How to rotate keys for Azure Log Analytics workspace
What is the recommended way of programmatically rotating keys for an Azure Log Analytics Workspace?
The only described way I found was through the REST API. However, it does not seem to be working:
curl -X POST -H "Authorization: Bearer ${TOKEN}" -H "Content-Type: application/json" -d "" https://management.azure.com/subscriptions/${SUBSCRIPTION_ID}/resourcegroups/${RESOURCE_GROUP_NAME}/providers/Microsoft.OperationalInsights/workspaces/${LAW_NAME}/listKeys?api-version=2015-03-20
curl -X POST -H "Authorization: Bearer ${TOKEN}" -H "Content-Type: application/json" -d "" https://management.azure.com/subscriptions/${SUBSCRIPTION_ID}/resourcegroups/${RESOURCE_GROUP_NAME}/providers/Microsoft.OperationalInsights/workspaces/${LAW_NAME}/regenerateSharedKey?api-version=2015-03-20
The first call, listing keys, works without problems. The second, trying to rotate keys, fails with this error message:
{
"message": "No HTTP resource was found that matches the request URI 'https://opinsightsweuams.trafficmanager.net/api/subscriptions/XXXXX/resourcegroups/XXXXX/providers/Microsoft.OperationalInsights/workspaces/XXXXX/regenerateSharedKey?api-version=2015-03-20&contextId=XXXXX'."
}
Does this API still work? Are there any other ways to rotate the keys?
Update 01/23:
I got feedback from the support team.
The Regenerate Shared Keys API was changed slightly a while ago, but the doc is not updated :(.
You need to add the parameter keyType with value primarySharedKey or secondarySharedKey.
The reason for the change: previously, when using the API to regenerate a key, both the primary and secondary keys were regenerated together. So there was user feedback that we should update the API so that each call only regenerates one key.
I tested it, and it works fine. The test screenshot is below:
Original:
The Regenerate Shared Keys API does not work now.
The actual API used is as below:
For regenerating the primary key:
https://www.mms.microsoft.com/Embedded/Api/arm/management/CustomerManagement/AgentRegenerateSharedKey?keyType=primarySharedKey
For regenerating the secondary key:
https://www.mms.microsoft.com/Embedded/Api/arm/management/CustomerManagement/AgentRegenerateSharedKey?keyType=secondarySharedKey
Here are the steps to check the API, and how to regenerate a new shared key.
Step 1. Navigate to the Azure portal -> your Log Analytics Workspace -> Advanced Settings -> Connected Sources -> Windows Servers, and press F12 to inspect the actual request (I'm using the Edge browser) -> then click the Regenerate button for Primary Key. Screenshot as below (and as you can see from the screenshot, the actual request URL is https://www.mms.microsoft.com/Embedded/Api/xxx):
Step 2. Since we know the actual URL, how can we get the token?
The simple way is to get the token from step 1: when viewing the request details via F12, you can also find the token (it's temporary).
Another way is to open Visual Studio -> log in with your Azure account -> create a console project -> then install the package Microsoft.Azure.Services.AppAuthentication. Then write the following code in the console project:
using Microsoft.Azure.Services.AppAuthentication;
using System;

namespace ConsoleApp17
{
    class Program
    {
        static void Main(string[] args)
        {
            // Acquires an ARM token for the signed-in Visual Studio / Azure CLI identity
            AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
            string accessToken = azureServiceTokenProvider.GetAccessTokenAsync("https://management.core.windows.net/").Result;
            Console.WriteLine(accessToken);
            Console.WriteLine("**completed**");
            Console.ReadLine();
        }
    }
}
Step 3: After getting the token, you can use it to regenerate the shared key.
I did the test to regenerate the primary key, using the tool Postman.
Open Postman; for headers and URL, follow the screenshot below:
For Body, follow the screenshot below:
At last, click the Send button; you can see the response is 200 OK. Refresh the portal, and you can see the new primary key is generated.
If you prefer to use curl or another programming language to do this, just follow the steps above and provide the proper request headers / token / request body.
Just to add to @ivan-yang's solution, the way to achieve it with curl is:
RESP=`curl -X POST -d "grant_type=client_credentials&client_id=${servicePrincipalId}&client_secret=${servicePrincipalKey}&resource=https%3A%2F%2Fmanagement.azure.com%2F" https://login.microsoftonline.com/${TENANT_ID}/oauth2/token`
TOKEN=`echo ${RESP} | jq -r '.access_token'`
curl -X POST -H "x-ms-client-auth-token: Bearer ${TOKEN}" -H "Content-Type: application/json" \
-H "x-ms-client-workspace-name: ${LAW_NAME}" \
-H "x-ms-client-workspace-path: /subscriptions/${SUBSCRIPTION_ID}/resourcegroups/${RESOURCE_GROUP_NAME}/providers/Microsoft.OperationalInsights/workspaces/${LAW_NAME}" \
-d "{\"workspacePath\":\"/subscriptions/${SUBSCRIPTION_ID}/resourcegroups/${RESOURCE_GROUP_NAME}/providers/Microsoft.OperationalInsights/workspaces/${LAW_NAME}\",\"data\":{}}" \
https://www.mms.microsoft.com/Embedded/Api/arm/management/CustomerManagement/AgentRegenerateSharedKey?keyType=secondarySharedKey
-- EDIT
It is even easier with the az rest command:
az rest -m POST -u https://management.azure.com/subscriptions/${SUBSCRIPTION_ID}/resourcegroups/${RESOURCE_GROUP_NAME}/providers/Microsoft.OperationalInsights/workspaces/${LAW_NAME}/regenerateSharedKey?api-version=2015-03-20\&keyType=secondarySharedKey
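A scripted version of the corrected call, added here as an example (it is not code from either answer): it builds the 2015-03-20 regenerateSharedKey URL with keyType as a query parameter, as the az rest command above does, regenerates one key, and confirms via listKeys that only that key changed (the old behaviour rotated both). It assumes a bearer token for https://management.azure.com/ has already been obtained (for example as in the curl answer) and that listKeys returns primarySharedKey and secondarySharedKey fields.

```python
import json
import urllib.request

ARM = "https://management.azure.com"
API_VERSION = "2015-03-20"          # api-version used throughout the thread
KEY_TYPES = ("primarySharedKey", "secondarySharedKey")


def workspace_path(subscription_id, resource_group, workspace):
    # ARM resource path of the workspace, as used in the curl commands above
    return (f"/subscriptions/{subscription_id}/resourcegroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}")


def regenerate_url(path, key_type):
    # Post-change API regenerates one key per call; reject anything else early
    if key_type not in KEY_TYPES:
        raise ValueError(f"keyType must be one of {KEY_TYPES}, got {key_type!r}")
    return f"{ARM}{path}/regenerateSharedKey?api-version={API_VERSION}&keyType={key_type}"


def list_keys_url(path):
    return f"{ARM}{path}/listKeys?api-version={API_VERSION}"


def arm_post(url, token):
    # Default transport: POST with an empty body, return parsed JSON (or {})
    req = urllib.request.Request(
        url, data=b"", method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def rotate_one_key(path, key_type, token, post=arm_post):
    # Regenerate key_type, then prove via listKeys that it changed and that the
    # other key did not (the old API behaviour rotated both at once).
    # Returns (rotated_key_name, other_key_unchanged); `post` is injectable so
    # the logic can be exercised against a fake transport without network access.
    before = post(list_keys_url(path), token)
    post(regenerate_url(path, key_type), token)
    after = post(list_keys_url(path), token)
    other = KEY_TYPES[1 - KEY_TYPES.index(key_type)]
    if after[key_type] == before[key_type]:
        raise RuntimeError(f"{key_type} did not change; rotation not confirmed")
    return key_type, after[other] == before[other]
```

Rotate the secondary key first, move agents over to it, and only then rotate the primary, so no agent is ever left holding a key that no longer exists.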