How to use a ForEach loop to enable encryption with customer-managed keys stored in a Managed HSM for multiple storage accounts

I am using the following PowerShell script to encrypt a storage account with a customer-managed key stored in an Azure Key Vault Managed HSM.

$resourceGroupName='XXXX'
$storageAccountName='XXXX'
$hsmName='XXXX'
$storageEncryptionKey='XXXXX'   # name of the key inside the managed HSM
#Assign an identity to the storage account
az storage account update `
    --name $storageAccountName `
    --resource-group $resourceGroupName `
    --assign-identity
#Assign a role to the storage account for access to the managed HSM
#(PowerShell variables need the leading $ when they are assigned)
$storage_account_principal = $(az storage account show `
    --name $storageAccountName `
    --resource-group $resourceGroupName `
    --query identity.principalId `
    --output tsv)
#Scope the role to the single key rather than the whole HSM
az keyvault role assignment create `
    --hsm-name $hsmName `
    --role "Managed HSM Crypto Service Encryption User" `
    --assignee $storage_account_principal `
    --scope "/keys/$storageEncryptionKey"
#Configure encryption with a key in the managed HSM
$hsmurl = $(az keyvault show `
    --hsm-name $hsmName `
    --query properties.hsmUri `
    --output tsv)
az storage account update `
    --name $storageAccountName `
    --resource-group $resourceGroupName `
    --encryption-key-name $storageEncryptionKey `
    --encryption-key-source Microsoft.Keyvault `
    --encryption-key-vault $hsmurl

The above script works for a single storage account. But I want to use the same PowerShell script to enable encryption with customer-managed keys stored in an Azure Key Vault Managed HSM for multiple storage accounts in different resource groups.

If I understand your question correctly, you only need a loop (if they are all in the same subscription).

You can type the storage accounts into a list yourself, or read them with az-cli.

# Setup
$HsmName='XXXX'
$StorageEncryptionKey='XXXXX'   # name of the key inside the managed HSM
$StorageNames = @('Storage1','Storage2','Storage3')
# -----------------------------------------------------------
# Alternative 1: List Storages by name with az command
$Storages = @()
foreach($StorageName in $StorageNames) {
    $Storages += (az storage account show -n $StorageName) | ConvertFrom-Json
}
# -----------------------------------------------------------
# Alternative 2: List Storages with az command
$Storages = (az storage account list | ConvertFrom-Json)
# Optional: You may filter the result with
$Storages = $Storages | Where-Object { $_.Name -eq "..." }
# -----------------------------------------------------------
# Act
foreach($Storage in $Storages) {
    #Assign variables (the resource group comes from each account's own JSON)
    $resourceGroupName = $Storage.ResourceGroup
    $storageAccountName = $Storage.Name
    #Assign an identity to the storage account
    az storage account update `
        --name $storageAccountName `
        --resource-group $resourceGroupName `
        --assign-identity
    #Assign a role to the storage account for access to the managed HSM
    #(PowerShell variables need the leading $ when they are assigned)
    $storage_account_principal = $(az storage account show `
        --name $storageAccountName `
        --resource-group $resourceGroupName `
        --query identity.principalId `
        --output tsv)
    az keyvault role assignment create `
        --hsm-name $HsmName `
        --role "Managed HSM Crypto Service Encryption User" `
        --assignee $storage_account_principal `
        --scope "/keys/$StorageEncryptionKey"
    #Configure encryption with a key in the managed HSM
    $hsmurl = $(az keyvault show `
        --hsm-name $HsmName `
        --query properties.hsmUri `
        --output tsv)
    az storage account update `
        --name $storageAccountName `
        --resource-group $resourceGroupName `
        --encryption-key-name $StorageEncryptionKey `
        --encryption-key-source Microsoft.Keyvault `
        --encryption-key-vault $hsmurl
}
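The following is an added example, not code from the question or the answer above. It takes the loop one step further for the case the question actually asks about (accounts spread across several resource groups): each target carries its own resource group, every az call is checked for a non-zero exit code so one failing account does not silently leave the rest half-configured, the role assignment is skipped when it already exists, and a final verification pass reads back the `encryption` block of each account and confirms that the key source, key name and HSM URI are what was requested. The `$Targets` list, `$HsmName` and `$KeyName` are placeholders you must fill in; the `Invoke-Az` and `Test-CmkEnabled` helpers are names chosen here, not az CLI commands.

```powershell
# Added example (not from the original post). Assumes az CLI is logged in
# to the subscription that holds both the Managed HSM and the accounts.
$HsmName = 'XXXX'     # placeholder: name of the Managed HSM
$KeyName = 'XXXXX'    # placeholder: name of the key inside the HSM

# Constructed input: one entry per account, each with its own resource group.
$Targets = @(
    @{ Name = 'storage1'; ResourceGroup = 'rg-a' },
    @{ Name = 'storage2'; ResourceGroup = 'rg-b' }
)

function Invoke-Az {
    # Helper (not an az command): runs az with JSON output, fails fast on a
    # non-zero exit code, and returns the parsed result (or $null if empty).
    param([string[]]$Arguments)
    $raw = (& az @Arguments --output json | Out-String)
    if ($LASTEXITCODE -ne 0) {
        throw "az $($Arguments -join ' ') exited with code $LASTEXITCODE"
    }
    if ($raw.Trim()) { return ($raw | ConvertFrom-Json) }
}

function Test-CmkEnabled {
    # Helper (not an az command): reads the account's encryption settings back
    # and checks that CMK is active and points at the expected HSM key.
    param([string]$Name, [string]$ResourceGroup,
          [string]$ExpectedKeyName, [string]$ExpectedVaultUri)
    $enc = Invoke-Az @('storage','account','show',
                       '--name',$Name,'--resource-group',$ResourceGroup,
                       '--query','encryption')
    return ($enc.keySource -eq 'Microsoft.Keyvault' -and
            $enc.keyVaultProperties.keyName -eq $ExpectedKeyName -and
            $enc.keyVaultProperties.keyVaultUri.TrimEnd('/') -eq $ExpectedVaultUri.TrimEnd('/'))
}

# The HSM URI is the same for every account, so resolve it once.
$HsmUri = Invoke-Az @('keyvault','show','--hsm-name',$HsmName,'--query','properties.hsmUri')
$KeyScope = "/keys/$KeyName"   # least privilege: this key only, not the whole HSM

foreach ($t in $Targets) {
    Write-Host "Configuring $($t.Name) in $($t.ResourceGroup)"
    $acct = @('--name',$t.Name,'--resource-group',$t.ResourceGroup)

    # 1. Give the account a system-assigned managed identity.
    $null = Invoke-Az (@('storage','account','update') + $acct + @('--assign-identity'))
    $principal = Invoke-Az (@('storage','account','show') + $acct + @('--query','identity.principalId'))

    # 2. Grant the identity the crypto role on the key, unless it already has it
    #    (re-running the create unconditionally would error on the second pass).
    $existing = Invoke-Az @('keyvault','role','assignment','list',
                            '--hsm-name',$HsmName,'--assignee',$principal,'--scope',$KeyScope)
    if (-not $existing) {
        $null = Invoke-Az @('keyvault','role','assignment','create',
                            '--hsm-name',$HsmName,
                            '--role','Managed HSM Crypto Service Encryption User',
                            '--assignee',$principal,'--scope',$KeyScope)
    }

    # 3. Switch the account's encryption to the HSM-held key.
    $null = Invoke-Az (@('storage','account','update') + $acct + @(
        '--encryption-key-name',$KeyName,
        '--encryption-key-source','Microsoft.Keyvault',
        '--encryption-key-vault',$HsmUri))
}

# Verification pass: report any account that did not end up on the HSM key.
$failed = @()
foreach ($t in $Targets) {
    if (Test-CmkEnabled -Name $t.Name -ResourceGroup $t.ResourceGroup `
                        -ExpectedKeyName $KeyName -ExpectedVaultUri $HsmUri) {
        Write-Host "OK   $($t.Name): CMK via $KeyName in $HsmUri"
    } else {
        Write-Warning "FAIL $($t.Name): encryption is not using the expected HSM key"
        $failed += $t.Name
    }
}
if ($failed.Count) { throw "CMK not verified for: $($failed -join ', ')" }
```

If you prefer to discover the accounts instead of listing them, the `$Targets` array can be built from `az storage account list` as the answer shows; each returned object already carries `name` and `resourceGroup`, which is exactly what the loop needs. Keeping the role scope at `/keys/<key name>` rather than the HSM root means a compromised storage identity can only use that one key, and the read-back at the end is the check worth keeping in any change ticket, since `az storage account update` can return success while a later policy evaluation leaves the account on the platform-managed key.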
