How to find what operations/permissions my Azure Service Principal needs
I am trying to lock down my Azure Service Principal using least privilege. This can be done by creating custom roles. But when defining a custom role, how do I know which operations a given task needs to perform? For example, if an Automation account needs to run several AzureRm cmdlets in a PowerShell script (Get-AzureKeyVaultSecret, New-AzureRmContainerGroup, Get-AzureRmContext, etc.), how do I find out the "Actions" that each command performs?

Get-AzureRMProviderOperation * lists all available operations (currently a list of 2969, which is a few too many to sort through). How do I determine which ones I need?
For example, if you want to use an Azure Automation account to run the runbook command Get-AzureKeyVaultSecret, we should give the SP permissions like this:

Microsoft Authorization:
Microsoft Automation: Microsoft.Automation/automationAccounts/runbooks/read
Microsoft.KeyVault needs these permissions:
Microsoft.KeyVault/vaults/read
Microsoft.KeyVault/vaults/secrets/read
Microsoft.KeyVault/vaults/accessPolicies/write

Generally, we can create one role per provider. For example, for Microsoft.KeyVault, if we want the SP to be able to update the key vault or read secrets, we can add Microsoft.KeyVault/vaults/write, Microsoft.KeyVault/vaults/secrets/read and Microsoft.KeyVault/vaults/read.
PS C:\Users\jason> Get-AzureRmProviderOperation * | ?{ $_.ProviderNamespace -eq 'Microsoft Key Vault' } | select Operation, OperationName

Operation                                                 OperationName
---------                                                 -------------
Microsoft.KeyVault/register/action                        Register Subscription
Microsoft.KeyVault/unregister/action                      Unregister Subscription
Microsoft.KeyVault/hsmPools/read                          View HSM pool
Microsoft.KeyVault/hsmPools/write                         Create or Update HSM pool
Microsoft.KeyVault/hsmPools/delete                        Delete HSM pool
Microsoft.KeyVault/hsmPools/joinVault/action              Join KeyVault to HSM pool
Microsoft.KeyVault/checkNameAvailability/read             Check Name Availability
Microsoft.KeyVault/vaults/read                            View Key Vault
Microsoft.KeyVault/vaults/write                           Update Key Vault
Microsoft.KeyVault/vaults/delete                          Delete Key Vault
Microsoft.KeyVault/vaults/deploy/action                   Use Vault for Azure Deployments
Microsoft.KeyVault/vaults/secrets/read                    View Secret Properties
Microsoft.KeyVault/vaults/secrets/write                   Update Secret
Microsoft.KeyVault/vaults/accessPolicies/write            Update Access Policy
Microsoft.KeyVault/operations/read                        Available Key Vault Operations
Microsoft.KeyVault/deletedVaults/read                     View Soft Deleted Vaults
Microsoft.KeyVault/locations/operationResults/read        Check Operation Result
Microsoft.KeyVault/locations/deletedVaults/read           View Soft Deleted Key Vault
Microsoft.KeyVault/locations/deletedVaults/purge/action   Purge Soft Deleted Key Vault
Once that is done, we can assign this role to the SP that you want to run Get-AzureKeyVaultSecret. We can assign multiple roles to one SP.

Note:
Every service principal needs Microsoft Authorization permissions, otherwise the SP will not be able to log in to Azure.

Generally, Azure PowerShell Get commands need read permissions, and New, Set and Update commands need write permissions.

Hope this helps :)
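The following is an added, end-to-end example of the procedure the answer describes (narrow the provider operation list, build a custom role from the actions, assign it to the SP); it is not code from the question or the answer. It uses the current Az module cmdlets (Get-AzProviderOperation, Get-AzRoleDefinition, New-AzRoleDefinition, New-AzRoleAssignment, Set-AzKeyVaultAccessPolicy); the AzureRm cmdlets the page uses have the same shape under the AzureRm prefix. The subscription ID, resource group, vault name, SP application ID and role name are placeholders. It also adds two checks a practitioner wants: the action strings are validated against the real operation list before the role is created (a misspelled action grants nothing and fails silently), and a small helper reads the denied action out of an AuthorizationFailed error, which is the most direct way to discover which operation a given cmdlet still lacks. Note that the Microsoft.KeyVault operations above are Azure Resource Manager control-plane actions; returning a secret's value is a Key Vault data-plane call and additionally needs a vault access policy (or, on RBAC-enabled vaults, a data-plane role), which step 5 grants.

```powershell
# Added example; not code from the original question or answer.
# Uses the Az module. All IDs and names below are placeholders (assumptions).

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$resourceGroup  = 'rg-automation'                          # placeholder
$vaultName      = 'kv-automation'                          # placeholder
$spAppId        = '11111111-1111-1111-1111-111111111111'   # placeholder: SP application (client) ID
$roleName       = 'Runbook Key Vault Reader (custom)'      # placeholder

# 1. Narrow the 2969-row operation list to one provider and one verb
#    instead of scrolling. Get-AzProviderOperation accepts a wildcard.
Get-AzProviderOperation 'Microsoft.KeyVault/*' |
    Where-Object { $_.Operation -like '*/read' } |
    Format-Table Operation, OperationName -AutoSize

# 2. Start from the control-plane operations the answer lists for the
#    runbook. These let the SP see the vault and secret metadata;
#    reading a secret's value is a data-plane call (step 5).
$actions = @(
    'Microsoft.Automation/automationAccounts/runbooks/read',
    'Microsoft.KeyVault/vaults/read',
    'Microsoft.KeyVault/vaults/secrets/read'
)

# 3. Refuse to create the role if any action string is not a real
#    provider operation; a typo would silently grant nothing.
$known   = Get-AzProviderOperation * | Select-Object -ExpandProperty Operation
$unknown = $actions | Where-Object { $known -notcontains $_ }
if ($unknown) { throw "Unknown operation(s): $($unknown -join ', ')" }

# 4. Clone the built-in Reader definition as a template, replace its
#    actions with our list, and restrict the assignable scope to a single
#    resource group so the role cannot later be handed out subscription-wide.
$role = Get-AzRoleDefinition -Name 'Reader'
$role.Id          = $null
$role.Name        = $roleName
$role.Description = 'Least-privilege role for the Key Vault secret runbook'
$role.Actions.Clear()
foreach ($a in $actions) { $role.Actions.Add($a) }
$role.NotActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId/resourceGroups/$resourceGroup")
New-AzRoleDefinition -Role $role

# Assign the custom role to the SP at resource-group scope only.
New-AzRoleAssignment -ApplicationId $spAppId `
    -RoleDefinitionName $roleName `
    -ResourceGroupName $resourceGroup

# 5. Data plane: Get-AzKeyVaultSecret only returns the value if the SP also
#    holds a vault access policy (or a data-plane RBAC role on RBAC-enabled
#    vaults). Grant just 'get' on secrets. Run this as an administrator, not
#    as the SP: it needs Microsoft.KeyVault/vaults/accessPolicies/write.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName `
    -ServicePrincipalName $spAppId `
    -PermissionsToSecrets get

# 6. Finding what is still missing: run the cmdlet in a session signed in as
#    the SP and read the action name out of the AuthorizationFailed error,
#    which names the exact operation and scope that was denied. Add only that
#    action to the role and repeat until the command succeeds.
function Get-DeniedAction {
    param([scriptblock]$Command)
    try {
        & $Command | Out-Null
        return $null                       # succeeded: nothing is missing
    } catch {
        $m = [regex]::Match($_.Exception.Message, "perform action '([^']+)'")
        if ($m.Success) { return $m.Groups[1].Value }
        throw                              # some other failure: surface it
    }
}
# Example (assumed secret name; run as the SP):
# Get-DeniedAction { Get-AzKeyVaultSecret -VaultName $vaultName -Name 'db-password' }
```

Step 6 is the practical answer to "which of the 2969 do I need": grant nothing beyond Microsoft.Authorization read, run the runbook's cmdlets as the SP, and add exactly the action each denial names. The Activity Log on the target resources records the same operation names for calls that did succeed, which is useful for auditing the result.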