Securing managed identities

Developers are often challenged by the management of secrets and credentials used to secure communication between different services. Managed identities are secure Azure Active Directory (Azure AD) identities created to provide identities for Azure resources.

Benefits of using managed identities for Azure resources

The following are benefits of using managed identities:

  • You don't need to manage credentials. With managed identities, credentials are fully managed, rotated, and protected by Azure. Identities are automatically provided and deleted with Azure resources. Managed identities enable Azure resources to communicate with all services that support Azure AD authentication.

  • No one (including any Global admin) has access to the credentials, so they cannot be accidentally leaked by, for example, being included in code.

When to use managed identities?

Managed identities are best used for communications among services that support Azure AD authentication.

A source system requests access to a target service. Any Azure resource can be a source system. For example, an Azure VM, an Azure Function instance, and an Azure App Service instance all support managed identities.

How authentication and authorization work

With managed identities, the source system can obtain a token from Azure AD without the source owner having to manage credentials. Azure manages the credentials. The token obtained by the source system is presented to the target system for authentication.

The target system needs to authenticate (identify) and authorize the source system before allowing access. When the target service supports Azure AD-based authentication, it accepts an access token issued by Azure AD.
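The exchange described above, as an added example that is not part of the original page: a source system (here an Azure VM) obtains a token for its managed identity from the Azure Instance Metadata Service and presents it to a target service (here Key Vault). The token endpoint and its `Metadata` header are the documented IMDS interface; the Key Vault resource URI, vault name and secret name are placeholders you replace.

```powershell
# Added example, not from the original page. Assumes it runs on an Azure VM that has a
# managed identity and that the target Key Vault already grants that identity read access.
$Resource  = 'https://vault.azure.cn'    # token audience; assumed Azure China Key Vault resource URI
$SecretUrl = 'https://<vault-name>.vault.azure.cn/secrets/<secret-name>?api-version=7.4'  # placeholder
$ClientId  = $null   # client ID of a user-assigned identity; leave $null for the system-assigned one

# 1. Ask IMDS for a token. No credential is sent by the caller: the endpoint is reachable only
#    from inside the VM, and the mandatory Metadata header guards against requests relayed
#    through a generic proxy.
$tokenUri = 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01' +
            '&resource=' + [uri]::EscapeDataString($Resource)
if ($ClientId) { $tokenUri += "&client_id=$ClientId" }
$tokenResponse = Invoke-RestMethod -Method Get -Uri $tokenUri -Headers @{ Metadata = 'true' }

# 2. Inspect the token before using it: the audience (aud) and object ID (oid) claims show
#    which identity Azure AD authenticated and which target the token is valid for.
$payload = $tokenResponse.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
$payload = $payload.PadRight($payload.Length + (4 - $payload.Length % 4) % 4, '=')
$claims  = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
'aud={0} oid={1} expires={2}' -f $claims.aud, $claims.oid,
    [DateTimeOffset]::FromUnixTimeSeconds([int64]$tokenResponse.expires_on)

# 3. Present the token to the target. Azure AD has authenticated the identity; Key Vault now
#    authorizes it on the data plane (access policy or Azure RBAC) before returning the secret.
$secret = Invoke-RestMethod -Method Get -Uri $SecretUrl `
    -Headers @{ Authorization = "Bearer $($tokenResponse.access_token)" }
$secret.value
```

On App Service and Azure Functions the token is requested from the endpoint in the `IDENTITY_ENDPOINT` environment variable instead of IMDS; the token presented to the target is the same kind of Azure AD access token.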

Azure has a control plane and a data plane. In the control plane, you create resources, and in the data plane you access them. For example, you create a Cosmos database in the control plane, but query it in the data plane.

Once the target system accepts the token for authentication, it can support different mechanisms for authorization for its control plane and data plane.

All of Azure's control plane operations are managed by Azure Resource Manager and use Azure Role Based Access Control. In the data plane, each target system has its own authorization mechanism. Azure Storage supports Azure RBAC on the data plane. For example, applications using Azure App Services can read data from Azure Storage, and applications using Azure Kubernetes Service can read secrets stored in Azure Key Vault.

For more information about control and data planes, see Control plane and data plane operations - Azure Resource Manager.

All Azure services will eventually support managed identities. For more information, see Services that support managed identities for Azure resources.

Types of managed identities

There are two types of managed identities: system-assigned and user-assigned.

System-assigned managed identities have the following properties:

  • They have a 1:1 relationship with the Azure resource. For example, there's a unique managed identity associated with each VM.

  • They are tied to the lifecycle of Azure resources. When the resource is deleted, the managed identity associated with it is automatically deleted, eliminating the risk associated with orphaned accounts.

User-assigned managed identities have the following properties:

  • The lifecycle of these identities is independent of an Azure resource, and you must manage the lifecycle. When the Azure resource is deleted, the user-assigned managed identity assigned to it is not automatically deleted for you.

  • A single user-assigned managed identity can be assigned to zero or more Azure resources.

  • They can be created ahead of time and then assigned to a resource.

Find managed identity service principals in Azure AD

There are several ways in which you can find managed identities:

  • Using the Enterprise Applications page in the Azure portal

  • Using Microsoft Graph

Using the Azure portal

  1. In Azure AD, select Enterprise applications.

  2. Select the filter for "Managed Identities".

    [Screenshot: the All applications page, with Managed Identities highlighted in the Application type drop-down.]

Using Microsoft Graph

You can get a list of all managed identities in your tenant with the following GET request to Microsoft Graph:

https://microsoftgraph.chinacloudapi.cn/v1.0/servicePrincipals?$filter=(servicePrincipalType eq 'ManagedIdentity')

You can filter these requests. For more information, see the Graph documentation for GET servicePrincipal.

Assess the security of managed identities

You can assess the security of managed identities in the following ways:

  • Examine privileges and ensure that the least-privilege model is selected. Use the following PowerShell cmdlets to get the app role permissions assigned to your managed identities.

    # Select only managed-identity service principals, then pass each one's object ID (not the whole object) to the assignment cmdlet
    Get-AzureADServicePrincipal -All $true | Where-Object { $_.ServicePrincipalType -eq 'ManagedIdentity' } |
        ForEach-Object { Get-AzureADServiceAppRoleAssignment -ObjectId $_.ObjectId -All $true }

  • Ensure the managed identity is not part of any privileged groups, such as an administrators group. You can do this by enumerating the members of your highly privileged groups with PowerShell.

    Get-AzureADGroupMember -ObjectId <String> [-All <Boolean>] [-Top <Int32>] [<CommonParameters>]

  • Ensure you know what resources the managed identity is accessing.
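The three checks above, combined into one report (an added example, not the page's own script): it enumerates the managed identities the way the Graph filter on this page does, lists each one's app role assignments and Azure RBAC role assignments, and flags membership in privileged groups. It assumes the AzureAD and Az.Resources modules are installed, that you have already run `Connect-AzureAD` and `Connect-AzAccount` (for Azure China, with `-AzureEnvironmentName AzureChinaCloud` and `-Environment AzureChinaCloud`), and that `$PrivilegedGroupIds` is filled in with your own group object IDs.

```powershell
# Added example, not from the original page. Requires the AzureAD and Az.Resources modules
# and existing Connect-AzureAD / Connect-AzAccount sessions in the same tenant.
$PrivilegedGroupIds = @(
    '00000000-0000-0000-0000-000000000000'   # placeholder: object ID of an admin group you own
)

# 1. Enumerate every managed-identity service principal (same filter as the Graph query above).
$managedIdentities = Get-AzureADServicePrincipal -All $true |
    Where-Object { $_.ServicePrincipalType -eq 'ManagedIdentity' }

# 2. Index the direct members of the privileged groups. Get-AzureADGroupMember returns direct
#    members only; nested groups would need a recursive walk.
$privilegedMembers = @{}
foreach ($groupId in $PrivilegedGroupIds) {
    Get-AzureADGroupMember -ObjectId $groupId -All $true |
        ForEach-Object { $privilegedMembers[$_.ObjectId] = $groupId }
}

# 3. For each identity, gather the evidence needed to judge least privilege:
#    app roles (API permissions) plus Azure RBAC assignments, which cover the control plane
#    and, for services such as Storage and Key Vault, the data plane as well.
$report = foreach ($mi in $managedIdentities) {
    $appRoles = Get-AzureADServiceAppRoleAssignment -ObjectId $mi.ObjectId -All $true
    $rbac     = Get-AzRoleAssignment -ObjectId $mi.ObjectId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DisplayName       = $mi.DisplayName
        ObjectId          = $mi.ObjectId
        AppRoleCount      = @($appRoles).Count
        RbacRoles         = (@($rbac) | ForEach-Object { "$($_.RoleDefinitionName)@$($_.Scope)" }) -join '; '
        InPrivilegedGroup = $privilegedMembers.ContainsKey($mi.ObjectId)
        HasBroadRbacRole  = [bool](@($rbac) | Where-Object { $_.RoleDefinitionName -in 'Owner', 'Contributor' })
    }
}

# 4. Show the identities that most need attention first: privileged-group members and
#    identities holding Owner/Contributor, then everything else.
$report | Sort-Object InPrivilegedGroup, HasBroadRbacRole -Descending |
    Format-Table DisplayName, AppRoleCount, InPrivilegedGroup, HasBroadRbacRole, RbacRoles -AutoSize
```

The `RbacRoles` column is the starting point for the third check: the scope of each assignment tells you which subscriptions, resource groups or resources the identity can reach.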

Move to managed identities

If you are using a service principal or an Azure AD user account, evaluate whether you can instead use a managed identity to eliminate the need to protect, rotate, and manage credentials.

Next steps

For information on creating managed identities, see:

Create a user-assigned managed identity

Enable a system-assigned managed identity during resource creation

Enable a system-assigned managed identity on an existing resource

For more information on service accounts, see:

Introduction to Azure Active Directory service accounts

Securing service principals

Governing Azure service accounts

Introduction to on-premises service accounts