问题
I wanted my blob storage account keys to be managed by Key Vault. I am trying to auto regeneration process between 'key1' and 'key2' with a gap of 1 day.
I have followed instructions on Microsoft website https://docs.microsoft.com/en-us/powershell/module/az.keyvault/add-azkeyvaultmanagedstorageaccount?view=azps-2.5.0
I have run the script below and there was no errors:
$servicePrincipal = Get-AzADServicePrincipal -ServicePrincipalName cfa8b339-82a2-471a-a3c9-0fc0be7a4093
New-AzRoleAssignment -ObjectId $servicePrincipal.Id -RoleDefinitionName 'Storage Account Key Operator Service Role' -Scope $storage.Id
$userPrincipalId = $(Get-AzADUser -SearchString 'Bob Johnson').Id
Set-AzKeyVaultAccessPolicy -VaultName 'AzureBlobVault' -ObjectId $userPrincipalId -PermissionsToStorage get, list, delete, set, update, regeneratekey, getsas, listsas, deletesas, setsas, recover, backup, restore, purge
$regenerationPeriod = [System.Timespan]::FromDays(1)
Add-AzKeyVaultManagedStorageAccount -VaultName 'AzureBlobVault' -StorageAccountName 'john' -AccountResourceId '/subscriptions/XXXXXXX-XXXX-XXXXXXXXXXXXXXXX/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/John' -ActiveKeyName 'key1' -RegenerationPeriod $regenerationPeriod'
The Result:
Id : https://azurekeyvaultblob.vault.azure.net:443/storage/john
Vault Name : AzureBlobVault
AccountName : john
Account Resource Id : /subscriptions/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX/resourceGroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/john
Active Key Name : key1
Auto Regenerate Key : True
Regeneration Period : 1.00:00:00
Enabled : True
I don't have any errors when I run the script. But it doesn't seem to work because the Key Vault hasn't auto regenerate any of the keys within the Key Vault. I have been testing this for the past week.
I am not sure if I set up the Key Vault with the Blob Storage keys correctly.
回答1:
I am not sure if I set up the Key Vault with the Blob Storage keys correctly.
I think you set it successfully, you can check it with the command as below.
Get-AzKeyVaultManagedStorageAccount -VaultName <keyvault name> -name <storage account name>
But it doesn't seem to work because the Key Vault hasn't auto regenerate any of the keys within the Key Vault.
The setting will not auto-regenerate the tags of key in the keyvault, it just auto-regenerates the storage access key, you need to check the result in your storage account -> Access keys.
Update:
I test it with $regenerationPeriod = [System.Timespan]::FromDays(1), it works.
Activity log of the storage account:
Also Note:
When setting the -ActiveKeyName 'key1', it does not auto-regenerate the key1.
When the active key set is 'key1'. This key will be used to generate sas tokens. Key Vault will regenerate 'key2' key after the regeneration period from the time of this command and set it as the active key. This auto regeneration process will continue between 'key1' and 'key2' with a gap of RegenerationPeriod days.
来源:https://stackoverflow.com/questions/57547394/azure-storage-account-with-key-vault-to-manage-its-keys