Provide access to Key Vault keys, certificates, and secrets with Azure role-based access control (preview)

Azure role-based access control (Azure RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources.

Azure RBAC allows users to manage key, secret, and certificate permissions. It provides one place to manage all permissions across all key vaults.

The Azure RBAC model provides the ability to set permissions at different scope levels: management group, subscription, resource group, or individual resource. Azure RBAC for Key Vault also provides the ability to set separate permissions on individual keys, secrets, and certificates.

For more information, see Azure role-based access control (Azure RBAC).

Best practices for individual keys, secrets, and certificates

Our recommendation is to use one vault per application per environment (development, pre-production, and production).

Individual key, secret, and certificate permissions should be used only for specific scenarios:

  • Multi-layer applications that need to separate access control between layers

  • A shared key vault with common secrets, when applications need access to subsets of the secrets in that key vault

For more about Azure Key Vault management guidelines, see:

Azure built-in roles for Key Vault data plane operations (preview)

| Built-in role | Description | ID |
| --- | --- | --- |
| Key Vault Administrator (preview) | Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model. | 00482a5a-887f-4fb3-b363-3b7fe8e74483 |
| Key Vault Certificates Officer (preview) | Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | a4417e6f-fecd-4de8-b567-7b0420556985 |
| Key Vault Crypto Officer (preview) | Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | 14b46e9e-c2b7-41b4-b07b-48a6ebf60603 |
| Key Vault Crypto Service Encryption (preview) | Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model. | e147488a-f6f5-4113-8e2d-b22465e65bf6 |
| Key Vault Crypto User (preview) | Perform cryptographic operations using keys. Only works for key vaults that use the 'Azure role-based access control' permission model. | 12338af0-0e69-4776-bea7-57ae8d297424 |
| Key Vault Reader (preview) | Read metadata of key vaults and their certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model. | 21090545-7ca7-4776-b22c-e363652d74d2 |
| Key Vault Secrets Officer (preview) | Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | b86a8fe4-44ce-4948-aee5-eccb2c155cd7 |
| Key Vault Secrets User (preview) | Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model. | 4633458b-17de-408a-b874-0445c86b69e6 |

For more information about Azure built-in role definitions, see Azure built-in roles.

Using Azure RBAC secret, key, and certificate permissions with Key Vault

The new Azure RBAC permission model for Key Vault provides an alternative to the vault access policy permission model.

Enable Azure RBAC permissions on Key Vault

Important

Setting the Azure RBAC permission model invalidates all access policy permissions. It can cause outages when equivalent Azure roles aren't assigned, so assign the equivalent roles before switching an existing vault.

  1. Enable Azure RBAC permissions on a new key vault:

    (Screenshot: Enable RBAC permissions - new vault)

  2. Enable Azure RBAC permissions on an existing key vault:

    (Screenshot: Enable RBAC permissions - existing vault)

Assign role

Note

It's recommended to use the unique role ID instead of the role name in scripts, so that your scripts continue to work if a role is renamed. During the preview every role has a "(preview)" suffix, which will be removed later. In this document the role name is used only for readability.

Azure CLI command to create a role assignment:

az role assignment create --role <role_name_or_id> --assignee <assignee> --scope <scope>

In the Azure portal, the Azure role assignments screen is available for all resources on the Access control (IAM) tab.

(Screenshot: Role assignment - Access control (IAM) tab)

Resource group scope role assignment

  1. Go to the key vault's resource group.

    (Screenshot: Role assignment - resource group)

  2. Click Access control (IAM) > Add role assignment > Add

  3. Create the Key Vault Reader role assignment "Key Vault Reader (preview)" for the current user

    (Screenshot: Add role - resource group)

Azure CLI:

az role assignment create --role "Key Vault Reader (preview)" --assignee {i.e. user@microsoft.com} --scope /subscriptions/{subscriptionid}/resourcegroups/{resource-group-name}

The above role assignment provides the ability to list key vault objects in the key vault; it does not grant access to secret values or key material.

Key Vault scope role assignment

  1. Go to Key Vault > Access control (IAM) tab

  2. Click Add role assignment > Add

  3. Create the Key Vault Secrets Officer role assignment "Key Vault Secrets Officer (preview)" for the current user.

    (Screenshot: Role assignment - key vault)

Azure CLI:

az role assignment create --role "Key Vault Secrets Officer (preview)" --assignee {i.e. user@microsoft.com} --scope /subscriptions/{subscriptionid}/resourcegroups/{resource-group-name}/providers/Microsoft.KeyVault/vaults/{key-vault-name}

After creating the above role assignment you can create/update/delete secrets.

  1. Create a new secret (Secrets > + Generate/Import) for testing the secret-level role assignment.

    (Screenshot: Add role - key vault)

Secret scope role assignment

  1. Open one of the previously created secrets and notice the Overview and Access control (IAM) (preview) tabs

  2. Click the Access control (IAM) (preview) tab

    (Screenshot: Role assignment - secret)

  3. Create the Key Vault Secrets Officer role assignment "Key Vault Secrets Officer (preview)" for the current user, the same way as was done above for the key vault.

Azure CLI:

az role assignment create --role "Key Vault Secrets Officer (preview)" --assignee {i.e. user@microsoft.com} --scope /subscriptions/{subscriptionid}/resourcegroups/{resource-group-name}/providers/Microsoft.KeyVault/vaults/{key-vault-name}/secrets/RBACSecret
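The three assignments above (Reader at resource-group scope, Secrets Officer at vault scope, Secrets Officer at the scope of one secret) together with the "enable the RBAC model" step can be scripted. The following is an added example, not code from the Azure documentation: it resolves role IDs from the built-in roles table so that the script keeps working when the "(preview)" suffix is dropped, builds the ARM scope strings for each level, and uses the az CLI parameters --assignee-object-id and --assignee-principal-type (not shown on this page) so that the assignee is not resolved by a directory lookup. The subscription, resource group, vault, secret and principal object IDs in the usage comment are placeholders; set AZ=echo to print the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example, not code from the Azure documentation: script the role assignments
# from the procedure above by role ID and switch an existing vault to the RBAC
# permission model. Set AZ=echo to dry-run the az commands without a subscription.
set -eu

AZ="${AZ:-az}"

# Built-in role IDs from the table above. IDs survive the removal of the
# "(preview)" suffix; names may not.
role_id() {
  case "$1" in
    "Key Vault Administrator")             echo 00482a5a-887f-4fb3-b363-3b7fe8e74483 ;;
    "Key Vault Certificates Officer")      echo a4417e6f-fecd-4de8-b567-7b0420556985 ;;
    "Key Vault Crypto Officer")            echo 14b46e9e-c2b7-41b4-b07b-48a6ebf60603 ;;
    "Key Vault Crypto Service Encryption") echo e147488a-f6f5-4113-8e2d-b22465e65bf6 ;;
    "Key Vault Crypto User")               echo 12338af0-0e69-4776-bea7-57ae8d297424 ;;
    "Key Vault Reader")                    echo 21090545-7ca7-4776-b22c-e363652d74d2 ;;
    "Key Vault Secrets Officer")           echo b86a8fe4-44ce-4948-aee5-eccb2c155cd7 ;;
    "Key Vault Secrets User")              echo 4633458b-17de-408a-b874-0445c86b69e6 ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# Build the ARM scope string for a role assignment.
# kv_scope <subscription-id> <resource-group> rg|vault|secret|key [vault-name] [object-name]
kv_scope() {
  local sub="$1" rg="$2" kind="$3" vault="${4:-}" obj="${5:-}"
  local base="/subscriptions/$sub/resourceGroups/$rg"
  case "$kind" in
    rg)     echo "$base" ;;
    vault)  echo "$base/providers/Microsoft.KeyVault/vaults/$vault" ;;
    secret) echo "$base/providers/Microsoft.KeyVault/vaults/$vault/secrets/$obj" ;;
    key)    echo "$base/providers/Microsoft.KeyVault/vaults/$vault/keys/$obj" ;;
    *) echo "unknown scope kind: $kind" >&2; return 1 ;;
  esac
}

# Assign a built-in role by ID. Passing the object ID and principal type avoids a
# directory lookup and makes the assignment unambiguous for service principals.
# assign_role <role name> User|Group|ServicePrincipal <object-id> <scope>
assign_role() {
  local role="$1" ptype="$2" oid="$3" scope="$4" id
  id="$(role_id "$role")" || return 1
  "$AZ" role assignment create \
    --role "$id" \
    --assignee-object-id "$oid" \
    --assignee-principal-type "$ptype" \
    --scope "$scope"
}

# Switch an existing vault to the RBAC model. From this point every access policy on
# the vault is ignored, so run this only after the equivalent roles are assigned.
enable_rbac_model() {
  local rg="$1" vault="$2"
  "$AZ" keyvault update --resource-group "$rg" --name "$vault" --enable-rbac-authorization true
}

# Usage with placeholder identifiers (assumed for this example):
#   SUB=00000000-0000-0000-0000-000000000000 RG=kv-rg VAULT=app-prod-kv
#   assign_role "Key Vault Reader"          User "$USER_OID" "$(kv_scope "$SUB" "$RG" rg)"
#   assign_role "Key Vault Secrets Officer" User "$USER_OID" "$(kv_scope "$SUB" "$RG" vault "$VAULT")"
#   assign_role "Key Vault Secrets User"    ServicePrincipal "$APP_OID" "$(kv_scope "$SUB" "$RG" secret "$VAULT" RBACSecret)"
#   enable_rbac_model "$RG" "$VAULT"
```

The order in the usage comment matters: the roles are assigned first and the permission model is flipped last, which is the sequence the Important note above calls for. The per-object scope for a key mirrors the secret form with /keys/{name}; the scope strings are case-insensitive in Azure Resource Manager, so resourceGroups and resourcegroups are equivalent.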

Test and verify

Note

Browsers use caching, so a page refresh is required after removing role assignments. Allow several minutes for role assignments to refresh.

  1. Validate adding a new secret without the "Key Vault Secrets Officer" role at the key vault level.

Go to the key vault's Access control (IAM) tab and remove the "Key Vault Secrets Officer (preview)" role assignment for this resource.

(Screenshot: Remove assignment - key vault)

Navigate to the previously created secret. You can still see all secret properties, because the secret-scope assignment remains in place.

(Screenshot: Secret view with access)

Creating a new secret (Secrets > + Generate/Import) should show the following error:

(Screenshot: Create new secret - error)

  2. Validate secret editing without the "Key Vault Secrets Officer" role at the secret level.
  • Go to the previously created secret's Access control (IAM) (preview) tab and remove the "Key Vault Secrets Officer (preview)" role assignment for this resource.

  • Navigate to the previously created secret. You can still see the secret's properties through the resource-group Reader assignment, but you can no longer edit it.

(Screenshot: Secret view without access)

  3. Validate reading secrets without the Reader role at the key vault level.
  • Go to the key vault's resource group Access control (IAM) tab and remove the "Key Vault Reader (preview)" role assignment.

  • Navigating to the key vault's Secrets tab should show the following error:

(Screenshot: Secrets tab - error)

Creating custom roles

az role definition create command

(CLI bash script)

# A newline is legal inside a single-quoted bash string, so no line continuations are
# needed. A backslash inside the quotes would be passed through as part of the JSON
# and make it unparseable. Operation names must match exactly (no trailing spaces).
az role definition create --role-definition '{
    "Name": "Backup Keys Operator",
    "Description": "Perform key backup/restore operations",
    "Actions": [],
    "DataActions": [
        "Microsoft.KeyVault/vaults/keys/read",
        "Microsoft.KeyVault/vaults/keys/backup/action",
        "Microsoft.KeyVault/vaults/keys/restore/action"
    ],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/{subscriptionId}"]
}'
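Before assigning a custom role it is worth checking which data-plane operations it actually grants. Azure RBAC grants an operation when it matches a DataActions pattern and no NotDataActions pattern of the same role, and the "*" wildcard matches across "/" segments; a shell case pattern has the same matching rules, which makes the evaluator below short. This is an added example, not code from the Azure documentation: it evaluates the "Backup Keys Operator" role above and a second, hypothetical "keys except restore" role that exists only to show wildcard and NotDataActions handling. The operation names decrypt/action, purge/action and getSecret/action are taken from the Microsoft.KeyVault provider operations and can be confirmed with `az provider operation show --namespace Microsoft.KeyVault`.

```shell
#!/usr/bin/env bash
# Added example, not code from the Azure documentation: evaluate which Key Vault
# data-plane operations a role definition grants (DataActions minus NotDataActions,
# "*" matching across path segments) using shell case patterns.
set -euf   # -f: never expand the patterns below against the filesystem

# The "Backup Keys Operator" custom role defined above.
BACKUP_KEYS_OPERATOR_DATA="Microsoft.KeyVault/vaults/keys/read
  Microsoft.KeyVault/vaults/keys/backup/action
  Microsoft.KeyVault/vaults/keys/restore/action"
BACKUP_KEYS_OPERATOR_NOTDATA=""

# Hypothetical role (an assumption for this example, not a built-in): every key
# operation except restore and purge.
KEYS_EXCEPT_RESTORE_DATA="Microsoft.KeyVault/vaults/keys/*"
KEYS_EXCEPT_RESTORE_NOTDATA="Microsoft.KeyVault/vaults/keys/restore/action
  Microsoft.KeyVault/vaults/keys/purge/action"

# matches_any <operation> <pattern list>: returns 0 if any pattern matches.
# The unquoted $pat is treated as a glob pattern by case; "*" also matches "/".
matches_any() {
  local op="$1" pat
  for pat in $2; do
    case "$op" in $pat) return 0 ;; esac
  done
  return 1
}

# allowed <operation> <DataActions> <NotDataActions>: 0 when this role grants it.
# NotDataActions only narrows this role; it is not a deny that overrides other
# assignments the principal may hold.
allowed() {
  local op="$1"
  matches_any "$op" "$2" || return 1
  if matches_any "$op" "$3"; then return 1; fi
  return 0
}

# report <label> <DataActions> <NotDataActions> <operation>...: one line per operation.
report() {
  local label="$1" data="$2" notdata="$3" op
  shift 3
  for op in "$@"; do
    if allowed "$op" "$data" "$notdata"; then
      echo "ALLOW  $label  $op"
    else
      echo "DENY   $label  $op"
    fi
  done
}

# The backup role can back up and restore keys but cannot use them or read secrets.
report "Backup Keys Operator" "$BACKUP_KEYS_OPERATOR_DATA" "$BACKUP_KEYS_OPERATOR_NOTDATA" \
  Microsoft.KeyVault/vaults/keys/backup/action \
  Microsoft.KeyVault/vaults/keys/decrypt/action \
  Microsoft.KeyVault/vaults/secrets/getSecret/action
# The wildcard role grants decrypt, and NotDataActions removes restore.
report "Keys except restore" "$KEYS_EXCEPT_RESTORE_DATA" "$KEYS_EXCEPT_RESTORE_NOTDATA" \
  Microsoft.KeyVault/vaults/keys/decrypt/action \
  Microsoft.KeyVault/vaults/keys/restore/action
```

Run the script to see the ALLOW/DENY table. The check that usually matters is the one the wildcard role illustrates: a DataActions entry ending in "*" grants every current and future operation under that prefix, including purge, unless each unwanted one is listed in NotDataActions, and NotDataActions does not block the operation if a second assignment grants it.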

For more information about how to create custom roles, see:

Azure custom roles

Known limits and performance

  • 2000 Azure role assignments per subscription

  • Role assignment latency: at the currently expected performance, it takes up to 10 minutes (600 seconds) after a role assignment is changed for the role to be applied

Learn more