Select multiple principals in Azure Keyvault Access Policy

Although adding a managed identity to a Keyvault access policy is easy,

there are now quite a few VMs that should be granted access to the vault. Selecting multiple managed identities, adding them at once and giving them the same permissions seems to be possible, but I haven't managed to do it (ctrl + click, alt + click, selecting multiple ... none of it works). I also couldn't find it in the documentation; however, it clearly says "selected items" below. How can I do this?

You cannot assign multiple managed identities at once, neither in the portal nor via the Azure CLI. Unfortunately, you will need to assign them one by one.

Generally, the Azure CLI can do more, but it only accepts one assignee at a time.

az role assignment create --role
                          [--assignee]
                          [--assignee-object-id]
                          [--assignee-principal-type {Group, ServicePrincipal, User}]
                          [--condition]
                          [--condition-version]
                          [--description]
                          [--resource-group]
                          [--scope]
                          [--subscription]

Optional Parameters
--assignee
Represent a user, group, or service principal. supported format: object id, user sign-in name, or service principal name.

--assignee-object-id
Use this parameter instead of '--assignee' to bypass Graph API invocation in case of insufficient privileges. This parameter only works with object ids for users, groups, service principals, and managed identities. For managed identities use the principal id. For service principals, use the object id and not the app id.

--assignee-principal-type
Use with --assignee-object-id to avoid errors caused by propagation latency in AAD Graph.

accepted values: Group, ServicePrincipal, User
--condition
Condition under which the user can be granted permission.

--condition-version
Version of the condition syntax. If --condition is specified without --condition-version, default to 2.0.

--description
Description of role assignment.

--resource-group -g
Use it only if the role or assignment was added at the level of a resource group.

--scope
Scope at which the role assignment or definition applies to, e.g., /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

Check out Assign a managed identity access to a resource using Azure CLI

Create a user-assigned managed identity and grant it access to the key vault. Then assign that user-assigned managed identity to each VM.

This blog might help.
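As an added example (not code from either answer above, nor from the linked docs), here is a POSIX shell script that does the one-by-one work both answers describe, in two modes: `system` adds each VM's system-assigned identity to the vault's access policy in a loop, and `user` creates one user-assigned identity, adds it to the policy once, and attaches it to every VM. It uses the access-policy command `az keyvault set-policy` (the model the question is about) rather than the RBAC `az role assignment create` shown in the first answer. It assumes the `az` CLI is logged in; the vault name, resource group, VM names and identity name are placeholders passed on the command line, and `KV_SECRET_PERMS` is an assumed environment variable that defaults to read-only secret access (`get list`), so each identity gets only what it needs.

```shell
#!/bin/sh
# Added example: grant several VM managed identities access to one Key Vault.
# Neither the portal nor the CLI takes more than one assignee per call, so the
# loop is the workaround. Assumes `az` is logged in; all names are placeholders.
set -eu

# Least-privilege default: secrets read-only. Override, e.g. KV_SECRET_PERMS="get list set".
: "${KV_SECRET_PERMS:=get list}"

# principal_id_of_vm RG VM -> prints the system-assigned identity's principal id
# (empty or "None" when the VM has no system-assigned identity).
principal_id_of_vm() {
    az vm show -g "$1" -n "$2" --query identity.principalId -o tsv
}

# grant_system_identities VAULT RG VM... : one set-policy call per VM.
# Prints the number of identities actually granted; VMs without an identity are skipped.
grant_system_identities() {
    vault=$1; rg=$2; shift 2
    granted=0
    for vm in "$@"; do
        oid=$(principal_id_of_vm "$rg" "$vm")
        if [ -z "$oid" ] || [ "$oid" = "None" ]; then
            echo "skip: $vm has no system-assigned identity" >&2
            continue
        fi
        # KV_SECRET_PERMS is intentionally left unquoted so it word-splits into several permissions.
        az keyvault set-policy --name "$vault" --object-id "$oid" \
            --secret-permissions $KV_SECRET_PERMS >/dev/null
        granted=$((granted + 1))
    done
    echo "$granted"
}

# grant_via_user_assigned VAULT RG IDENTITY VM... : the second answer's approach.
# One identity, one policy entry, attached to each VM. Prints the number of VMs attached.
grant_via_user_assigned() {
    vault=$1; rg=$2; name=$3; shift 3
    az identity create -g "$rg" -n "$name" >/dev/null        # ARM PUT: safe to re-run
    oid=$(az identity show -g "$rg" -n "$name" --query principalId -o tsv)
    uai=$(az identity show -g "$rg" -n "$name" --query id -o tsv)
    az keyvault set-policy --name "$vault" --object-id "$oid" \
        --secret-permissions $KV_SECRET_PERMS >/dev/null
    attached=0
    for vm in "$@"; do
        az vm identity assign -g "$rg" -n "$vm" --identities "$uai" >/dev/null
        attached=$((attached + 1))
    done
    echo "$attached"
}

main() {
    case "${1:-}" in
        system) shift; grant_system_identities "$@" ;;
        user)   shift; grant_via_user_assigned "$@" ;;
        *) echo "usage: $0 system VAULT RG VM... | user VAULT RG IDENTITY VM..." >&2; return 2 ;;
    esac
}

# Only dispatch when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Usage: `./kv-grant.sh system my-vault my-rg vm1 vm2 vm3` or `./kv-grant.sh user my-vault my-rg kv-reader vm1 vm2 vm3`. The `user` mode is the cleaner long-term choice: the vault policy has one entry to audit and revoke, and adding a VM later is a single `az vm identity assign`, whereas with system-assigned identities every new VM needs its own policy entry and every deleted VM leaves a stale one behind.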