Grant several applications access to a key vault

An access control policy can be used to grant several applications access to a key vault. One access control policy supports up to 1024 applications, and it is configured as follows:

  1. Create an Azure Active Directory security group.
  2. Add all of the applications' associated service principals to the security group.
  3. Grant the security group access to the Key Vault.

The prerequisites are as follows:

Next, run the following commands in PowerShell.

# Connect to Azure AD (AzureChinaCloud environment)
Connect-AzureAD -AzureEnvironment AzureChinaCloud

# Create Azure Active Directory Security Group
$aadGroup = New-AzureADGroup -Description "Contoso App Group" -DisplayName "ContosoAppGroup" -MailEnabled $false -MailNickName none -SecurityEnabled $true

# Find and add your applications (ServicePrincipal ObjectID) as members to this group
$spn = Get-AzureADServicePrincipal -SearchString "ContosoApp1"
Add-AzureADGroupMember -ObjectId $aadGroup.ObjectId -RefObjectId $spn.ObjectId

# You can add several members to this group, in this fashion.

# Set the Key Vault ACLs (the group's ObjectId is the policy principal)
Set-AzureRmKeyVaultAccessPolicy -VaultName ContosoVault -ObjectId $aadGroup.ObjectId `
-PermissionsToKeys decrypt,encrypt,unwrapKey,wrapKey,verify,sign,get,list,update,create,import,delete,backup,restore,recover,purge `
-PermissionsToSecrets get,list,set,delete,backup,restore,recover,purge `
-PermissionsToCertificates get,list,delete,create,import,update,managecontacts,getissuers,listissuers,setissuers,deleteissuers,manageissuers,recover,purge,backup,restore `
-PermissionsToStorage get,list,delete,set,update,regeneratekey,getsas,listsas,deletesas,setsas,recover,backup,restore,purge

# Of course you can adjust the permissions as required

If you need to grant a different set of permissions to another set of applications, create a separate Azure Active Directory security group for those applications.
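The script above grants every permission in every category to one group. The following is an added example, not part of the original article, showing the "one group per permission set" pattern the previous paragraph recommends: each group is created (or reused), its service principals are added in a loop, it receives only the permissions it needs, and the vault's access policies are read back so that entries holding delete or purge rights can be reviewed. It assumes the AzureAD and AzureRM modules are installed and that you have already signed in to both (`Connect-AzureAD -AzureEnvironment AzureChinaCloud` and `Connect-AzureRmAccount -Environment AzureChinaCloud`); the vault name, group names and application display names are placeholders.

```powershell
# Added example (not from the article): least-privilege group per role, plus a read-back check.
# Assumes AzureAD and AzureRM modules are loaded and both sessions are already connected.
# ContosoVault, ContosoSecretReaders, ContosoSigners and the app names are placeholders.

$vaultName = 'ContosoVault'

# Each entry: the group to create, the apps that belong in it, and the permissions it needs.
# Readers only read secrets; signers only sign/verify with keys (and read key metadata).
$roleSets = @(
    @{ Name = 'ContosoSecretReaders'; Apps = @('ContosoApp1', 'ContosoApp2');
       Secrets = @('get', 'list');    Keys = @() }
    @{ Name = 'ContosoSigners';       Apps = @('ContosoSigningSvc');
       Secrets = @();                 Keys = @('sign', 'verify', 'get') }
)

foreach ($role in $roleSets) {
    # Reuse the group if it already exists so the script is safe to re-run.
    $group = Get-AzureADGroup -SearchString $role.Name | Where-Object { $_.DisplayName -eq $role.Name }
    if (-not $group) {
        $group = New-AzureADGroup -DisplayName $role.Name -Description "Key Vault access: $($role.Name)" `
            -MailEnabled $false -MailNickName 'none' -SecurityEnabled $true
    }

    foreach ($appName in $role.Apps) {
        # -SearchString is a prefix match, so filter to the exact display name to avoid
        # adding a look-alike principal (for example ContosoApp10) by mistake.
        $spn = @(Get-AzureADServicePrincipal -SearchString $appName | Where-Object { $_.DisplayName -eq $appName })
        if ($spn.Count -ne 1) {
            throw "Expected exactly one service principal named '$appName', found $($spn.Count)"
        }

        $existing = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
            Where-Object { $_.ObjectId -eq $spn[0].ObjectId }
        if (-not $existing) {
            Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $spn[0].ObjectId
        }
    }

    # Grant only what this group needs. Splatting lets empty categories be omitted
    # instead of being passed as empty arrays.
    $policy = @{ VaultName = $vaultName; ObjectId = $group.ObjectId }
    if ($role.Secrets.Count -gt 0) { $policy.PermissionsToSecrets = $role.Secrets }
    if ($role.Keys.Count -gt 0)    { $policy.PermissionsToKeys    = $role.Keys }
    Set-AzureRmKeyVaultAccessPolicy @policy
}

# Read back the vault's access policies and flag any entry that holds delete or purge
# rights; this is the list to review before signing off on the configuration.
$vault = Get-AzureRmKeyVault -VaultName $vaultName
foreach ($entry in $vault.AccessPolicies) {
    $grants = @($entry.PermissionsToKeys) + @($entry.PermissionsToSecrets) + @($entry.PermissionsToCertificates)
    $destructive = @($grants | Where-Object { $_ -in @('delete', 'purge') })
    [pscustomobject]@{
        ObjectId    = $entry.ObjectId
        Secrets     = ($entry.PermissionsToSecrets -join ',')
        Keys        = ($entry.PermissionsToKeys -join ',')
        Destructive = ($destructive.Count -gt 0)
    }
}
```

Because the policy principal is the group's ObjectId, adding or removing a service principal from the group changes its vault access without touching the vault; the read-back at the end is what you would run after each change to confirm no group received more than its role requires.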

Next steps

Learn more about how to secure your key vault