Assign a Key Vault access policy

A Key Vault access policy determines whether a given service principal, namely an application or user group, can perform different operations on Key Vault secrets, keys, and certificates. You can assign access policies using the Azure portal, the Azure CLI (this article), or Azure PowerShell.

Key Vault supports up to 1024 access policy entries, with each entry granting a distinct set of permissions to a particular security principal. Because of this limitation, we recommend assigning access policies to groups of users, where possible, rather than individual users. Using groups makes it much easier to manage permissions for multiple people in your organization. For more information, see Manage app and resource access using Azure Active Directory groups.

For full details on Key Vault access control, see Azure Key Vault security: Identity and access management.

For more information on creating groups in Azure Active Directory using the Azure CLI, see az ad group create and az ad group member add.

Configure the Azure CLI and sign in

  1. To run Azure CLI commands locally, install the Azure CLI.

  2. Local CLI only: sign in to Azure using az login:

    az cloud set -n AzureChinaCloud
    az login
    

    The az login command opens a browser window to gather credentials if needed.

Acquire the object ID

Determine the object ID of the application, group, or user to which you want to assign the access policy:

  • Applications and other service principals: use the az ad sp list command to retrieve your service principals. Examine the output of the command to determine the object ID of the security principal to which you want to assign the access policy.

    az ad sp list --show-mine
    
  • Groups: use the az ad group list command, filtering the results with the --display-name parameter:

    az ad group list --display-name <search-string>
    
  • Users: use the az ad user show command, passing the user's email address in the --id parameter:

    az ad user show --id <email-address-of-user>
    

Assign the access policy

Use the az keyvault set-policy command to assign the desired permissions:

az keyvault set-policy --name myKeyVault --object-id <object-id> --secret-permissions <secret-permissions> --key-permissions <key-permissions> --certificate-permissions <certificate-permissions>

Replace <object-id> with the object ID of your service principal.

You need only include --secret-permissions, --key-permissions, and --certificate-permissions when assigning permissions to those particular types. The allowable values for <secret-permissions>, <key-permissions>, and <certificate-permissions> are given in the az keyvault set-policy documentation.
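The following script ties the two steps above together (look up the object ID, then call az keyvault set-policy) and adds the check a reviewer would want before granting a policy: that the permission list stays read-only unless someone deliberately asks for more. It is an added example, not part of the Azure documentation or the Azure CLI itself. The vault name, group name and object ID are placeholders; the `[0].id` JMESPath query assumes a current, Microsoft Graph based Azure CLI (older releases expose the same value as `objectId`); `build_set_policy_args` only assembles the argument list so the logic can be exercised without a live subscription, while `apply_policy` is the function that actually invokes `az`.

```shell
#!/bin/sh
# Added example: resolve a principal's object ID and grant it a least-privilege
# Key Vault access policy. Names and IDs below are constructed placeholders.
set -eu

# Look up the object ID of an Azure AD group by display name.
# Assumption: current Azure CLI returns the attribute as "id" (older: "objectId").
resolve_group_object_id() {
  az ad group list --display-name "$1" --query "[0].id" -o tsv
}

# Refuse permission lists that are broader than a consumer of secrets needs.
# "all", "purge" and "delete" go well beyond reading; they return 1 so the
# caller has to opt in explicitly.
check_least_privilege() {
  for perm in $1; do
    case "$perm" in
      all|purge|delete)
        printf 'broad permission requested: %s\n' "$perm" >&2
        return 1
        ;;
    esac
  done
  return 0
}

# Assemble the argument list for "az keyvault set-policy".
# Only the permission families that were actually passed are emitted, so a
# principal that needs secrets never receives an empty or accidental key or
# certificate grant.
#   $1 vault name, $2 object ID, $3 secret perms, $4 key perms, $5 cert perms
build_set_policy_args() {
  vault="$1"; object_id="$2"
  secret_perms="${3:-}"; key_perms="${4:-}"; cert_perms="${5:-}"
  args="keyvault set-policy --name $vault --object-id $object_id"
  [ -n "$secret_perms" ] && args="$args --secret-permissions $secret_perms"
  [ -n "$key_perms" ] && args="$args --key-permissions $key_perms"
  [ -n "$cert_perms" ] && args="$args --certificate-permissions $cert_perms"
  printf '%s\n' "$args"
}

# Run the assignment for real (requires "az login" first). The least-privilege
# check runs over every permission family before anything is changed.
apply_policy() {
  for perms in "${3:-}" "${4:-}" "${5:-}"; do
    check_least_privilege "$perms"
  done
  # Word splitting of the built argument list is intentional here.
  az $(build_set_policy_args "$@")
}

# Dry-run demonstration with constructed values; no az call is made.
# Typical live use would be:
#   gid=$(resolve_group_object_id "kv-readers")      # placeholder group name
#   apply_policy myKeyVault "$gid" "get list"
build_set_policy_args myKeyVault 00000000-0000-0000-0000-000000000000 "get list"
```

Granting `get list` on secrets alone mirrors the article's advice to pass only the permission flags for the object types the principal actually needs; anything that trips `check_least_privilege` should be a conscious decision recorded alongside the policy, not a default.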

Next steps