堆栈内存溢出
  简体   繁体   English

如何在PowerShell代码中保护Azure Service Principal

[英]How to protect Azure Service Principal in your PowerShell Code

 原文  2017-07-27 18:01:26       powershell/ azure/ service-principal

问题描述

Let's say I have my PowerShell code which takes specific actions on my Azure subscription. 假设我有PowerShell代码,该代码对Azure订阅执行特定的操作。 I understood it has to log into Azure using my Azure username or maybe an Azure Service Principal. 我知道它必须使用我的Azure用户名或Azure服务主体登录到Azure。

In my case I would like to use a Service Principal because a lot of people are going to use this code and I don't want to give everyone access into my subscription. 就我而言,我想使用服务主体,因为很多人都将使用此代码,并且我不想让所有人都可以访问我的订阅。 So I provide access only to this SP. 因此,我仅提供对此SP的访问。

I realized, to log in using a SP, I need to include the App ID and the Key in my code and if my code is compromised then someone from outside our company could also use the App ID and the Key to log in and do stuff on my subscription. 我意识到,要使用SP登录,我需要在我的代码中包含App ID和密钥,如果我的代码被盗用,那么我们公司以外的人也可以使用App ID和Key来登录并执行操作在我的订阅上。

Is there any way I could protect myself against such security risk? 我有什么办法可以保护自己免受这种安全风险的侵害? I see there is also a section on Azure AD which I can specify users/groups who can access the Service Principal (Azure App). 我看到在Azure AD上还有一个部分,我可以指定可以访问服务主体(Azure App)的用户/组。 But will it be more like a double authentication? 但这会更像双重身份验证吗? can you please point me in the right direction? 能给我指出正确的方向吗?

If you could also share with me some sample code it will be much appreciated. 如果您还可以与我分享一些示例代码,将不胜感激。

1 个解决方案

解决方案1
 0  2017-07-27 20:56:04

Honestly, please don't do it this way. 老实说,请不要这样。 Anyone who gains access to the certificate (if you are distributing it with your code) will also have access as the service principal to Azure. 有权访问证书的任何人(如果您随代码一起分发它)也将具有Azure的服务主体访问权限。

I'd suggest you create an Azure Automation runbook and attach a webhook to it. 我建议您创建一个Azure Automation Runbook并将Webhook附加到它。 You could then create a small html file that would execute the runbook (prompting for any parameters that you require). 然后,您可以创建一个小的html文件来执行运行手册(提示您需要的任何参数)。 This way, the users can only run the code that you setup (via webhook) and you can cycle the webhook url (by deleting it and recreating a new one) periodically. 这样,用户只能运行您设置的代码(通过webhook),并且可以定期循环webhook url(通过删除它并重新创建一个新URL)。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何安全/保护 Azure 服务主体机密 - How safe/protect Azure service principal secret 如何在 Powershell 中检索 Azure 服务主体的秘密 7 - How to retrieve Azure Service Principal's secret in Powershell 7 Azure 服务主体使用 PowerShell 创建新证书 - Azure Service Principal create new certificate with PowerShell Azure PowerShell 将用户或组添加到服务主体 - Azure PowerShell add User or Group to Service Principal 如何从代码中设置 Azure Active Directory 服务主体的属性? - How to set properties of Azure Active Directory service principal from code? 获取 Azure DevOps 服务连接服务主体 id 与 powershell - Get Azure DevOps service connection service principal id with powershell 如何使用 powershell 列出服务主体权限 - How to list Service principal permissions using powershell "如何使用 Azure 门户或 PowerShell 将服务主体设置为应用程序注册所有者?" - how I can make an service principal as an App Registration Owner with azure portal or PowerShell? 如何使用自动化帐户 PowerShell Runbook 重置 Azure 服务主体的凭据? - How to reset credentials of an Azure service principal using an automation account PowerShell runbook? 如何使用已注册应用程序的服务主体通过 PowerShell 模块连接到 Azure? - How do I connect to Azure through PowerShell Modules, using the Service principal of a Registered App?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM