Authentication in Azure Key Vault

Authentication with Key Vault works in conjunction with Azure Active Directory (Azure AD), which is responsible for authenticating the identity of any given security principal.

A security principal is an object that represents a user, group, service, or application that is requesting access to Azure resources. Azure assigns a unique object ID to every security principal.

  • A user security principal identifies an individual who has a profile in Azure Active Directory.

  • A group security principal identifies a set of users created in Azure Active Directory. Any roles or permissions assigned to the group are granted to all of the users within the group.

  • A service principal is a type of security principal that identifies an application or service, which is to say, a piece of code rather than a user or group. A service principal's application (client) ID acts like its username, and its client secret (or certificate) acts like its password. The client ID is a separate identifier from the object ID that Azure assigns to the principal; both are GUIDs, but only the client ID is used when the application authenticates.

For applications, there are two ways to obtain a service principal:

  • Recommended: enable a system-assigned managed identity for the application.

    With managed identity, Azure internally manages the application's service principal and automatically authenticates the application with other Azure services. No credential is stored in the application's configuration. Managed identity is available for applications deployed to a variety of services.

    For more information, see the Managed identity overview. Also see Azure services that support managed identity, which links to articles that describe how to enable managed identity for specific services (such as App Service, Azure Functions, Virtual Machines, etc.).

  • If you cannot use managed identity, you instead register the application with your Azure AD tenant, as described in Quickstart: Register an application with the Microsoft identity platform. Registration also creates a second application object that identifies the app across all tenants. In this case the application holds a client secret or certificate, which must be stored and rotated like any other credential.

Configure the Key Vault firewall

By default, Key Vault allows access to resources through public IP addresses. For greater security, you can also restrict access to specific IP ranges, service endpoints, virtual networks, or private endpoints.

For more information, see Access Azure Key Vault behind a firewall.
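The firewall decision described in this section and in step 4 of the request flow below can be modelled as a small evaluator. The following is an added example and is not Microsoft's code: the rule dictionary mirrors the `properties.networkAcls` shape of a `Microsoft.KeyVault/vaults` ARM resource (`defaultAction`, `bypass`, `ipRules`, `virtualNetworkRules`), while the request fields (`source_ip`, `subnet_id`, `is_trusted_service`, `via_private_link`) and the sample subscription and subnet IDs are assumptions chosen for illustration.

```python
"""Model of the Key Vault firewall decision: allow if ANY listed criterion holds.

Added example, not Microsoft's implementation. `acls` follows the
networkAcls property of a Microsoft.KeyVault/vaults ARM resource.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    source_ip: Optional[str] = None       # public source address seen by Key Vault
    subnet_id: Optional[str] = None       # ARM id of the caller's subnet (service endpoint)
    is_trusted_service: bool = False      # e.g. Azure Backup, Azure Disk Encryption
    via_private_link: bool = False        # request arrived through a private endpoint


# Constructed sample: public access denied, trusted services bypass,
# one IPv4 range and one subnet listed. IDs are placeholders.
EXAMPLE_SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
                  "/providers/Microsoft.Network/virtualNetworks/vnet/subnets/app")
EXAMPLE_ACLS: Dict = {
    "defaultAction": "Deny",
    "bypass": "AzureServices",
    "ipRules": [{"value": "203.0.113.0/24"}],
    "virtualNetworkRules": [{"id": EXAMPLE_SUBNET}],
}


def ip_listed(source_ip: Optional[str], ip_rules: List[Dict]) -> bool:
    """True if the source address falls inside any ipRules entry (single IP or CIDR)."""
    if not source_ip:
        return False
    addr = ipaddress.ip_address(source_ip)
    for rule in ip_rules:
        net = ipaddress.ip_network(rule["value"], strict=False)
        if addr in net:           # version mismatch (v4 vs v6) simply yields False
            return True
    return False


def firewall_allows(acls: Optional[Dict], req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Mirrors criteria 4a-4d of the request flow."""
    # 4a: no networkAcls, or defaultAction Allow, means the public endpoint is open.
    if acls is None or acls.get("defaultAction", "Allow").lower() == "allow":
        return True, "firewall disabled (public endpoint reachable)"
    # 4d: private link traffic is evaluated before the public IP/VNet rules.
    if req.via_private_link:
        return True, "private link connection"
    # 4b: trusted services bypass ONLY when bypass=AzureServices is configured.
    if req.is_trusted_service and acls.get("bypass", "None").lower() == "azureservices":
        return True, "trusted service bypass"
    # 4c: explicit IP rule or virtual network (service endpoint) rule.
    if ip_listed(req.source_ip, acls.get("ipRules", [])):
        return True, "ip rule"
    vnet_ids = {r["id"].lower() for r in acls.get("virtualNetworkRules", [])}
    if req.subnet_id and req.subnet_id.lower() in vnet_ids:
        return True, "virtual network rule"
    return False, "403 Forbidden"


if __name__ == "__main__":
    for r in (Request(source_ip="203.0.113.7"),
              Request(source_ip="198.51.100.7"),
              Request(source_ip="198.51.100.7", is_trusted_service=True),
              Request(via_private_link=True)):
        print(r, "->", firewall_allows(EXAMPLE_ACLS, r))
```

Two caveats the model makes visible: with `bypass` set to `None` a trusted service is treated like any other caller, and with `defaultAction` left at `Allow` every other rule is irrelevant because the public endpoint is open. The real service also rejects private (RFC 1918) ranges in `ipRules`, which this evaluator does not enforce.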

The Key Vault request operation flow with authentication

Key Vault authentication occurs as part of every request operation on Key Vault. Once a token is retrieved, it can be reused for subsequent calls until it expires. Authentication flow example:

  1. A token request is made to authenticate with Azure AD, for example:

    • An Azure resource such as a virtual machine or App Service application with a managed identity contacts the REST endpoint to get an access token.
    • A user logs into the Azure portal using a username and password.
  2. If authentication with Azure AD is successful, the security principal is granted an OAuth access token.

  3. A call is made to the Key Vault REST API through the Key Vault's endpoint (URI), carrying the token as a bearer token.

  4. The Key Vault firewall checks the following criteria. If any criterion is met, the call is allowed. Otherwise the call is blocked and a forbidden response is returned.

    • The firewall is disabled and the public endpoint of Key Vault is reachable from the public internet.
    • The caller is a Key Vault Trusted Service, allowing it to bypass the firewall.
    • The caller is listed in the firewall by IP address, virtual network, or service endpoint.
    • The caller can reach Key Vault over a configured private link connection.
  5. If the firewall allows the call, Key Vault validates the security principal's access token with Azure AD.

  6. Key Vault checks whether the security principal has the necessary permission for the requested operation. If not, Key Vault returns a forbidden response.

  7. Key Vault carries out the requested operation and returns the result.

Note that the firewall check (step 4) happens before the token is validated (step 5): a caller blocked by the firewall receives a forbidden response even with a perfectly valid token, so a 403 alone does not tell you whether the network rules or the permissions are at fault.

The following diagram illustrates the process for an application calling the Key Vault "Get Secret" API:

(Diagram: Azure Key Vault authentication flow)

Note

Key Vault SDK clients for secrets, certificates, and keys make an additional call to Key Vault without an access token. That call results in a 401 response whose challenge header carries the tenant (authority) information the client needs to request a correctly scoped token. For more information, see Authentication, requests and responses.
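The client side of the flow above (steps 1 through 3, plus the 401 challenge handling from the note) is shown in the following added example, which is not Microsoft's SDK code. It uses two real endpoints: the Azure Instance Metadata Service token endpoint at 169.254.169.254 that managed identities call, and the Key Vault data-plane REST API (`GET /secrets/{name}?api-version=7.4`). The vault name `contoso-vault`, the secret name `db-password`, the all-zero tenant GUID and the unsigned sample JWT are constructed placeholders for offline checks; token validation itself happens only inside Key Vault and Azure AD, never in client code.

```python
"""Client-side view of the Key Vault request flow.

Added example, not Microsoft's SDK. Network functions are only invoked
from __main__; the pure helpers can be exercised offline.
"""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
KEY_VAULT_RESOURCE = "https://vault.azure.net"


def fetch_imds_token(resource: str = KEY_VAULT_RESOURCE) -> Dict:
    """Step 1 (managed identity): ask IMDS for a token scoped to Key Vault. Network call."""
    query = urllib.parse.urlencode({"api-version": "2018-02-01", "resource": resource})
    req = urllib.request.Request(f"{IMDS_TOKEN_URL}?{query}", headers={"Metadata": "true"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)  # {"access_token": ..., "expires_on": "<unix seconds>", ...}


class CachedToken:
    """Steps 1-2: obtain the bearer token once and reuse it until shortly before expiry."""

    def __init__(self, fetch: Callable[[], Dict], refresh_margin: int = 300):
        self._fetch = fetch
        self._margin = refresh_margin
        self._token: Optional[str] = None
        self._expires_on = 0

    def get(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_on - self._margin:
            body = self._fetch()
            self._token = body["access_token"]
            self._expires_on = int(body["expires_on"])
        return self._token


def jwt_claims(token: str) -> Dict:
    """Decode the JWT payload WITHOUT verifying the signature (only Key Vault/AAD verify it)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_usable_for_vault(token: str, now: Optional[float] = None) -> bool:
    """Pre-flight check: right audience and not expired. Catches a token minted for another API."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    return claims.get("aud") in (KEY_VAULT_RESOURCE, KEY_VAULT_RESOURCE + "/") and claims.get("exp", 0) > now


def parse_bearer_challenge(www_authenticate: str) -> Dict[str, str]:
    """Parse the 401 challenge, e.g.
    Bearer authorization="https://login.microsoftonline.com/<tenant>", resource="https://vault.azure.net"
    The SDKs use this to learn which tenant authority to request a token from."""
    scheme, _, params = www_authenticate.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    out: Dict[str, str] = {}
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        out[key.strip()] = value.strip().strip('"')
    out["tenant"] = out.get("authorization", "").rstrip("/").rsplit("/", 1)[-1]
    return out


def get_secret(vault_name: str, secret_name: str, token: str) -> Dict:
    """Step 3: call the data plane with the bearer token. Steps 4-7 run inside Key Vault."""
    url = f"https://{vault_name}.vault.azure.net/secrets/{secret_name}?api-version=7.4"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 401:   # token missing, expired, or for the wrong tenant/audience
            raise PermissionError(parse_bearer_challenge(err.headers.get("WWW-Authenticate", "")))
        if err.code == 403:   # firewall (step 4) or missing permission (step 6)
            raise PermissionError(err.read().decode())
        raise


def make_unsigned_jwt(claims: Dict) -> str:
    """Constructed test token with an empty signature; Key Vault would reject it."""
    def enc(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Placeholder claims: audience is Key Vault, expiry far in the future, all-zero object id.
SAMPLE_TOKEN = make_unsigned_jwt({"aud": KEY_VAULT_RESOURCE, "exp": 4102444800,
                                  "oid": "00000000-0000-0000-0000-000000000000"})

if __name__ == "__main__":
    cache = CachedToken(fetch_imds_token)   # works only on an Azure host with a managed identity
    token = cache.get()
    if token_usable_for_vault(token):
        print(get_secret("contoso-vault", "db-password", token)["value"])
```

The refresh margin in `CachedToken` matters in practice: the token is validated server-side at step 5, so a request that leaves the client a few seconds before expiry can still arrive expired and fail with 401. The audience check is a convenience, not a security control; a token that passes it is still fully validated by Key Vault.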

Authentication to Key Vault in application code

The Key Vault SDKs use the Azure Identity client library, which allows seamless authentication to Key Vault across environments with the same code: the credential type selects the mechanism (managed identity, developer sign-in, client secret or certificate), and the Key Vault client code itself does not change.

Azure Identity client libraries:

  • .NET: Azure Identity SDK .NET
  • Python: Azure Identity SDK Python
  • Java: Azure Identity SDK Java
  • JavaScript: Azure Identity SDK JavaScript

For more information about best practices and developer examples, see Authenticate to Key Vault in code.

Next steps