Bewerken

Delen via


Add-AzKeyVaultManagedStorageAccount

Adds an existing Azure Storage Account to the specified key vault for its keys to be managed by the Key Vault service.

Syntax

Add-AzKeyVaultManagedStorageAccount
   [-VaultName] <String>
   [-AccountName] <String>
   [-AccountResourceId] <String>
   [-ActiveKeyName] <String>
   [-DisableAutoRegenerateKey]
   [-RegenerationPeriod <TimeSpan>]
   [-Disable]
   [-Tag <Hashtable>]
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

Description

Sets up an existing Azure Storage Account with Key Vault for Storage Account keys to be managed by Key Vault. The Storage Account must already exist. The Storage Keys are never exposed to caller. Key Vault auto regenerates and switches the active key based on the regeneration period. See Azure Key Vault managed storage account - PowerShell for an overview of this feature.

Examples

Example 1: Set an Azure Storage Account with Key Vault to manage its keys

$storage = Get-AzStorageAccount -ResourceGroupName "mystorageResourceGroup" -StorageAccountName "mystorage"
$servicePrincipal = Get-AzADServicePrincipal -ServicePrincipalName cfa8b339-82a2-471a-a3c9-0fc0be7a4093
New-AzRoleAssignment -ObjectId $servicePrincipal.Id -RoleDefinitionName 'Storage Account Key Operator Service Role' -Scope $storage.Id
$userPrincipalId = $(Get-AzADUser -SearchString "developer@contoso.com").Id
Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ObjectId $userPrincipalId -PermissionsToStorage get, set
$regenerationPeriod = [System.Timespan]::FromDays(90)
Add-AzKeyVaultManagedStorageAccount -VaultName 'myvault' -AccountName 'mystorageaccount' -AccountResourceId '/subscriptions/<subscription id>/resourceGroups/myresourcegroup/providers/Microsoft.Storage/storageAccounts/mystorageaccount' -ActiveKeyName 'key1' -RegenerationPeriod $regenerationPeriod

Id                  : https://myvault.vault.azure.net:443/storage/mystorageaccount
Vault Name          : myvault
AccountName         : mystorageaccount
Account Resource Id : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/myrg/providers/Microsoft.St
                      orage/storageAccounts/mystorageaccount
Active Key Name     : key1
Auto Regenerate Key : True
Regeneration Period : 90.00:00:00
Enabled             : True
Created             : 5/21/2018 11:55:58 PM
Updated             : 5/21/2018 11:55:58 PM
Tags                :

Sets a Storage Account with Key Vault for its keys to be managed by Key Vault. The active key set is 'key1'. This key will be used to generate sas tokens. Key Vault will regenerate 'key2' key after the regeneration period from the time of this command and set it as the active key. This auto regeneration process will continue between 'key1' and 'key2' with a gap of 90 days.

Example 2: Set a Classic Azure Storage Account with Key Vault to manage its keys

$regenerationPeriod = [System.Timespan]::FromDays(90)
Add-AzKeyVaultManagedStorageAccount -VaultName 'myvault' -AccountName 'mystorageaccount' -AccountResourceId '/subscriptions/<subscription id>/resourceGroups/myresourcegroup/providers/Microsoft.ClassicStorage/storageAccounts/mystorageaccount' -ActiveKeyName 'Primary' -RegenerationPeriod $regenerationPeriod

Id                  : https://myvault.vault.azure.net:443/storage/mystorageaccount
Vault Name          : myvault
AccountName         : mystorageaccount
Account Resource Id : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourceGroups/myvault/providers/Microsoft.Cl
                      assicStorage/storageAccounts/mystorageaccount
Active Key Name     : Primary
Auto Regenerate Key : True
Regeneration Period : 90.00:00:00
Enabled             : True
Created             : 5/21/2018 11:55:58 PM
Updated             : 5/21/2018 11:55:58 PM
Tags                :

Sets a Classic Storage Account with Key Vault for its keys to be managed by Key Vault. The active key set is 'Primary'. This key will be used to generate sas tokens. Key Vault will regenerate 'Secondary' key after the regeneration period from the time of this command and set it as the active key. This auto regeneration process will continue between 'Primary' and 'Secondary' with a gap of 90 days.

Parameters

-AccountName

Key Vault managed storage account name. Cmdlet constructs the FQDN of a managed storage account name from vault name, currently selected environment and manged storage account name.

Type:String
Aliases:StorageAccountName, Name
Position:1
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-AccountResourceId

Azure resource id of the storage account.

Type:String
Aliases:StorageAccountResourceId
Position:2
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-ActiveKeyName

Name of the storage account key that must be used for generating sas tokens.

Type:String
Position:3
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with azure

Type:IAzureContextContainer
Aliases:AzContext, AzureRmContext, AzureCredential
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Disable

Disables the use of managed storage account's key for generation of sas tokens.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DisableAutoRegenerateKey

Auto regenerate key. If true, then the managed storage account's inactive key gets auto regenerated and becomes the new active key after the regeneration period. If false, then the keys of managed storage account are not auto regenerated.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-RegenerationPeriod

Regeneration period. If auto regenerate key is enabled, this value specifies the timespan after which managed storage account's inactive keygets auto regenerated and becomes the new active key.

Type:Nullable<T>[TimeSpan]
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-Tag

Key-value pairs in the form of a hash table. For example: @{key0="value0";key1=$null;key2="value2"}

Type:Hashtable
Aliases:Tags
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-VaultName

Vault name. Cmdlet constructs the FQDN of a vault based on the name and currently selected environment.

Type:String
Position:0
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Inputs

String

Nullable<T>[[System.TimeSpan, System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]]

Hashtable

Outputs

PSKeyVaultManagedStorageAccount