您可以限制 keys/secrets 用户可以访问 Azure Key Vault 中的哪些内容吗?
Can you restrict which keys/secrets a user can access in an Azure Key Vault?
我正在 Azure 中配置 Key Vault。我希望授予开发团队权限,使其能够访问和创建此保管库中的密钥、机密和证书,但无权访问保管库中的所有密钥、机密和证书。这可能吗?我是否需要一个单独的密钥保管库和单独的 permissions/access 策略?
谢谢!
不,你不能。但是您可以根据需要创建任意数量的 KeyVauls :)
Important
Key Vault access policies don't support granular, object-level
permissions like a specific key, secret, or certificate. When a user
is granted permission to create and delete keys, they can perform
those operations on all keys in that key vault.
Azure 开发测试实验室执行此操作。当您创建一个实验室时,它会为每个用户创建一个 KV,因此您可以在权限上有粒度。
[编辑]
此功能可能会在不久的将来推出。请继续关注 ;)
其他人在看,请参考。我不是作者或任何人,只是发布我认为有用的内容
We implemented Azure RBAC for Key Vault Data Plane, which will allow
creating role assignment on individual key, secret, certificate as
scope.
Our best practices is to have one Key Vault per application, per
region, per environment to provide complete isolation and avoid blast
radius in case of a failure. Consolidation of key vaults is not
recommended and Key Vault service will not scale that way. Important
limitations to consider - Azure RBAC max 2000 role assignments per
subscription and Key Vault max 2000 operations within 10 seconds.
Documentation:
https://docs.microsoft.com/en-us/azure/key-vault/general/rbac-guide
我正在 Azure 中配置 Key Vault。我希望授予开发团队权限,使其能够访问和创建此保管库中的密钥、机密和证书,但无权访问保管库中的所有密钥、机密和证书。这可能吗?我是否需要一个单独的密钥保管库和单独的 permissions/access 策略?
谢谢!
不,你不能。但是您可以根据需要创建任意数量的 KeyVauls :)
Important
Key Vault access policies don't support granular, object-level permissions like a specific key, secret, or certificate. When a user is granted permission to create and delete keys, they can perform those operations on all keys in that key vault.
Azure 开发测试实验室执行此操作。当您创建一个实验室时,它会为每个用户创建一个 KV,因此您可以在权限上有粒度。
[编辑]
此功能可能会在不久的将来推出。请继续关注 ;)
其他人在看,请参考。我不是作者或任何人,只是发布我认为有用的内容
We implemented Azure RBAC for Key Vault Data Plane, which will allow creating role assignment on individual key, secret, certificate as scope.
Our best practices is to have one Key Vault per application, per region, per environment to provide complete isolation and avoid blast radius in case of a failure. Consolidation of key vaults is not recommended and Key Vault service will not scale that way. Important limitations to consider - Azure RBAC max 2000 role assignments per subscription and Key Vault max 2000 operations within 10 seconds.
Documentation: https://docs.microsoft.com/en-us/azure/key-vault/general/rbac-guide