Adding certificate to Azure APIM from keyvault
In Azure API Management there is an option to add a certificate from the portal by referencing a certificate in a key vault:
Is it possible to do this using az cli, powershell or terraform?
I looked at the documentation and the only examples I found (including Terraform) seem to involve uploading a copy of the certificate bytes rather than referencing it. I would like to be able to reference it so that APIM will automatically reload when the certificate changes.
I have read the official Azure CLI and Azure PowerShell APIM references, and as you said, they do not provide a way to set a certificate reference from Key Vault. But I think we could export the .pfx from Key Vault and import it into APIM as a workaround. Just try the PS commands:
$apimName = ""
$apimResourceGroup = ""
$keyVaultName = ""
$certName = ""
$password = ""
# export pfx
$cert = Get-AzKeyVaultCertificate -VaultName $keyVaultName -Name $certName
# the certificate's private key lives in the backing secret of the same name, as base64-encoded PKCS#12
$secret = Get-AzKeyVaultSecret -VaultName $keyVaultName -Name $cert.Name
# note: SecretValueText was removed in Az.KeyVault 2.x; there use
#   [System.Net.NetworkCredential]::new('', $secret.SecretValue).Password
$secretByte = [Convert]::FromBase64String($secret.SecretValueText)
# load without a password, marking the key exportable so it can be re-exported with one
$x509Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($secretByte, "", "Exportable,PersistKeySet")
$type = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
$pfxFileByte = $x509Cert.Export($type, $password)
# import to APIM (this uploads a copy; it will not follow later rotations in Key Vault)
$apim_context = New-AzApiManagementContext -ResourceGroupName $apimResourceGroup -ServiceName $apimName
New-AzApiManagementCertificate -Context $apim_context -CertificateId 'testcert' -PfxBytes $pfxFileByte -PfxPassword $password
Result:
You can call the API Management REST API directly from the Azure CLI:
az rest --method put --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ApiManagement/service/{serviceName}/certificates/{certificateId}?api-version=2020-06-01-preview" --body @body.json
where this describes the URI parameters, and the file body.json would reflect the request body defined here:
{
"properties": {
"keyVault": {
"identityClientId": "{SystemAssignedIdentity or UserAssignedIdentity Client Id which will be used to access key vault secret.}",
"secretIdentifier" : "{Key vault secret identifier for fetching secret. Providing a versioned secret will prevent auto-refresh. This requires Api Management service to be configured with aka.ms/apimmsi}"
}
}
}
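An added wrapper around the az rest call above (example code, not from the original answer): it validates the Key Vault secret identifier before building body.json, since a versioned identifier silently disables auto-refresh. Subscription, resource group, service, certificate id, identity client id and vault names are placeholders supplied by the caller.

```bash
#!/usr/bin/env bash
# Added example, not from the original answer: wrap the "az rest" PUT so that
# the Key Vault reference is checked before it is sent.
set -euo pipefail

API_VERSION="2020-06-01-preview"   # api-version used in the answer above

# Classify a Key Vault secret identifier. APIM only auto-refreshes the
# certificate when the identifier is unversioned, so "versioned" is a
# warning sign and anything else is rejected outright.
secret_id_kind() {
  local vault='https://[A-Za-z0-9-]+\.vault\.azure\.net/secrets/[A-Za-z0-9-]+'
  if printf '%s\n' "$1" | grep -Eq "^${vault}\$"; then
    echo unversioned
  elif printf '%s\n' "$1" | grep -Eq "^${vault}/[0-9a-f]{32}\$"; then
    echo versioned
  else
    echo invalid
  fi
}

# Management URL for the certificate resource:
# args = subscription id, resource group, service name, certificate id.
cert_url() {
  printf 'https://management.azure.com/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ApiManagement/service/%s/certificates/%s?api-version=%s' \
    "$1" "$2" "$3" "$4" "$API_VERSION"
}

# Request body: args = identity client id, secret identifier. Fails unless
# the identifier is unversioned, so a pasted versioned id cannot quietly
# turn certificate rotation off.
cert_body() {
  [ "$(secret_id_kind "$2")" = unversioned ] || return 1
  printf '{"properties":{"keyVault":{"identityClientId":"%s","secretIdentifier":"%s"}}}' "$1" "$2"
}

# Usage: script.sh --apply SUB RG SERVICE CERT_ID CLIENT_ID SECRET_ID
if [ "${1:-}" = "--apply" ]; then
  cert_body "$6" "$7" > body.json
  az rest --method put --url "$(cert_url "$2" "$3" "$4" "$5")" --body @body.json
fi
```

The identity named by identityClientId still needs get permission on the secret (or the equivalent RBAC role) in the vault, otherwise the PUT is accepted but the certificate never loads.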