Provide Key Vault authentication with an access control policy

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

The simplest way to authenticate a cloud-based application to Key Vault is with a managed identity; see Use an App Service managed identity to access Azure Key Vault for details. If you are creating an on-premises application, doing local development, or otherwise unable to use a managed identity, you can instead register a service principal manually and provide access to your key vault using an access control policy.

Key Vault supports up to 1024 access policy entries, each granting a distinct set of permissions to a "principal". For example, this is how the console app in the Azure Key Vault client library for .NET quickstart accesses the key vault.

For full details on Key Vault access control, see Azure Key Vault security: Identity and access management. For full details on keys, secrets, and certificates access control, see:

Prerequisites

Grant access to your key vault

Each key vault access policy entry grants a distinct set of permissions to a principal:

  • An application. If the application is cloud-based, you should instead use a managed identity to access Azure Key Vault, if possible.
  • An Azure AD group. Although Key Vault only supports 1024 access policy entries, you can add multiple applications and users to a single Azure AD group, and then add that group as a single entry to your access control policy.
  • A user. Giving users direct access to a key vault is discouraged. Ideally, users should be added to an Azure AD group, which is in turn given access to the key vault. See Azure Key Vault security: Identity and access management.

Get the objectID

To give an application, Azure AD group, or user access to your key vault, you must first obtain its objectId.

Applications

The objectId for an application corresponds to its associated service principal. For full details on service principals, see Application and service principal objects in Azure Active Directory.

There are two ways to obtain an objectId for an application. The first is to register your application with Azure Active Directory. To do so, follow the steps in the quickstart Register an application with the Microsoft identity platform. When registration is complete, the objectID will be listed as the "Application (client) ID".

The second is to create a service principal in a terminal window. With the Azure CLI, use the az ad sp create-for-rbac command.

az ad sp create-for-rbac -n "http://mySP"

The objectId will be listed in the output as clientID.

With Azure PowerShell, use the New-AzADServicePrincipal cmdlet.

New-AzADServicePrincipal -DisplayName mySP

The objectId will be listed in the output as Id (not ApplicationId).

Azure AD Groups

You can add multiple applications and users to an Azure AD group, and then give the group access to your key vault. For more details, see the Creating and adding members to an Azure AD group section, below.

To find the objectId of an Azure AD group with the Azure CLI, use the az ad group list command. Because of the large number of groups that may be in your organization, you should also provide a search string to the --display-name parameter.

az ad group list --display-name <search-string>

The objectId will be returned in the JSON:

    "objectId": "48b21bfb-74d6-48d2-868f-ff9eeaf38a64",
    "objectType": "Group",
    "odata.type": "Microsoft.DirectoryServices.Group",

To find the objectId of an Azure AD group with Azure PowerShell, use the Get-AzADGroup cmdlet. Because of the large number of groups that may be in your organization, you will probably wish to also provide a search string to the -SearchString parameter.

Get-AzADGroup -SearchString <search-string>

In the output, the objectId is listed as Id:

...
Id                    : 1cef38c4-388c-45a9-b5ae-3d88375e166a
...

Users

You can also add an individual user to a key vault's access control policy. We do not recommend this. We instead encourage you to add users to an Azure AD group, and add the group to the policy.

If you nonetheless wish to find a user with the Azure CLI, use the az ad user show command, passing the user's email address to the --id parameter.

az ad user show --id <email-address-of-user>

The user's objectId will be returned in the output:

  ...
  "objectId": "f76a2a6f-3b6d-4735-9abd-14dccbf70fd9",
  "objectType": "User",
  ...

To find a user with Azure PowerShell, use the Get-AzADUser cmdlet, passing the user's email address to the -UserPrincipalName parameter.

Get-AzADUser -UserPrincipalName <email-address-of-user>

The user's objectId will be returned in the output as Id:

...
Id                : f76a2a6f-3b6d-4735-9abd-14dccbf70fd9
Type              :

Give the principal access to your key vault

Now that you have the objectID of your principal, you can create an access policy for your key vault that gives it get, list, set, and delete permissions for both keys and secrets, plus any additional permissions you wish.

With the Azure CLI, this is done with the az keyvault set-policy command, passing the objectId to the --object-id parameter (or, as in the example below, the service principal's application ID to --spn).

az keyvault set-policy -n <your-unique-keyvault-name> --spn <ApplicationID-of-your-service-principal> --secret-permissions get list set delete --key-permissions create decrypt delete encrypt get list unwrapKey wrapKey

With Azure PowerShell, this is done by passing the objectId to the -ObjectId parameter of the Set-AzKeyVaultAccessPolicy cmdlet.

Set-AzKeyVaultAccessPolicy -VaultName <your-key-vault-name> -PermissionsToKeys create,decrypt,delete,encrypt,get,list,unwrapKey,wrapKey -PermissionsToSecrets get,list,set,delete -ObjectId <objectId-of-your-principal>
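As an added example (not part of the original article or of the Azure tooling), the following Python script reviews a vault's access policy entries against the guidance above: it flags entries that grant a user directly rather than through a group, entries whose objectId no longer resolves in the directory, destructive key or secret permissions, and headroom against the 1024-entry limit. The policy list and the objectId-to-objectType lookup are constructed samples in the shape of the `az keyvault show` and `az ad group list` / `az ad user show` outputs; the objectIds are hypothetical placeholders.

```python
import json

# Constructed sample in the shape of `az keyvault show --query properties.accessPolicies`;
# the objectIds are hypothetical placeholders, not values from the article.
ACCESS_POLICIES_JSON = """[
  {"objectId": "11111111-1111-1111-1111-111111111111",
   "permissions": {"keys": ["get", "list", "unwrapKey", "wrapKey"], "secrets": ["get", "list"]}},
  {"objectId": "22222222-2222-2222-2222-222222222222",
   "permissions": {"keys": ["get", "list", "delete", "purge"], "secrets": ["get", "set", "delete"]}},
  {"objectId": "33333333-3333-3333-3333-333333333333",
   "permissions": {"keys": ["get"], "secrets": ["get"], "certificates": ["get", "list"]}},
  {"objectId": "44444444-4444-4444-4444-444444444444",
   "permissions": {"keys": ["get"]}}
]"""

# Constructed objectId -> objectType map, as `az ad group list` / `az ad user show` report it.
# The fourth vault entry is deliberately absent, modelling a principal deleted from the tenant.
DIRECTORY = {
    "11111111-1111-1111-1111-111111111111": "ServicePrincipal",
    "22222222-2222-2222-2222-222222222222": "User",
    "33333333-3333-3333-3333-333333333333": "Group",
}

MAX_ENTRIES = 1024   # Key Vault's per-vault access policy entry limit
HEADROOM = 100       # warn this many entries before the limit is reached
DESTRUCTIVE = {"delete", "purge"}

def audit_access_policies(policies_json, directory):
    """Return human-readable findings for one vault's access policy entries."""
    policies = json.loads(policies_json)
    findings = []
    if len(policies) > MAX_ENTRIES - HEADROOM:
        findings.append(f"{len(policies)} entries: close to the {MAX_ENTRIES} limit, "
                        "consolidate principals into Azure AD groups")
    for entry in policies:
        oid = entry["objectId"]
        kind = directory.get(oid)
        if kind is None:
            findings.append(f"{oid}: not found in the directory, likely a stale entry")
        elif kind == "User":
            findings.append(f"{oid}: direct user grant, prefer membership in an Azure AD group")
        for scope, granted in entry["permissions"].items():
            risky = sorted(DESTRUCTIVE & set(granted))
            if risky:
                findings.append(f"{oid}: {scope} permissions include {', '.join(risky)}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_access_policies(ACCESS_POLICIES_JSON, DIRECTORY)))
```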

Creating and adding members to an Azure AD group

You can create an Azure AD group, add applications and users to the group, and give the group access to your key vault. This allows you to add a number of applications to a key vault as a single access policy entry, and eliminates the need to give users direct access to your key vault (which we discourage). For more details, see Manage app and resource access using Azure Active Directory groups.

Additional prerequisites

In addition to the prerequisites above, you will need permissions to create/edit groups in your Azure Active Directory tenant. If you don't have permissions, you may need to contact your Azure Active Directory administrator.

If you intend to use PowerShell, you will also need the Azure AD PowerShell module.

Create an Azure Active Directory group

Create a new Azure Active Directory group using the Azure CLI az ad group create command, or the Azure PowerShell New-AzureADGroup cmdlet.

az ad group create --display-name <your-group-display-name> --mail-nickname <your-group-mail-nickname>
New-AzADGroup -DisplayName <your-group-display-name> -MailNickName <your-group-mail-nickname>

In either case, make a note of the newly created group's GroupId, as you will need it for the steps below.

Find the objectIds of your applications and users

You can find the objectIds of your applications using the Azure CLI az ad sp list command with the --show-mine parameter.

az ad sp list --show-mine

Find the objectIds of your applications using Azure PowerShell with the Get-AzADServicePrincipal cmdlet, passing a search string to the -SearchString parameter.

Get-AzADServicePrincipal -SearchString <search-string>

To find the objectIds of your users, follow the steps in the Users section, above.

Add your applications and users to the group

Now, add the objectIds to your newly created Azure AD group.

With the Azure CLI, use the az ad group member add command, passing the objectId to the --member-id parameter.

az ad group member add -g <groupId> --member-id <objectId>

With Azure PowerShell, use the Add-AzADGroupMember cmdlet, passing the objectId to the -MemberObjectId parameter.

Add-AzADGroupMember -TargetGroupObjectId <groupId> -MemberObjectId <objectId>

Give the AD group access to your key vault

Lastly, give the AD group permissions to your key vault using the Azure CLI az keyvault set-policy command, or the Azure PowerShell Set-AzKeyVaultAccessPolicy cmdlet. For examples, see the Give the principal access to your key vault section, above.

The application also needs at least one Identity and Access Management (IAM) role assigned to the key vault. Otherwise it will not be able to log in and will fail with insufficient rights to access the subscription.

Next steps