Troubleshooting Azure key vault access policy issues

Frequently asked questions

I am not able to list or get secrets/keys/certificates. I am seeing a "Something went wrong.." error.

If you are having problems listing, getting, creating, or otherwise accessing a secret, make sure that an access policy is defined that grants you that operation: Key Vault Access Policies

How can I identify how and when key vaults are accessed?

After you create one or more key vaults, you'll likely want to monitor how and when your key vaults are accessed, and by whom. You can do this by enabling logging for Azure Key Vault; for a step-by-step guide to enabling logging, read more.

How can I monitor vault availability, service latency, or other performance metrics for Key Vault?

As you scale your service, the number of requests sent to your key vault will rise. That demand can increase the latency of your requests and, in extreme cases, cause your requests to be throttled, which will affect the performance of your service. You can monitor key vault performance metrics and be alerted on specific thresholds; for a step-by-step guide to configuring monitoring, read more.

I am not able to modify an access policy. How can this be enabled?

The user needs sufficient Azure AD permissions to modify access policies. In this case, the user needs the higher-privileged Contributor role.

I am seeing an 'Unknown Policy' error. What does that mean?

There are two different reasons an access policy may appear in the Unknown section:

  • A user who previously had access no longer exists in the directory, for whatever reason.
  • The access policy was added via PowerShell using the application's object ID instead of the service principal's object ID.

How can I assign access control per key vault object?

Availability of the per-secret/key/certificate access control feature will be announced here; read more.

How can I authenticate to Key Vault using an access control policy?

The simplest way to authenticate a cloud-based application to Key Vault is with a managed identity; see Authenticate to Azure Key Vault for details. If you are creating an on-premises application, doing local development, or otherwise unable to use a managed identity, you can instead register a service principal manually and grant it access to your key vault using an access control policy. See Assign an access control policy.

How can I give an AD group access to the key vault?

Give the AD group permissions to your key vault using the Azure CLI az keyvault set-policy command or the Azure PowerShell Set-AzKeyVaultAccessPolicy cmdlet. See Assign an access policy - CLI and Assign an access policy - PowerShell.

The application also needs at least one Identity and Access Management (IAM) role assignment on the key vault. Otherwise it will not be able to log in and will fail with insufficient rights to access the subscription. Azure AD groups with managed identities may require up to eight hours to refresh tokens and take effect.

How can I redeploy Key Vault with an ARM template without deleting existing access policies?

Currently, redeploying a key vault deletes every access policy on the key vault and replaces them with the access policies in the ARM template. There is no incremental option for Key Vault access policies. To preserve access policies, you need to read the existing access policies from the key vault and populate the ARM template with them, so that the redeployment causes no access outage.
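The following is an added example, not code from the page or from Microsoft, that shows the two checks described above: it takes the access policies of an existing vault (the JSON shape that `az keyvault show --query properties.accessPolicies -o json` returns, constructed here with placeholder IDs), flags the entries that the directory no longer resolves and that the portal would list under "Unknown", and merges the remaining policies into an ARM template fragment so a redeployment keeps them. The set of known object IDs stands in for a directory lookup and is an assumption of the example.

```python
import json

# Constructed sample: what `az keyvault show --query properties.accessPolicies -o json`
# returns for an existing vault. All IDs are made-up placeholders.
EXISTING_POLICIES = json.loads("""
[
  {"tenantId": "00000000-0000-0000-0000-00000000aaaa",
   "objectId": "11111111-1111-1111-1111-111111111111",
   "permissions": {"secrets": ["get", "list"], "keys": [], "certificates": []}},
  {"tenantId": "00000000-0000-0000-0000-00000000aaaa",
   "objectId": "22222222-2222-2222-2222-222222222222",
   "permissions": {"secrets": ["get"], "keys": ["sign"], "certificates": []}}
]
""")

# Constructed sample standing in for a directory lookup: object IDs that still
# resolve to a user, group, or service principal. 2222... is missing, as happens
# for a deleted user or when an application's object ID was used instead of the
# service principal's; the portal shows such entries as "Unknown".
KNOWN_OBJECT_IDS = {"11111111-1111-1111-1111-111111111111",
                    "33333333-3333-3333-3333-333333333333"}

# Constructed ARM template fragment that already declares one policy of its own.
TEMPLATE = {"resources": [{"type": "Microsoft.KeyVault/vaults", "name": "kv-placeholder",
    "properties": {"accessPolicies": [
        {"tenantId": "00000000-0000-0000-0000-00000000aaaa",
         "objectId": "33333333-3333-3333-3333-333333333333",
         "permissions": {"secrets": ["get"], "keys": [], "certificates": []}}]}}]}


def find_unknown_policies(policies, known_object_ids):
    """Return the policies whose objectId the directory does not resolve."""
    return [p for p in policies if p["objectId"] not in known_object_ids]


def merge_access_policies(template, existing, known_object_ids):
    """Carry the vault's existing policies into the template so redeployment keeps them.
    A policy the template already declares (same tenantId + objectId) wins, and stale
    'Unknown' entries are dropped instead of being preserved."""
    vault = next(r for r in template["resources"] if r["type"] == "Microsoft.KeyVault/vaults")
    merged = list(vault["properties"].get("accessPolicies", []))
    declared = {(p["tenantId"], p["objectId"]) for p in merged}
    for p in existing:
        key = (p["tenantId"], p["objectId"])
        if key in declared or p["objectId"] not in known_object_ids:
            continue
        merged.append(p)
        declared.add(key)
    vault["properties"]["accessPolicies"] = merged
    return template
```

Write the returned template out with `json.dump` and deploy it; review the flagged unknown entries separately before deciding whether any of them should be re-created against the correct service principal object ID.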

Another option that can help in this scenario is using Azure RBAC and roles as an alternative to access policies. With Azure RBAC, you can redeploy the key vault without specifying the policies again. You can read more about this solution here.

What are the best practices I should follow when my key vault is getting throttled?

Follow the best practices documented here.

Next steps

Learn how to troubleshoot key vault authentication errors: Key Vault Troubleshooting Guide.