Provide Key Vault authentication with a managed identity

A managed identity from Azure Active Directory lets your app access other Azure AD-protected resources without handling credentials itself. The identity is managed by the Azure platform, so you do not have to provision, store or rotate any secrets for it. For more information, see Managed identities for Azure resources.

This article shows you how to create a managed identity for an App Service application and use it to access Azure Key Vault. For applications hosted in Azure VMs, see Use a Windows VM system-assigned managed identity to access Azure Key Vault.

Prerequisites

To complete this guide, you must have the following resources.

Adding a system-assigned identity

First, you must add a system-assigned identity to the application.

Azure portal

To set up a managed identity in the portal, first create the application as usual and then enable the feature.

  1. If you are using a function app, navigate to Platform features. For other app types, scroll down to the Settings group in the left navigation.

  2. Select Managed identity.

  3. On the System assigned tab, switch Status to On. Click Save.

Azure CLI

This quickstart requires Azure CLI version 2.0.4 or later. Run az --version to find your current version. If you need to install or upgrade, see Install the Azure CLI.

To sign in with the Azure CLI, select the Azure China cloud and then use the az login command:

az cloud set -n AzureChinaCloud
az login

For more information on login options with the Azure CLI, see Sign in with Azure CLI.

To create the identity for the application, use the Azure CLI az webapp identity assign command or az functionapp identity assign command (use the one that matches your app type):

az webapp identity assign --name myApp --resource-group myResourceGroup
az functionapp identity assign --name myApp --resource-group myResourceGroup

Make a note of the principalId in the output. It is the object ID of the identity's service principal in Azure AD, and you will need it in the next section.

{
  "principalId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "type": "SystemAssigned"
}

Grant your app access to Key Vault

Azure portal

  1. Navigate to the Key Vault resource.

  2. Select Access policies and click Add Access Policy.

  3. Under Secret permissions, select Get and List.

  4. Choose Select Principal, and in the search field enter the name of the app. Select the app in the result list and click Select.

  5. Click Add to finish adding the new access policy.

Azure CLI

To grant the application access to your key vault, use the Azure CLI az keyvault set-policy command, passing the principalId you noted above as the --object-id parameter:

az keyvault set-policy --name myKeyVault --object-id <PrincipalId> --secret-permissions get list

Grant only the permissions the app actually needs. An app that reads secrets by name needs only get; add list only if it must enumerate the vault's secrets. No key or certificate permissions are required for reading secrets.
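The following script is an added example and is not part of the original page or of any Microsoft sample. It performs the two CLI steps above end to end (enable the identity, capture its principalId with --query instead of copying it by hand, grant the minimal secret permission, and read back the resulting policy), and it adds a verification function to run from a console inside the running app (for example the App Service SSH/Kudu console), where App Service injects the IDENTITY_ENDPOINT and IDENTITY_HEADER variables. That function requests a token for Key Vault from the managed identity endpoint and reads one secret's metadata over the Key Vault REST API, which is exactly what an SDK credential does for the app. The app, resource group, vault and secret names are placeholders; the DNS suffix vault.azure.cn and the token audience https://vault.azure.cn are the Azure China values (global Azure uses vault.azure.net for both), and the Azure CLI is assumed to be signed in to AzureChinaCloud.

```shell
#!/bin/sh
# Added example (not from the original page): provision and verify managed-identity
# access from an App Service app to a Key Vault. Placeholder names throughout.
set -eu

KV_DNS_SUFFIX="vault.azure.cn"        # Azure China; global Azure uses vault.azure.net
KV_RESOURCE="https://vault.azure.cn"  # token audience for Key Vault in Azure China
KV_API_VERSION="7.4"                  # Key Vault REST API version
MSI_API_VERSION="2019-08-01"          # App Service managed identity endpoint version

# Key Vault REST URL for a secret. Vault names are DNS labels, so lowercase them.
kv_secret_url() {
  vault=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  printf 'https://%s.%s/secrets/%s?api-version=%s' "$vault" "$KV_DNS_SUFFIX" "$2" "$KV_API_VERSION"
}

# Managed identity token URL for a given resource audience.
msi_token_url() {
  printf '%s?resource=%s&api-version=%s' "$1" "$2" "$MSI_API_VERSION"
}

# Extract one string-valued JSON field from stdin without jq (works line by line,
# so it handles both the pretty-printed az output and the one-line token response).
json_field() {
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Step 1: enable the system-assigned identity and return its principalId (object ID).
assign_identity() {
  az webapp identity assign --name "$1" --resource-group "$2" --query principalId -o tsv
}

# Step 2: grant that principal 'get' only; 'list' is needed only for enumeration.
grant_secret_access() {
  az keyvault set-policy --name "$1" --object-id "$2" --secret-permissions get >/dev/null
}

# Steps 1 and 2 together, then read back the secret permissions actually granted.
provision_kv_access() {
  app=$1; rg=$2; vault=$3
  principal_id=$(assign_identity "$app" "$rg")
  echo "principalId: $principal_id"
  grant_secret_access "$vault" "$principal_id"
  az keyvault show --name "$vault" \
    --query "properties.accessPolicies[?objectId=='$principal_id'].permissions.secrets" -o tsv
}

# Step 3 (run inside the app, not on the workstation): obtain a Key Vault token from the
# managed identity endpoint and fetch one secret. Prints the secret's id, never its value.
read_secret_with_identity() {
  vault=$1; secret=$2
  : "${IDENTITY_ENDPOINT:?not set; run this from a console inside the App Service app}"
  : "${IDENTITY_HEADER:?not set; run this from a console inside the App Service app}"
  token=$(curl -sf -H "X-IDENTITY-HEADER: $IDENTITY_HEADER" \
            "$(msi_token_url "$IDENTITY_ENDPOINT" "$KV_RESOURCE")" | json_field access_token)
  if [ -z "$token" ]; then
    echo "no access_token returned: identity not enabled, or wrong resource audience" >&2
    return 1
  fi
  # 403 here means the token is fine but the access policy is missing or too narrow.
  curl -sf -H "Authorization: Bearer $token" "$(kv_secret_url "$vault" "$secret")" | json_field id
}

# With three arguments, run the provisioning steps; with none, only define the functions.
if [ "$#" -eq 3 ]; then
  provision_kv_access "$@"
fi
```

Run `sh provision-kv-access.sh myApp myResourceGroup myKeyVault` from your workstation for steps 1 and 2, then, in a console inside the app, source the file and call `read_secret_with_identity myKeyVault MySecret`. A 403 from the second curl with a valid token is the symptom of a missing or insufficient access policy, while an empty token means the identity itself is not available to the process.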

Next steps