Assign a Key Vault access policy using the Azure portal

A Key Vault access policy determines whether a given service principal, namely an application or user group, can perform different operations on Key Vault secrets, keys, and certificates. You can assign access policies using the Azure portal (this article), the Azure CLI, or Azure PowerShell.

Key Vault supports up to 1024 access policy entries, with each entry granting a distinct set of permissions to a particular security principal. Because of this limitation, we recommend assigning access policies to groups of users, where possible, rather than to individual users. Using groups makes it much easier to manage permissions for multiple people in your organization. For more information, see Manage app and resource access using Azure Active Directory groups.

For full details on Key Vault access control, see Azure Key Vault security: Identity and access management.

For more information on creating groups in Azure Active Directory through the Azure portal, see Create a basic group and add members.

Assign an access policy

  1. In the Azure portal, navigate to the Key Vault resource.

  2. Under Settings, select Access policies, then select Add Access Policy:

    [Screenshot: Select Access policies, then select Add role assignment]

  3. Select the permissions you want under Certificate permissions, Key permissions, and Secret permissions. You can also select a template that contains common permission combinations:

    [Screenshot: Specify access policy permissions]

  4. Under Select principal, choose the None selected link to open the Principal selection pane. Enter the name of the app or service principal in the search field, select the appropriate result, then choose Select.

    [Screenshot: Select the service principal for the access policy]

    If you're using a managed identity for the app, search for and select the name of the app itself. (For more information on managed identities and service principals, see Key Vault authentication - app identity and service principals.)

  5. Back in the Add access policy pane, select Add to save the access policy.

    [Screenshot: Add the access policy with the service principal assigned]

  6. Back on the Access policies page, verify that your access policy is listed under Current Access Policies, then select Save. Access policies aren't applied until you save them.

    [Screenshot: Save the access policy changes]
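The same assignment can be scripted with Azure PowerShell, which the article names as an alternative to the portal. The following is an added example, not code from the original article: it resolves a security group by display name (following the recommendation above to assign policies to groups rather than individual users), checks the vault's current entry count against the 1024-entry limit, and grants only the permissions listed. The vault name, group name and permission lists are placeholders you replace with your own.

```powershell
# Added example (not from the original article): assign a Key Vault access policy
# to an Azure AD group with Azure PowerShell (Az.KeyVault and Az.Resources modules).
# Placeholder values: replace the vault and group names with your own.
$VaultName = 'contoso-kv-placeholder'
$GroupName = 'KeyVault-Secret-Readers-placeholder'

# Least-privilege permission sets: only the operations the group actually needs.
# Leave a list empty to grant nothing in that category.
$SecretPermissions      = @('get', 'list')
$KeyPermissions         = @()
$CertificatePermissions = @()

# Resolve the group to its object ID. Granting to a group means membership
# changes do not consume additional access policy entries on the vault.
$group = Get-AzADGroup -DisplayName $GroupName
if (-not $group) { throw "Group '$GroupName' not found in Azure AD." }
if (@($group).Count -gt 1) { throw "Display name '$GroupName' is ambiguous; look the group up by object ID instead." }

# Key Vault allows at most 1024 access policy entries per vault. Only a new
# principal consumes an entry; updating an existing one does not.
$vault = Get-AzKeyVault -VaultName $VaultName
if (-not $vault) { throw "Key vault '$VaultName' not found." }
$existing = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $group.Id }
if (-not $existing -and $vault.AccessPolicies.Count -ge 1024) {
    throw "Vault '$VaultName' already has 1024 access policy entries; consolidate principals into groups first."
}

# Apply the policy. Unlike the portal, this takes effect immediately: there is
# no separate Save step. Only the permission categories that are non-empty are passed.
$params = @{ VaultName = $VaultName; ObjectId = $group.Id }
if ($SecretPermissions)      { $params.PermissionsToSecrets      = $SecretPermissions }
if ($KeyPermissions)         { $params.PermissionsToKeys         = $KeyPermissions }
if ($CertificatePermissions) { $params.PermissionsToCertificates = $CertificatePermissions }
Set-AzKeyVaultAccessPolicy @params

# Verify the result, mirroring step 6 of the portal procedure: read the vault
# back and show the entry that now exists for the group.
$applied = (Get-AzKeyVault -VaultName $VaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $group.Id }
$applied | Format-List ObjectId, PermissionsToSecrets, PermissionsToKeys, PermissionsToCertificates
```

Run it from a session already signed in with Connect-AzAccount and holding rights to modify the vault's access policies; the verification at the end shows exactly what was granted.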

Next steps