Secure access to a key vault

Azure Key Vault is a cloud service that safeguards encryption keys and secrets such as certificates, connection strings, and passwords. Because this data is sensitive and business critical, you need to secure access to your key vaults by allowing only authorized applications and users. This article provides an overview of the Key Vault access model. It explains authentication and authorization and describes how to secure access to your key vaults.

Access model overview

Access to a key vault is controlled through two interfaces: the management plane and the data plane. The management plane is where you manage Key Vault itself. Operations in this plane include creating and deleting key vaults, retrieving Key Vault properties, and updating access policies. The data plane is where you work with the data stored in a key vault: you add, delete, and modify keys, secrets, and certificates.

To access a key vault in either plane, all callers (users or applications) must have proper authentication and authorization. Authentication establishes the identity of the caller. Authorization determines which operations the caller can execute.

Both planes use Azure Active Directory (Azure AD) for authentication. For authorization, the management plane uses Azure role-based access control (Azure RBAC); the data plane uses either Key Vault access policies or Azure RBAC (preview).

Active Directory authentication

When you create a key vault in an Azure subscription, it's automatically associated with the Azure AD tenant of the subscription. All callers in both planes must be registered in this tenant and authenticate before they can access the key vault. In both planes, applications can access Key Vault in the following ways:

  • Application-only: The application represents a service or background job. This identity is the most common scenario for applications that periodically need to access certificates, keys, or secrets from the key vault. For this scenario to work, the objectId of the application must be specified in the access policy, and the applicationId must not be specified or must be null.
  • User-only: The user accesses the key vault from any application registered in the tenant. Examples of this type of access include Azure PowerShell and the Azure portal. For this scenario to work, the objectId of the user must be specified in the access policy, and the applicationId must not be specified or must be null.
  • Application-plus-user (sometimes referred to as compound identity): The user is required to access the key vault from a specific application, and the application must use the on-behalf-of (OBO) authentication flow to impersonate the user. For this scenario to work, both applicationId and objectId must be specified in the access policy. The applicationId identifies the required application, and the objectId identifies the user. This option is currently not available for data plane Azure RBAC (preview).

In all types of access, the application authenticates with Azure AD, using whichever supported authentication method fits its application type. The application acquires a token for the resource of the plane it needs; that resource is the management-plane or data-plane endpoint of the Azure environment. The application then presents the token in its REST API request to Key Vault. To learn more, review the whole authentication flow.

Using a single authentication mechanism for both planes has several benefits:

  • Organizations can control access centrally to all key vaults in their organization.
  • If a user leaves, they instantly lose access to all key vaults in the organization.
  • Organizations can customize authentication by using the options in Azure AD, such as enabling multi-factor authentication for added security.

Resource endpoints

Applications access the planes through endpoints. The access controls for the two planes work independently. To grant an application access to use keys in a key vault, you grant data plane access by using a Key Vault access policy or Azure RBAC (preview). To grant a user read access to Key Vault properties and tags but not to the data (keys, secrets, or certificates), you grant management plane access with Azure RBAC.

The following table shows the endpoints for the management and data planes.

Access plane       Access endpoint                    Operations                                              Access control mechanism
Management plane   management.chinacloudapi.cn:443    Create, read, update, and delete key vaults;            Azure RBAC
                                                      set Key Vault access policies; set Key Vault tags
Data plane         <vault-name>.vault.azure.cn:443    Keys: decrypt, encrypt, unwrap, wrap, verify, sign,     Key Vault access policy or Azure RBAC (preview)
                                                      get, list, update, create, import, delete, backup,
                                                      restore
                                                      Secrets: get, list, set, delete

Management plane and Azure RBAC

In the management plane, you use Azure role-based access control (Azure RBAC) to authorize the operations a caller can execute. In the Azure RBAC model, each Azure subscription is associated with an Azure AD tenant, and you grant access to users, groups, and applications from that directory. Access is granted to manage resources in the Azure subscription that use the Azure Resource Manager deployment model.

You create a key vault in a resource group and manage access by using Azure AD. You grant users or groups the ability to manage the key vaults in a resource group by assigning appropriate Azure roles at a specific scope. For example, to let a user manage key vaults, you assign the predefined Key Vault Contributor role to that user at the scope you choose. An Azure role can be assigned at the following scope levels:

  • Subscription: An Azure role assigned at the subscription level applies to all resource groups and resources within that subscription.
  • Resource group: An Azure role assigned at the resource group level applies to all resources in that resource group.
  • Specific resource: An Azure role assigned for a specific resource applies to that resource only. In this case, the resource is a specific key vault.

There are several predefined roles. If a predefined role doesn't fit your needs, you can define your own role. For more information, see Azure built-in roles.

Important

If a user has Contributor permissions on a key vault's management plane, the user can grant themselves access to the data plane by setting a Key Vault access policy. Tightly control who has Contributor role access to your key vaults, and ensure that only authorized persons can access and manage your key vaults, keys, secrets, and certificates.
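The following is an added example, not code from this page or from Azure. It models the scope inheritance described above (subscription covers resource groups, resource group covers its resources, resource covers itself) as a segment-aware prefix match on Azure Resource Manager IDs, and uses it to answer the question raised in the Important note: which principals hold a role on a given vault that lets them set its access policies, and therefore grant themselves data plane access. The role set, the resource IDs and the principal names are constructed for the example, and the check assumes the vault uses the access-policy permission model.

```python
"""Model of Azure RBAC scope inheritance on the Key Vault management plane.

Added example, not Azure's authorization engine.  ARM scopes nest by
resource-ID prefix, which gives the three scope levels listed above.  Roles
are reduced to the single property the Important note is about: can the
holder write the vault's access policies?  Owner, Contributor and Key Vault
Contributor can; Reader and a VM-deploy-only role cannot.  All IDs below are
constructed, and the vault is assumed to use the access-policy model.
"""
from dataclasses import dataclass
from typing import List, Set

SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000001"
APP_RG = SUBSCRIPTION + "/resourceGroups/contoso-app-rg"
APP_VAULT = APP_RG + "/providers/Microsoft.KeyVault/vaults/contoso-app-kv"
LOGS_RG = SUBSCRIPTION + "/resourceGroups/contoso-app-rg-logs"   # shares a string prefix with APP_RG
LOGS_VAULT = LOGS_RG + "/providers/Microsoft.KeyVault/vaults/contoso-logs-kv"

# Built-in roles that can set access policies on a vault (constructed subset).
ACCESS_POLICY_WRITERS = {"Owner", "Contributor", "Key Vault Contributor"}


@dataclass(frozen=True)
class RoleAssignment:
    principal_id: str
    role: str
    scope: str


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """Segment-aware prefix test: '/resourceGroups/contoso-app-rg' must not
    cover '/resourceGroups/contoso-app-rg-logs'."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def effective_roles(assignments: List[RoleAssignment], principal_id: str,
                    resource_id: str) -> Set[str]:
    """Roles a principal holds on a resource through any enclosing scope."""
    return {a.role for a in assignments
            if a.principal_id == principal_id and scope_covers(a.scope, resource_id)}


def can_self_grant_data_plane(assignments: List[RoleAssignment],
                              principal_id: str, vault_id: str) -> bool:
    """True when the principal could add an access policy for themselves."""
    return bool(effective_roles(assignments, principal_id, vault_id) & ACCESS_POLICY_WRITERS)


def principals_to_review(assignments: List[RoleAssignment], vault_id: str) -> List[str]:
    """Everyone who belongs on the tightly controlled list for this vault."""
    return sorted({a.principal_id for a in assignments
                   if can_self_grant_data_plane(assignments, a.principal_id, vault_id)})


# Constructed assignments mirroring the roles in the example later on this page.
SAMPLE_ASSIGNMENTS = [
    RoleAssignment("security-team", "Key Vault Contributor", APP_RG),
    RoleAssignment("devops", "Virtual Machine Contributor", APP_RG),
    RoleAssignment("auditors", "Reader", SUBSCRIPTION),
    RoleAssignment("platform-admin", "Contributor", SUBSCRIPTION),
    RoleAssignment("logs-owner", "Owner", LOGS_RG),
]

if __name__ == "__main__":
    for vault in (APP_VAULT, LOGS_VAULT):
        print(vault.rsplit("/", 1)[-1], "->", principals_to_review(SAMPLE_ASSIGNMENTS, vault))
```

The subscription-level Contributor shows up on every vault in the subscription even though no one assigned it on a vault; that inherited path is what the Important note asks you to review, not only the assignments made directly on the vault.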

Data plane and access policies

You grant data plane access by setting Key Vault access policies for a key vault. To set these access policies, a user, group, or application must have Contributor permissions on the management plane for that key vault.

You grant a user, group, or application access to execute specific operations on keys, secrets, or certificates in a key vault. Key Vault supports up to 1,024 access policy entries per key vault. To grant data plane access to several users, create an Azure AD security group, add the users to that group, and grant the group access with a single entry.

You can see the full list of vault and secret operations here: Key Vault Operation Reference.

Key Vault access policies grant permissions separately to keys, secrets, and certificates. Access permissions for keys, secrets, and certificates are at the vault level.

Important

Key Vault access policies apply at the vault level. When a user is granted permission to create and delete keys, they can perform those operations on all keys in that key vault. Key Vault access policies don't support granular, object-level permissions for a specific key, secret, or certificate.
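The following is an added example, not code from this page or from Azure. It models how an access policy entry is matched against a caller, covering the three identity modes from the Active Directory authentication section (application-only and user-only entries keyed on objectId, compound-identity entries keyed on objectId plus applicationId) and the vault-level permission model from this section, including the 1,024-entry limit. The token is reduced to its `oid` and `appid` claims, group membership is taken from the caller (an assumption of the model; the service resolves it from Azure AD), and every identifier, policy entry and caller below is constructed.

```python
"""Model of Key Vault access-policy evaluation.

Added example, not Azure's implementation.  Encodes the rules stated on this
page: an entry matches on objectId alone (application-only, user-only) or on
objectId plus applicationId (compound identity via the on-behalf-of flow);
permissions are listed per object type and cover every object in the vault;
a vault holds at most 1,024 entries.  All identifiers are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

MAX_ACCESS_POLICY_ENTRIES = 1024


@dataclass(frozen=True)
class Caller:
    object_id: str                              # oid claim: user or service principal
    app_id: str                                 # appid claim: application that obtained the token
    group_ids: FrozenSet[str] = frozenset()     # Azure AD security groups (assumed to come with the token)


@dataclass(frozen=True)
class AccessPolicyEntry:
    object_id: str
    permissions: Dict[str, FrozenSet[str]]      # "keys" | "secrets" | "certificates" -> operations
    application_id: Optional[str] = None        # set only on a compound-identity entry


def entry_matches(entry: AccessPolicyEntry, caller: Caller) -> bool:
    """A compound entry binds one user to one application; every other entry
    is keyed on objectId, directly or through a group."""
    if entry.application_id is not None:
        return entry.object_id == caller.object_id and entry.application_id == caller.app_id
    return entry.object_id == caller.object_id or entry.object_id in caller.group_ids


def is_allowed(policies: List[AccessPolicyEntry], caller: Caller,
               object_type: str, operation: str) -> bool:
    """Vault-level decision.  There is deliberately no object-name parameter:
    'get' on keys covers every key in the vault."""
    if len(policies) > MAX_ACCESS_POLICY_ENTRIES:
        raise ValueError("a vault supports at most 1,024 access policy entries")
    return any(entry_matches(e, caller)
               and operation in e.permissions.get(object_type, frozenset())
               for e in policies)


# Constructed sample following the scenario later on this page.
SECURITY_TEAM_GROUP = "11111111-1111-1111-1111-111111111111"
APP_SERVICE_PRINCIPAL = "22222222-2222-2222-2222-222222222222"   # oid of the app's managed identity
APP_ID = "33333333-3333-3333-3333-333333333333"
ALICE = "44444444-4444-4444-4444-444444444444"
APPROVED_TOOL_APP_ID = "55555555-5555-5555-5555-555555555555"
PORTAL_APP_ID = "66666666-6666-6666-6666-666666666666"            # stand-in for the portal's app id

ALL_KEY_OPS = frozenset({"get", "list", "update", "create", "import", "delete", "backup", "restore",
                         "encrypt", "decrypt", "wrapKey", "unwrapKey", "sign", "verify"})
ALL_SECRET_OPS = frozenset({"get", "list", "set", "delete"})
ALL_CERT_OPS = frozenset({"get", "list", "create", "import", "update", "delete"})   # subset, for the sample

SAMPLE_POLICIES = [
    # user-only access for the whole security team, granted once through a group
    AccessPolicyEntry(SECURITY_TEAM_GROUP,
                      {"keys": ALL_KEY_OPS, "secrets": ALL_SECRET_OPS, "certificates": ALL_CERT_OPS}),
    # application-only: the deployed app reads secrets and certificates, nothing else
    AccessPolicyEntry(APP_SERVICE_PRINCIPAL,
                      {"secrets": frozenset({"get", "list"}), "certificates": frozenset({"get", "list"})}),
    # compound identity: Alice may read keys, but only from the approved tool
    AccessPolicyEntry(ALICE, {"keys": frozenset({"get", "list"})}, application_id=APPROVED_TOOL_APP_ID),
]


def demo() -> Dict[str, bool]:
    """Decisions for a few constructed callers."""
    app = Caller(APP_SERVICE_PRINCIPAL, APP_ID)
    alice_tool = Caller(ALICE, APPROVED_TOOL_APP_ID)
    alice_portal = Caller(ALICE, PORTAL_APP_ID)
    bob = Caller("77777777-7777-7777-7777-777777777777", PORTAL_APP_ID, frozenset({SECURITY_TEAM_GROUP}))
    return {
        "app reads secret": is_allowed(SAMPLE_POLICIES, app, "secrets", "get"),
        "app deletes secret": is_allowed(SAMPLE_POLICIES, app, "secrets", "delete"),
        "app reads key": is_allowed(SAMPLE_POLICIES, app, "keys", "get"),
        "alice via tool": is_allowed(SAMPLE_POLICIES, alice_tool, "keys", "list"),
        "alice via portal": is_allowed(SAMPLE_POLICIES, alice_portal, "keys", "list"),
        "bob via group": is_allowed(SAMPLE_POLICIES, bob, "keys", "delete"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Note what the model cannot express: there is no way to grant Alice `get` on one key but not another, which is exactly the limitation the Important note describes. If you need per-object scoping, that is a reason to move the vault to the Azure RBAC (preview) model described next.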

Data plane and Azure RBAC (preview)

Azure role-based access control is an alternative permission model for controlling access to the Azure Key Vault data plane, enabled per key vault. The Azure RBAC permission model is exclusive: once it's set, the vault's access policies become inactive. Azure Key Vault defines a set of Azure built-in roles that encompass common sets of permissions used to access keys, secrets, or certificates.

When an Azure role is assigned to an Azure AD security principal, Azure grants that principal access to the resources in scope. Access can be scoped to the subscription, the resource group, the key vault, or an individual key, secret, or certificate. An Azure AD security principal may be a user, a group, an application service principal, or a managed identity for Azure resources.

Key benefits of Azure RBAC permissions over vault access policies are centralized access control management and integration with Privileged Identity Management (PIM). PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about.

Firewalls and virtual networks

For an additional layer of security, you can configure firewalls and virtual network rules. You can configure Key Vault firewalls and virtual networks to deny access to traffic from all networks (including internet traffic) by default, and then grant access to traffic from specific Azure virtual networks and public internet IP address ranges. This lets you build a secure network boundary for your applications.

Here are some examples of how you might use these rules:

  • You are using Key Vault to store encryption keys, application secrets, and certificates, and you want to block access to your key vault from the public internet.
  • You want to lock down access to your key vault so that only your application, or a short list of designated hosts, can connect to it.
  • You have an application running in your Azure virtual network, and this virtual network is locked down for all inbound and outbound traffic. Your application still needs to connect to Key Vault to fetch secrets or certificates, or to use cryptographic keys.

Note

Key Vault firewalls and virtual network rules apply only to the Key Vault data plane. Key Vault control plane operations (such as creating, deleting, and modifying vaults, setting access policies, and setting firewall and virtual network rules) are not affected by firewall and virtual network rules.
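The following is an added example, not code from this page or from Azure. It models the rule evaluation this section describes: with the default action set to Deny, a data-plane request is accepted only when its public source address falls inside an allowed range or it arrives from an allowed virtual network subnet, while a management-plane request passes regardless. The `lockdown_findings` review is a practitioner check added here, not something the page describes. The IP ranges, subnet ID and requests are constructed.

```python
"""Model of Key Vault firewall and virtual network rule evaluation.

Added example, not the service's code.  Encodes what this section states:
default action Deny, allow-listed public IP ranges, allow-listed virtual
network subnets, and no filtering at all on the management plane.
Addresses, subnet IDs and requests are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class NetworkRules:
    default_action: str = "Deny"                         # "Allow" disables filtering entirely
    ip_rules: List[str] = field(default_factory=list)    # public IPv4 CIDRs or single addresses
    subnet_ids: List[str] = field(default_factory=list)  # ARM IDs of subnets allowed through a service endpoint


@dataclass(frozen=True)
class Request:
    plane: str                              # "data" or "management"
    source_ip: Optional[str] = None         # public source address as seen by the service
    source_subnet_id: Optional[str] = None  # set when the request arrives over a service endpoint


def ip_in_rules(rules: NetworkRules, source_ip: str) -> bool:
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(rule, strict=False) for rule in rules.ip_rules)


def is_request_allowed(rules: NetworkRules, req: Request) -> bool:
    if req.plane == "management":
        return True                           # control plane is governed by Azure RBAC only
    if rules.default_action.lower() == "allow":
        return True
    allowed_subnets = {s.lower() for s in rules.subnet_ids}
    if req.source_subnet_id and req.source_subnet_id.lower() in allowed_subnets:
        return True
    return bool(req.source_ip) and ip_in_rules(rules, req.source_ip)


def lockdown_findings(rules: NetworkRules) -> List[str]:
    """Configuration review: does this rule set actually form a boundary?"""
    findings = []
    if rules.default_action.lower() != "deny":
        findings.append("default action is Allow: IP and virtual network rules are not enforced")
    for rule in rules.ip_rules:
        if ipaddress.ip_network(rule, strict=False).prefixlen == 0:
            findings.append(f"IP rule {rule} allows every address")
    if rules.default_action.lower() == "deny" and not rules.ip_rules and not rules.subnet_ids:
        findings.append("default action Deny with no IP or subnet rules: no network source is allowed")
    return findings


# Constructed sample: corporate egress range, one admin host, the app's subnet.
APP_SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/contoso-app-rg"
              "/providers/Microsoft.Network/virtualNetworks/app-vnet/subnets/app-subnet")
SAMPLE_RULES = NetworkRules(default_action="Deny",
                            ip_rules=["203.0.113.0/24", "198.51.100.7"],
                            subnet_ids=[APP_SUBNET])

if __name__ == "__main__":
    for req in (Request("data", source_ip="203.0.113.25"),
                Request("data", source_ip="192.0.2.5"),
                Request("data", source_subnet_id=APP_SUBNET),
                Request("management", source_ip="192.0.2.5")):
        print(req, "->", is_request_allowed(SAMPLE_RULES, req))
    print(lockdown_findings(SAMPLE_RULES))
```

The management-plane branch is the point the Note makes: a locked-down firewall does nothing to stop someone with Contributor rights from changing the access policies or the firewall rules themselves, so network rules complement the RBAC controls above rather than replace them.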

Example

In this example, we're developing an application that uses a certificate for TLS/SSL, Azure Storage to store data, and an RSA 2,048-bit key for encrypting data in Azure Storage. Our application runs in an Azure virtual machine (VM) or a virtual machine scale set. We can use a key vault to store the application secrets, including the bootstrap certificate that the application uses to authenticate with Azure AD.

We need access to the following stored keys and secrets:

  • TLS/SSL certificate: Used for TLS/SSL.
  • Storage key: Used to access the storage account.
  • RSA 2,048-bit key: Used by Azure Storage to wrap and unwrap the data encryption key.
  • Application managed identity: Used to authenticate with Azure AD. After access to Key Vault is granted, the application can fetch the storage key and certificate.

We need to define the following roles to specify who can manage, deploy, and audit our application:

  • Security team: IT staff from the office of the CSO (Chief Security Officer) or similar contributors. The security team is responsible for the proper safekeeping of secrets. The secrets can include TLS/SSL certificates, RSA keys for encryption, connection strings, and storage account keys.
  • Developers and operators: The staff who develop the application and deploy it in Azure. The members of this team aren't part of the security staff. They shouldn't have access to sensitive data like TLS/SSL certificates and RSA keys. Only the application that they deploy should have access to sensitive data.
  • Auditors: This role is for contributors who aren't members of the development or general IT staff. They review the use and maintenance of certificates, keys, and secrets to ensure compliance with security standards.

There's another role that's outside the scope of our application: the subscription (or resource group) administrator. The subscription admin sets up initial access permissions for the security team by granting the team access to a resource group that holds the resources required by the application.

We need to authorize the following operations for our roles:

Security team

  • Create key vaults.
  • Turn on Key Vault logging.
  • Add keys and secrets.
  • Create backups of keys for disaster recovery.
  • Set Key Vault access policies and assign roles to grant users and applications permission to perform specific operations.
  • Roll the keys and secrets periodically.

Developers and operators

  • Get references from the security team for the bootstrap and TLS/SSL certificates (thumbprints), the storage key (secret URI), and the RSA key used for wrap/unwrap (key URI).
  • Develop and deploy the application to access certificates and secrets programmatically.

Auditors

  • Review the Key Vault logs to confirm proper use of keys and secrets, and compliance with data security standards.

The following table summarizes the access permissions for our roles and application.

Role                       Management plane permissions    Data plane permissions - vault access policies          Data plane permissions - Azure RBAC (preview)
Security team              Key Vault Contributor           Certificates: all operations                            Key Vault Administrator (preview)
                                                           Keys: all operations
                                                           Secrets: all operations
Developers and operators   Key Vault deploy permission     None                                                    None
                           (allows deployed VMs to fetch
                           secrets from a key vault)
Auditors                   None                            Certificates: list                                      Key Vault Reader (preview)
                                                           Keys: list
                                                           Secrets: list
                                                           (lets auditors inspect attributes such as tags,
                                                           activation dates and expiration dates that are not
                                                           emitted in the logs)
Azure Storage account      None                            Keys: get, list, wrapKey, unwrapKey                     Key Vault Crypto Service Encryption
Application                None                            Secrets: get, list                                      Key Vault Reader (preview), Key Vault Secret User (preview)
                                                           Certificates: get, list

The three team roles need access to other resources along with their Key Vault permissions. To deploy VMs (or the Web Apps feature of Azure App Service), developers and operators need deploy access. Auditors need read access to the storage account where the Key Vault logs are stored.

Our example describes a simple scenario; real-life scenarios can be more complex, and you can adjust permissions to your key vault based on your needs. We assumed the security team provides the key and secret references (URIs and thumbprints) that the DevOps staff use in their applications, so developers and operators don't require any data plane access. We focused on how to secure your key vault.

Note

This example shows how Key Vault access is locked down in production. Developers should have their own subscription or resource group with full permissions to manage the vaults, VMs, and storage account they use while developing the application.


Next steps

Authenticate to Azure Key Vault

Assign a Key Vault access policy

Assign an Azure role to access keys, secrets, and certificates

Configure Key Vault firewalls and virtual networks