Key Vault Authentication Fundamentals

Azure Key Vault allows you to securely store and manage application credentials such as secrets, keys, and certificates in a central and secure cloud repository. Key Vault eliminates the need to store credentials in your applications. Your applications can authenticate to Key Vault at run time to retrieve credentials.

As an administrator, you can tightly control which users and applications can access your key vault, and you can limit and audit the operations they perform. This document explains the fundamental concepts of the key vault access model. It provides an introductory level of knowledge and shows you how to authenticate a user or application to key vault from start to finish.

Required Knowledge

This document assumes you are familiar with the following concepts. If you are not familiar with any of these concepts, follow the help links before proceeding.

  • Azure Active Directory link
  • Security Principals link

Key Vault Configuration Steps Summary

  1. Register your user or application in Azure Active Directory as a security principal.
  2. Configure a role assignment for your security principal in Azure Active Directory.
  3. Configure key vault access policies for your security principal.
  4. Configure Key Vault firewall access to your key vault (optional).
  5. Test your security principal's ability to access key vault.

Register a user or application in Azure Active Directory as a security principal

When a user or application makes a request to key vault, the request must first be authenticated by Azure Active Directory. For this to work, the user or application needs to be registered in Azure Active Directory as a security principal.

Follow the documentation links below to understand how to register a user or application in Azure Active Directory. Make sure you create a password for user registration and a client secret or client certificate credential for applications.

  • Registering a user in Azure Active Directory link
  • Registering an application in Azure Active Directory link

Assign your security principal a role

You can use Azure role-based access control (Azure RBAC) to assign permissions to security principals. These permissions are called role assignments.

In the context of key vault, these role assignments determine a security principal's level of access to the management plane (also known as the control plane) of key vault. These role assignments do not provide access to the data plane secrets directly, but they provide access to manage the properties of the key vault. For example, a user or application assigned the Reader role will not be permitted to make changes to key vault firewall settings, whereas a user or application assigned the Contributor role can make changes. Neither role has direct access to perform operations on secrets, keys, and certificates, such as creating or retrieving their value, until it is assigned access to the key vault data plane. This is covered in the next step.

Important

Although users with the Contributor or Owner role do not have access to perform operations on secrets stored in key vault by default, the Contributor and Owner roles provide permission to add or remove access policies for secrets stored in key vault. Therefore a user with these role assignments can grant themselves access to secrets in the key vault. For this reason, it is recommended that only administrators have access to the Contributor or Owner roles. Users and applications that only need to retrieve secrets from key vault should be granted the Reader role. More details are in the next section.

Note

When you assign a role to a user at the Azure Active Directory tenant level, this set of permissions trickles down to all subscriptions, resource groups, and resources within the scope of the assignment. To follow the principle of least privilege, you can make this role assignment at a more granular scope. For example, you can assign a user the Reader role at the subscription level and the Owner role for a single key vault. Go to the Identity Access Management (IAM) settings of a subscription, resource group, or key vault to make a role assignment at a more granular scope.

  • To learn more about Azure roles link
  • To learn more about assigning or removing role assignments link

Configure key vault access policies for your security principal

Before you grant your users and applications access to key vault, it is important to understand the different types of operations that can be performed on a key vault. There are two main types of key vault operations: management plane (also referred to as control plane) operations and data plane operations.

This table shows several examples of the different operations that are controlled by the management plane versus the data plane. Operations that change the properties of the key vault are management plane operations. Operations that change or retrieve the value of secrets stored in key vault are data plane operations.

Management Plane Operations (Examples)      | Data Plane Operations (Examples)
--------------------------------------------|-----------------------------------------------------------
Create Key Vault                            | Create a Key, Secret, Certificate
Delete Key Vault                            | Delete a Key, Secret, Certificate
Add or Remove Key Vault Role Assignments    | List and Get values of Keys, Secrets, Certificates
Add or Remove Key Vault Access Policies     | Backup and Restore Keys, Secrets, Certificates
Modify Key Vault Firewall Settings          | Renew Keys, Secrets, Certificates
Modify Key Vault Recovery Settings          | Purge or Recover soft-deleted Keys, Secrets, Certificates
Modify Key Vault Diagnostic Logs Settings   |

Management Plane Access & Azure Active Directory Role Assignments

Azure Active Directory role assignments grant access to perform management plane operations on a key vault. This access is typically granted to users, not to applications. You can restrict which management plane operations a user can perform by changing the user's role assignment.

For example, assigning a user the Key Vault Reader role will allow them to see the properties of your key vault, such as access policies, but will not allow them to make any changes. Assigning a user the Owner role will allow them full access to change key vault management plane settings.

Role assignments are controlled in the key vault Access Control (IAM) blade. If you want a particular user to be a reader or the administrator of multiple key vault resources, you can create a role assignment at the vault, resource group, or subscription level, and the role assignment will be added to all resources within the scope of the assignment.

Data plane access, that is, access to perform operations on keys, secrets, and certificates stored in key vault, can be added in one of two ways.

Data Plane Access Option 1: Classic Key Vault Access Policies

Key vault access policies grant users and applications access to perform data plane operations on a key vault.

Note

This access model is not compatible with Azure RBAC for key vault (Option 2) documented below. You must choose one. You will have the opportunity to make this selection when you click on the Access Policy tab of your key vault.

Classic access policies are granular, which means you can allow or deny the ability of each individual user or application to perform individual operations within a key vault. Here are a few examples:

  • Security Principal 1 can perform any key operation but is not allowed to perform any secret or certificate operation.
  • Security Principal 2 can list and read all keys, secrets, and certificates but cannot perform any create, delete, or renew operations.
  • Security Principal 3 can back up and restore all secrets but cannot read the value of the secrets themselves.

However, classic access policies do not allow per-object permissions, and assigned permissions apply to the scope of an individual key vault. For example, if you grant the "Secret Get" access policy permission to a security principal in a particular key vault, the security principal has the ability to get all secrets within that particular key vault. However, this "Get Secret" permission will not automatically extend to other key vaults and must be assigned explicitly.

Important

Classic key vault access policies and Azure Active Directory role assignments are independent of each other. Assigning a security principal the Contributor role at the subscription level will not automatically allow the security principal to perform data plane operations on every key vault within the scope of the subscription. The security principal must still be granted, or grant themselves, access policy permissions to perform data plane operations.
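To make the two-plane model concrete, here is an added example (not code from the original page) that models the rules stated in the role assignment section above and in this note: RBAC assignments inherit down the scope hierarchy and govern the management plane, classic access policies are per vault, per principal and per operation, and the two are independent, so a subscription-level Contributor cannot read secrets but can add an access policy for itself. The resource ids, principal names and the role-to-action mapping are constructed for illustration and are a simplification of the real built-in role definitions.

```python
from dataclasses import dataclass, field

# Management-plane roles and the vault-level actions each allows. Simplified
# for illustration; the real built-in role definitions list many more actions.
MGMT_ROLE_ACTIONS = {
    "Reader": {"read"},
    "Contributor": {"read", "write", "set_access_policy"},
    "Owner": {"read", "write", "set_access_policy", "set_role_assignment"},
}

@dataclass
class RoleAssignment:
    principal: str
    role: str
    scope: str  # ARM id of a subscription, resource group or single vault

@dataclass
class AccessPolicy:
    """Classic access policy: per vault, per principal, per operation, never per object."""
    principal: str
    keys: set = field(default_factory=set)
    secrets: set = field(default_factory=set)
    certificates: set = field(default_factory=set)

@dataclass
class Vault:
    resource_id: str
    access_policies: list = field(default_factory=list)

def scope_covers(scope: str, resource_id: str) -> bool:
    """RBAC trickles down: an assignment covers every resource nested under its scope."""
    return resource_id == scope or resource_id.startswith(scope.rstrip("/") + "/")

def management_allowed(assignments, principal, vault, action) -> bool:
    """Management plane: any in-scope assignment whose role grants the action suffices."""
    return any(a.principal == principal and scope_covers(a.scope, vault.resource_id)
               and action in MGMT_ROLE_ACTIONS.get(a.role, set()) for a in assignments)

def data_allowed(vault, principal, object_type, operation) -> bool:
    """Data plane under classic access policies: RBAC roles play no part here."""
    return any(p.principal == principal and operation in getattr(p, object_type)
               for p in vault.access_policies)

def can_self_grant_secrets(assignments, principal, vault) -> bool:
    """The risk from the Important note: no 'get' today, but able to add an access policy."""
    return (not data_allowed(vault, principal, "secrets", "get")
            and management_allowed(assignments, principal, vault, "set_access_policy"))

# Constructed sample tenant: one subscription, two vaults, three principals.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
KV1 = Vault(f"{SUB}/resourceGroups/rg1/providers/Microsoft.KeyVault/vaults/kv1",
            [AccessPolicy("reader-app", secrets={"get", "list"})])
KV2 = Vault(f"{SUB}/resourceGroups/rg2/providers/Microsoft.KeyVault/vaults/kv2")
ASSIGNMENTS = [
    RoleAssignment("ops-admin", "Contributor", SUB),        # broad scope: every vault below
    RoleAssignment("reader-app", "Reader", SUB),
    RoleAssignment("kv1-owner", "Owner", KV1.resource_id),  # narrow scope: one vault only
]
```

Running the checks shows that ops-admin can write vault settings everywhere in the subscription yet cannot get a secret from kv1, while reader-app's access policy on kv1 does not carry over to kv2.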

Data Plane Access Option 2: Azure RBAC for Key Vault (Preview)

A new way to grant access to the key vault data plane is through Azure role-based access control (Azure RBAC) for key vault.

Note

This access model is not compatible with the key vault classic access policies shown above. You must choose one. You will have the opportunity to make this selection when you click on the Access Policy tab of your key vault.

Key Vault role assignments are a set of Azure built-in role assignments that encompass common sets of permissions used to access keys, secrets, and certificates. This permission model also enables additional capabilities that are not available in the classic key vault access policy model.

  • Azure RBAC permissions can be managed at scale by allowing users to have these roles assigned at the subscription, resource group, or individual key vault level. A user will have the data plane permissions to all key vaults within the scope of the Azure RBAC assignment. This eliminates the need to assign individual access policy permissions per user/application per key vault.

  • Azure RBAC permissions are compatible with Privileged Identity Management (PIM). This allows you to configure just-in-time access controls for privileged roles like Key Vault Administrator. This is a security best practice and follows the principle of least privilege by eliminating standing access to your key vaults.

  • Azure RBAC permissions are compatible with per-object granular permissions, so you can restrict a user to performing operations on only some of your key vault objects. This allows multiple applications to share a single key vault while still isolating access between applications.

To learn more about Azure RBAC for Key Vault, see the following documents:

  • Azure RBAC for Key Vault link
  • Azure RBAC for Key Vault roles (Preview) link

Configure Key Vault Firewall

By default, key vault allows traffic from the public internet to reach your key vault through a public endpoint. For an additional layer of security, you can configure the Azure Key Vault Firewall to restrict access to the key vault public endpoint.

To enable the key vault firewall, click on the Networking tab in the key vault portal and select the radio button to Allow Access From: "Private Endpoint and Selected Networks". If you choose to enable the key vault firewall, these are the ways you can allow traffic through it.

  • Add IPv4 addresses to the key vault firewall allow list. This option works best for applications that have static IP addresses.

  • Add a virtual network to the key vault firewall. This option works best for Azure resources that have dynamic IP addresses, such as Virtual Machines. You can add Azure resources to a virtual network and add the virtual network to the key vault firewall allow list. This option uses a service endpoint, which is a private IP address within the virtual network. This provides an additional layer of protection, so no traffic between key vault and your virtual network is routed over the public internet. To learn more about service endpoints, see the following documentation: link

  • Add a private link connection to the key vault. This option connects your virtual network directly to a particular instance of key vault, effectively bringing your key vault inside your virtual network. To learn more about configuring a private endpoint connection to key vault, see the following link.

Test your service principal's ability to access key vault

Once you have followed all of the steps above, you will be able to set and retrieve secrets from your key vault.

Authentication process for users (examples)

Azure Active Directory authentication process for applications or services (examples)

  • An application provides a client secret and client ID in a function to get an Azure Active Directory token.

  • An application provides a certificate to get an Azure Active Directory token.

  • An Azure resource uses MSI authentication to get an Azure Active Directory token.

  • Learn more about MSI authentication link

Authentication process for applications (Python example)

Use the following code sample to test whether your application can retrieve a secret from your key vault using the service principal you configured.

Note

This sample is for demonstration and test purposes only. DO NOT USE CLIENT SECRET AUTHENTICATION IN PRODUCTION. This is not a secure design practice. You should use client certificate or MSI authentication as a best practice.

from azure.identity import ClientSecretCredential, AzureAuthorityHosts
from azure.keyvault.secrets import SecretClient

tenant_id = "{ENTER YOUR TENANT ID HERE}"                          ##ENTER AZURE TENANT ID
vault_url = "https://{ENTER YOUR VAULT NAME}.vault.azure.cn/"     ##ENTER THE URL OF YOUR KEY VAULT
client_id = "{ENTER YOUR CLIENT ID HERE}"                          ##ENTER THE CLIENT ID OF YOUR SERVICE PRINCIPAL
client_secret = "{ENTER YOUR CLIENT SECRET HERE}"                  ##ENTER THE CLIENT SECRET OF YOUR SERVICE PRINCIPAL

def main():

    #AUTHENTICATION TO Azure Active Directory USING CLIENT ID AND CLIENT SECRET (GET Azure Active Directory TOKEN)
    #THE authority ARGUMENT SELECTS THE AZURE CHINA LOGIN ENDPOINT, MATCHING THE .vault.azure.cn VAULT URL ABOVE;
    #THE CREDENTIAL OBJECT REQUESTS THE TOKEN ON DEMAND WHEN THE SECRET CLIENT FIRST CALLS KEY VAULT
    credential = ClientSecretCredential(tenant_id=tenant_id, client_id=client_id, client_secret=client_secret,
                                        authority=AzureAuthorityHosts.AZURE_CHINA)

    #AUTHENTICATION TO KEY VAULT PRESENTING THE Azure Active Directory TOKEN
    client = SecretClient(vault_url=vault_url, credential=credential)

    #CALL TO KEY VAULT TO GET SECRET
    #ENTER NAME OF A SECRET STORED IN KEY VAULT
    secret = client.get_secret('{SECRET_NAME}')

    #GET PLAINTEXT OF SECRET
    print(secret.value)

#CALL MAIN()
if __name__ == "__main__":
    main()

Next Steps

To learn about key vault authentication in more detail, see the following document: Key Vault Authentication