Yes, the function has to run as a principal that can rotate the keys, which that role provides. Key rotation can be kept as a separate role so that you can provide granular access to secrets to avoid leaks.

The function (rather, the principal) just needs "get" access to a secret used for generating SAS tokens (it's a special kind of secret where the value returned will change to generate new SAS tokens) that grants access to storage. The Key Vault must be configured to manage tokens for the Storage account. See a sample I just published recently at https://docs.microsoft.com/samples/azure/azure-sdk-for-net/share-link/ which I hope simplifies the problem.

The value of the secret is actually the generated SAS token for the storage account. The tags are used to figure out which secret to use for the storage account in case you have other secrets in your Key Vault, or even manage multiple function apps this way (you can identify the correct secret for the storage account key near expiry).
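The following is an added illustration of the rotation flow discussed above (the SecretNearExpiry event, the tags that identify which secret belongs to which storage account, and the role-holding principal that regenerates a key); it is not code from the question, the answer or the Microsoft sample. The tag names `CredentialId`, `ProviderAddress` and `ValidityPeriodDays`, the event payload and the secret store are all constructed assumptions; the key-regeneration call is injected so the logic can run offline.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed SecretNearExpiry event (shape modelled on Event Grid's Key Vault schema; values made up).
SAMPLE_EVENT = json.dumps({
    "eventType": "Microsoft.KeyVault.SecretNearExpiry",
    "data": {"VaultName": "keyRotationKeyVault", "ObjectType": "Secret",
             "ObjectName": "ourstorageaccount-key", "Version": "0000example", "EXP": 1700000000},
})

# Constructed view of the vault's secrets. The tag names are an assumption: the tags tell the
# rotation function which secret maps to which storage account and which key is currently in use.
STORAGE_RESOURCE_ID = ("/subscriptions/<sub-id>/resourceGroups/<rg>/providers/"
                       "Microsoft.Storage/storageAccounts/ourstorageaccount")
SAMPLE_SECRETS = {
    "ourstorageaccount-key": {"tags": {"CredentialId": "key1",
                                       "ProviderAddress": STORAGE_RESOURCE_ID,
                                       "ValidityPeriodDays": "60"}},
    "unrelated-secret": {"tags": {}},  # no storage tags: the rotation function must ignore it
}


def plan_rotation(event_json, secrets, regenerate_key, now=None):
    """Handle one SecretNearExpiry event and return the new secret to write back to Key Vault.

    The *other* storage key is regenerated so that the key currently held in the secret keeps
    working until the secret has been updated. `regenerate_key(resource_id, key_name)` is
    injected; in a deployed function it would call the Storage management API as a principal
    holding the "Storage Account Key Operator Service Role" on that account.
    Returns None for events that are not about a tagged storage-account secret."""
    event = json.loads(event_json)
    if event.get("eventType") != "Microsoft.KeyVault.SecretNearExpiry":
        return None
    name = event["data"]["ObjectName"]
    tags = secrets.get(name, {}).get("tags", {})
    if "ProviderAddress" not in tags:
        return None  # tags decide which secrets this function owns
    current = tags.get("CredentialId", "key2")
    new_key_name = "key2" if current == "key1" else "key1"  # alternate between the two keys
    new_value = regenerate_key(tags["ProviderAddress"], new_key_name)
    issued = now or datetime.now(timezone.utc)
    expires = issued + timedelta(days=int(tags.get("ValidityPeriodDays", "60")))
    return {"secret_name": name, "value": new_value, "issued_on": issued, "expires_on": expires,
            "tags": {**tags, "CredentialId": new_key_name}}
```

The returned dictionary is what the function would write back with a set-secret call; the updated `CredentialId` tag is what makes the next SecretNearExpiry event regenerate the opposite key.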
