[英]How to protect Azure Service Principal in your PowerShell Code
Let's say I have my PowerShell code which takes specific actions on my Azure subscription. 假设我有PowerShell代码,该代码对Azure订阅执行特定的操作。 I understood it has to log into Azure using my Azure username or maybe an Azure Service Principal. 我知道它必须使用我的Azure用户名或Azure服务主体登录到Azure。
In my case I would like to use a Service Principal because a lot of people are going to use this code and I don't want to give everyone access into my subscription. 就我而言,我想使用服务主体,因为很多人都将使用此代码,并且我不想让所有人都可以访问我的订阅。 So I provide access only to this SP. 因此,我仅提供对此SP的访问。
I realized, to log in using a SP, I need to include the App ID and the Key in my code and if my code is compromised then someone from outside our company could also use the App ID and the Key to log in and do stuff on my subscription. 我意识到,要使用SP登录,我需要在我的代码中包含App ID和密钥,如果我的代码被盗用,那么我们公司以外的人也可以使用App ID和Key来登录并执行操作在我的订阅上。
Is there any way I could protect myself against such security risk? 我有什么办法可以保护自己免受这种安全风险的侵害? I see there is also a section on Azure AD which I can specify users/groups who can access the Service Principal (Azure App). 我看到在Azure AD上还有一个部分,我可以指定可以访问服务主体(Azure App)的用户/组。 But will it be more like a double authentication? 但这会更像双重身份验证吗? can you please point me in the right direction? 能给我指出正确的方向吗?
If you could also share with me some sample code it will be much appreciated. 如果您还可以与我分享一些示例代码,将不胜感激。
Honestly, please don't do it this way. 老实说,请不要这样。 Anyone who gains access to the certificate (if you are distributing it with your code) will also have access as the service principal to Azure. 有权访问证书的任何人(如果您随代码一起分发它)也将具有Azure的服务主体访问权限。
I'd suggest you create an Azure Automation runbook and attach a webhook to it. 我建议您创建一个Azure Automation Runbook并将Webhook附加到它。 You could then create a small html file that would execute the runbook (prompting for any parameters that you require). 然后,您可以创建一个小的html文件来执行运行手册(提示您需要的任何参数)。 This way, the users can only run the code that you setup (via webhook) and you can cycle the webhook url (by deleting it and recreating a new one) periodically. 这样,用户只能运行您设置的代码(通过webhook),并且可以定期循环webhook url(通过删除它并重新创建一个新URL)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.