Granting a Service Fabric application's managed identity access to Azure resources

Before the application can use its managed identity to access other resources, permissions must be granted to that identity on the protected Azure resource being accessed. Granting permissions is typically a management action on the 'control plane' of the Azure service that owns the protected resource, routed via Azure Resource Manager, which enforces any applicable role-based access checks.

The exact sequence of steps depends on the type of Azure resource being accessed, as well as the language/client used to grant permissions. The remainder of the article assumes a user-assigned identity assigned to the application and includes several typical examples for your convenience, but it is in no way an exhaustive reference for this topic; consult the documentation of the respective Azure services for up-to-date instructions on granting permissions.

Granting access to Azure Storage

You can use the Service Fabric application's managed identity (user-assigned in this case) to retrieve data from an Azure storage blob. Grant the identity the required permissions in the Azure portal with the following steps:

  1. Navigate to the storage account.
  2. Click the Access control (IAM) link in the left panel.
  3. (Optional) Check existing access: select System- or User-assigned managed identity in the 'Find' control, then select the appropriate identity from the resulting list.
  4. Click + Add role assignment at the top of the page to add a new role assignment for the application's identity. Under Role, select Storage Blob Data Reader from the dropdown.
  5. In the next dropdown, under Assign access to, choose User assigned managed identity.
  6. Next, ensure the proper subscription is listed in the Subscription dropdown, then set Resource Group to All resource groups.
  7. Under Select, choose the user-assigned identity (UAI) corresponding to the Service Fabric application, then click Save.

Support for system-assigned Service Fabric managed identities does not include integration in the Azure portal; if your application uses a system-assigned identity, you will first have to find the client ID of the application's identity, and then repeat the steps above, but selecting the Azure AD user, group, or service principal option in the Find control.

Granting access to Azure Key Vault

As with storage access, you can use the managed identity of a Service Fabric application to access an Azure key vault. The steps for granting access in the Azure portal are similar to those listed above and won't be repeated here. Refer to the image below for the differences.

Key Vault access policy

The following example illustrates granting access to a vault via a template deployment; add the snippet(s) below as another entry under the resources element of the template. The sample demonstrates access granting for both user-assigned and system-assigned identity types, respectively; choose the applicable one.

    # under 'variables':
    "variables": {
        "userAssignedIdentityResourceId" : "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('userAssignedIdentityName'))]"
    }
    # under 'resources':
    {
        "type": "Microsoft.KeyVault/vaults/accessPolicies",
        "name": "[concat(parameters('keyVaultName'), '/add')]",
        "apiVersion": "2018-02-14",
        # dependsOn is a resource-level property; inside an access policy entry ARM does not treat it as a dependency
        "dependsOn": [
            "[variables('userAssignedIdentityResourceId')]"
        ],
        "properties": {
            "accessPolicies": [
                {
                    "tenantId": "[reference(variables('userAssignedIdentityResourceId'), '2018-11-30').tenantId]",
                    "objectId": "[reference(variables('userAssignedIdentityResourceId'), '2018-11-30').principalId]",
                    "permissions": {
                        "keys":         ["get", "list"],
                        "secrets":      ["get", "list"],
                        "certificates": ["get", "list"]
                    }
                }
            ]
        }
    }

And for system-assigned managed identities:

    # under 'variables':
    "variables": {
        "sfAppSystemAssignedIdentityResourceId": "[concat(resourceId('Microsoft.ServiceFabric/clusters/applications/', parameters('clusterName'), parameters('applicationName')), '/providers/Microsoft.ManagedIdentity/Identities/default')]"
    }
    # under 'resources':
    {
        "type": "Microsoft.KeyVault/vaults/accessPolicies",
        "name": "[concat(parameters('keyVaultName'), '/add')]",
        "apiVersion": "2018-02-14",
        # dependsOn is a resource-level property; inside an access policy entry ARM does not treat it as a dependency
        "dependsOn": [
            "[variables('sfAppSystemAssignedIdentityResourceId')]"
        ],
        "properties": {
            "accessPolicies": [
                {
                    "tenantId": "[reference(variables('sfAppSystemAssignedIdentityResourceId'), '2018-11-30').tenantId]",
                    "objectId": "[reference(variables('sfAppSystemAssignedIdentityResourceId'), '2018-11-30').principalId]",
                    "permissions": {
                        "secrets":      ["get", "list"],
                        "certificates": ["get", "list"]
                    }
                }
            ]
        }
    }
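The portal steps for storage and the Key Vault templates above both reduce to ARM resources that bind a role or policy to the identity's principalId. The helpers below are an added example (not from the Service Fabric documentation) that emit both resources from one identity variable and lint the Key Vault policy for least privilege; they assume template parameters named storageAccountName and roleAssignmentGuid (keyVaultName comes from the page) and use the built-in role definition GUID for Storage Blob Data Reader.

```python
# Added example (not the page's own template): build the two ARM resources this page
# grants to a managed identity, and lint the Key Vault one for least privilege.
STORAGE_BLOB_DATA_READER = "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1"  # built-in role GUID
IDENTITY_API = "2018-11-30"  # apiVersion the page uses for reference() on the identity
READ_ONLY = {"get", "list"}  # the read-only permission set the page's samples grant

def identity_expr(var_name, field):
    """ARM expression resolving tenantId or principalId of the identity held in a variable."""
    return f"[reference(variables('{var_name}'), '{IDENTITY_API}').{field}]"

def blob_reader_assignment(var_name, storage_param="storageAccountName"):
    """Template form of the portal steps: Storage Blob Data Reader scoped to one storage account."""
    return {
        "type": "Microsoft.Authorization/roleAssignments",
        "apiVersion": "2022-04-01",
        "name": "[parameters('roleAssignmentGuid')]",  # assumed parameter: a GUID unique within the scope
        "scope": f"[resourceId('Microsoft.Storage/storageAccounts', parameters('{storage_param}'))]",
        "properties": {
            "roleDefinitionId": f"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '{STORAGE_BLOB_DATA_READER}')]",
            "principalId": identity_expr(var_name, "principalId"),
            "principalType": "ServicePrincipal",  # avoids replication-lag failures for newly created identities
        },
        "dependsOn": [f"[variables('{var_name}')]"],
    }

def key_vault_access_policy(var_name, permissions):
    """Key Vault 'add' access policy resource; dependsOn sits at resource level, not inside the entry."""
    return {
        "type": "Microsoft.KeyVault/vaults/accessPolicies",
        "apiVersion": "2018-02-14",
        "name": "[concat(parameters('keyVaultName'), '/add')]",
        "properties": {"accessPolicies": [{
            "tenantId": identity_expr(var_name, "tenantId"),
            "objectId": identity_expr(var_name, "principalId"),
            "permissions": {kind: list(perms) for kind, perms in permissions.items()},
        }]},
        "dependsOn": [f"[variables('{var_name}')]"],
    }

def policy_findings(resource):
    """Flag policy entries that exceed the read-only set or carry a misplaced dependsOn."""
    findings = []
    for entry in resource.get("properties", {}).get("accessPolicies", []):
        if "dependsOn" in entry:
            findings.append("dependsOn inside policy entry; move it to the resource level")
        for kind, perms in entry.get("permissions", {}).items():
            extra = sorted({p.lower() for p in perms} - READ_ONLY)
            if extra:
                findings.append(f"{kind}: beyond read-only: {extra}")
    return findings
```

Run policy_findings over every accessPolicies resource in a template before deployment so a policy that quietly grants more than get/list is caught in review rather than in the vault.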

For more details, see Vaults - Update Access Policy.