如何将一个订阅下的一个 azure 租户(帐户)keyvault 中的密钥共享到另一个订阅中的另一个 azure 租户(帐户)keyvault
[英]How to share a key from one azure tenant(account) keyvault under one subscription to another azure tenant(account) keyvault in another subscription
问题描述
2 different tenants (Subscription A in tenant A and Subscription B in tenant B) 
2 个不同的租户(租户 A 中的订阅 A 和租户 B 中的订阅 B)
We have one subscription in Azure cloud and we have setup Azure Keyvault.我们在 Azure 云中有一个订阅,我们已经设置了 Azure Keyvault。 We can create keys there and use one of the key to encrypt disks of a virtual machine running in our subscription.我们可以在那里创建密钥并使用其中一个密钥来加密在我们的订阅中运行的虚拟机的磁盘。
Our customer has their own Azure cloud subscription and for security and compliance purposes their requirement is that they must hold control of the key being used to encrypt disks of virtual machine in our subscription.我们的客户有自己的 Azure 云订阅,出于安全性和合规性目的,他们的要求是他们必须控制用于加密我们订阅中虚拟机磁盘的密钥。 For this we both have Azure keyvault with Premium tier and I was wondering if there is any guide which points out how to use Azure KeyVault HSM from Customer's subscription to create keys in to our subscription.为此,我们都有带高级层的 Azure keyvault,我想知道是否有任何指南指出如何使用客户订阅中的 Azure KeyVault HSM 来创建我们订阅的密钥。
https://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/hsm-protected-keys-byok https://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/hsm-protected-keys-byok
The above guide points out some of the vendors and how to use BYOK tool to transfer keys from HSM into Azure Keyvault.上面的指南指出了一些供应商以及如何使用 BYOK 工具将密钥从 HSM 传输到 Azure Keyvault。
We are looking for a way to use Azure KeyVault HSM from Customer's subscription to create keys in to our Azure Keyvault and which we can use to encrypt disks in our subscription.我们正在寻找一种方法来使用客户订阅中的 Azure KeyVault HSM 为我们的 Azure Keyvault 创建密钥,我们可以使用它来加密订阅中的磁盘。
Many thanks,非常感谢,
2 个解决方案
解决方案1
0 2022-02-21 10:55:58
If you have the permissions to access the two subscriptions, you can create an Azure Management Group to manager the access of the subscriptions into this Management Group.如果你有访问这两个订阅的权限,你可以创建一个Azure管理组来管理订阅对这个管理组的访问。
For more details, you can see the document about " Management Groups ".更多详细信息,请参阅“ 管理组”文档。
解决方案2
0 已采纳 2022-03-16 00:02:44
Answering for my own question as I have received an official response from Microsoft.回答我自己的问题,因为我收到了微软的官方回复。
It looks like this is currently not supported.看起来目前不支持此功能。 Please find below the link for more details on this.请在下面的链接中找到有关此的更多详细信息。
https://learn.microsoft.com/en-us/answers/questions/743730/how-to-share-a-key-from-one-azure-keyvault-under-a.html?childToView=751516#answer-751516 https://learn.microsoft.com/en-us/answers/questions/743730/how-to-share-a-key-from-one-azure-keyvault-under-a.html?childToView=751516#answer- 751516
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.