限制对 Azure Key Vault 的访问
[英]Limiting access to azure key vault
问题描述
I want to create an Azure key vault with fairly restricted access (one or two of our apps).
我想创建一个访问权限相当受限的 Azure 密钥保管库(我们的一两个应用程序)。 I've created the Key Vault through the Azure portal, but when I look at the Access Control section, I find that several Apps and Users have the Contributor role (inherited from the subscription) for the key vault, which gives them more access than they should have.我已经通过 Azure 门户创建了 Key Vault,但是当我查看“访问控制”部分时,我发现多个应用程序和用户具有 Key Vault 的贡献者角色(从订阅继承),这为他们提供了更多的访问权限他们应该有。
Since the subscription is the highest level at which access control can be set, there is no way for me to revoke access for these apps/users without revoking it at the subscription level, and this would probably cause all sorts of problems.由于订阅是可以设置访问控制的最高级别,因此我无法在不撤消订阅级别的情况下撤消这些应用程序/用户的访问权限,这可能会导致各种问题。 (it's not really clear what permissions these need, so it'd be a bit painful to have to give those permissions at a resource group or resource level). (不太清楚这些需要什么权限,因此必须在资源组或资源级别授予这些权限会有点痛苦)。 What's more, there'd be nothing stopping someone who comes along later from adding contributor roles at the subscription level (for some new app, for instance), and breaking the security of the key vault.更重要的是,没有什么可以阻止后来出现的人在订阅级别添加贡献者角色(例如,对于某些新应用程序),并破坏密钥库的安全性。
So with all of this in mind, what would be the best way to limit access to an azure key vault, so that only the apps/users I want have access to it, despite the fact that several apps/users already have these permissions at the subscription level?因此,考虑到所有这些,限制对 Azure Key Vault 的访问的最佳方法是什么,以便只有我想要的应用程序/用户才能访问它,尽管事实上有几个应用程序/用户已经在以下位置拥有这些权限订阅级别?
More info: We're using the Azure Resource Manager model, and everything is currently stored in one subscription.更多信息:我们使用 Azure 资源管理器模型,所有内容当前都存储在一个订阅中。
2 个解决方案
解决方案1
2 已采纳 2018-10-05 06:43:22
It looks like you can not achieve this with the way RBAC works today.看起来您无法以今天的 RBAC 工作方式实现这一目标。
Here are a couple of feedback requests already running on Feedback Forums - https://feedback.azure.com .以下是一些已经在反馈论坛上运行的反馈请求 - https://feedback.azure.com 。 One is for Key Vault and another takes the example of a storage account but essentially looking for the same feature to override the inherited permissions.一个用于 Key Vault,另一个以存储帐户为例,但本质上是在寻找相同的功能来覆盖继承的权限。
You may want to vote up for these requests.您可能希望为这些请求投票。
Deny users with inherited permissions to Azure Key Vault Service from modifying Access Policies
拒绝具有 Azure Key Vault Service 继承权限的用户修改访问策略Exclude / override RBAC permissions inhereted from a subscription at a resource group level
在资源组级别排除/覆盖从订阅继承的 RBAC 权限
UPDATE (to answer additional queries from comments):更新(回答来自评论的其他查询):
Not granting subscription-level access in the first place (except to admins)
Yes this would definitely help.是的,这肯定会有所帮助。
Another suggestion would be to try and use Resource Groups to organize your resources and then assign roles on these Resource Groups (scope).另一个建议是尝试使用资源组来组织您的资源,然后在这些资源组(范围)上分配角色。 This way, you don't need to give access to individual items, but at the same time you can avoid giving access at the highest level of subscription.这样,您无需授予对单个项目的访问权限,但同时可以避免授予最高订阅级别的访问权限。
解决方案2
0 2021-11-10 10:03:24
An option you have is to create a blueprint that you can use to configure locks on your keyvaults.您可以选择创建一个蓝图,您可以使用该蓝图来配置密钥库上的锁。 If you deploy this BP as readonly the locks can't be removed from your vault so no-one can alter te permissions of your vault until you change the blueprint config again to don't lock and then remove the lock from your vault.如果您将此 BP 部署为只读,则无法从保险库中移除锁定,因此在您再次将蓝图配置更改为不锁定,然后从保险库中移除锁定之前,没有人可以更改保险库的权限。
Applications etc having access to your vault (aka dataplane) de still access the keys ofcource可以访问您的保管库(又名数据平面)的应用程序等仍然可以访问源代码
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.