Assign a Key Vault access policy using Azure PowerShell

A Key Vault access policy determines whether a given service principal, namely an application or user group, can perform different operations on Key Vault secrets, keys, and certificates. You can assign access policies using the Azure portal, the Azure CLI, or Azure PowerShell (this article).

Key Vault supports up to 1024 access policy entries, with each entry granting a distinct set of permissions to a particular security principal. Because of this limitation, we recommend assigning access policies to groups of users, where possible, rather than to individual users. Using groups makes it much easier to manage permissions for multiple people in your organization. For more information, see Manage app and resource access using Azure Active Directory groups.

For full details on Key Vault access control, see Azure Key Vault security: Identity and access management.

For more information on creating groups in Azure Active Directory using Azure PowerShell, see New-AzureADGroup and Add-AzADGroupMember.

Configure PowerShell and sign in

  1. To run commands locally, install Azure PowerShell if you haven't already.

  2. Local PowerShell only:

    1. Install the Azure Active Directory PowerShell module.

    2. Sign in to Azure:

      Login-AzAccount
      

Acquire the object ID

Determine the object ID of the application, group, or user to which you want to assign the access policy:

  • Applications and other service principals: use the Get-AzADServicePrincipal cmdlet with the -SearchString parameter to filter results to the name of the desired service principal:

    Get-AzADServicePrincipal -SearchString <search-string>
    
  • Groups: use the Get-AzADGroup cmdlet with the -SearchString parameter to filter results to the name of the desired group:

    Get-AzADGroup -SearchString <search-string>
    

    In the output, the object ID is listed as Id.

  • Users: use the Get-AzADUser cmdlet, passing the user's email address to the -UserPrincipalName parameter:

    Get-AzADUser -UserPrincipalName <email-address-of-user>
    

    In the output, the object ID is listed as Id.

Assign the access policy

Use the Set-AzKeyVaultAccessPolicy cmdlet to assign the access policy:

  Set-AzKeyVaultAccessPolicy -VaultName <key-vault-name> -ObjectId <Id> -PermissionsToSecrets <secret-permissions> -PermissionsToKeys <key-permissions> -PermissionsToCertificates <certificate-permissions>

You need only include -PermissionsToSecrets, -PermissionsToKeys, and -PermissionsToCertificates when assigning permissions to those particular types; any category you omit is not granted. The allowable values for <secret-permissions>, <key-permissions>, and <certificate-permissions> are given in the Set-AzKeyVaultAccessPolicy - Parameters documentation.
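The procedure above carried through end to end, as an added example that is not part of the original article: resolve a group's object ID, grant it only the secret permissions it needs, then read the vault's policy list back to confirm the entry and check it against the 1024-entry limit. The vault and group names are placeholders; Get-AzADGroup -DisplayName is used instead of -SearchString so that exactly one group is matched.

```powershell
# Added example (not from the original article). Assumes you are already signed in
# with Login-AzAccount and that the vault and group below exist in your tenant.
$vaultName = 'contoso-kv-example'        # placeholder vault name
$groupName = 'KeyVault-Secret-Readers'   # placeholder Azure AD group display name

# Resolve the group's object ID. -DisplayName requires an exact match, which avoids
# the prefix-search ambiguity of -SearchString when several groups share a prefix.
$group = Get-AzADGroup -DisplayName $groupName
if (-not $group) { throw "Group '$groupName' not found; check the display name." }

# Least privilege: a secret reader needs only get and list on secrets.
# -PermissionsToKeys and -PermissionsToCertificates are omitted, so nothing is
# granted on keys or certificates.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName `
                           -ObjectId $group.Id `
                           -PermissionsToSecrets get, list

# Verify: read the vault back and show the policy entry for this principal.
$vault  = Get-AzKeyVault -VaultName $vaultName
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $group.Id }
if (-not $policy) { throw "No access policy entry found for object ID $($group.Id)." }
$policy | Select-Object ObjectId, PermissionsToSecrets, PermissionsToKeys, PermissionsToCertificates

# Housekeeping: each entry counts toward the 1024-entry limit, which is why the
# article recommends assigning policies to groups rather than individual users.
"{0} of 1024 access policy entries in use on {1}" -f $vault.AccessPolicies.Count, $vaultName
```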

Next steps