
I am trying to lock down my Azure service principal with the lowest possible privileges. This can be done by creating a custom role. But when defining a custom role, how do I know which operations a given task needs? For example, if an automation account needs to run several AzureRm cmdlets in a PowerShell script (Get-AzureKeyVaultSecret, New-AzureRmContainerGroup, Get-AzureRmContext, etc.), how do I find out which "operations" each command performs?

Get-AzureRMProviderOperation * lists all available operations (currently producing a list of 2969, a slightly overwhelming number to sort through). How do I determine which ones I need?


1 Answer


For example, if you want to run the runbook command Get-AzureKeyVaultSecret with an Azure Automation account, we should grant the SP permissions such as:

Microsoft Authorization: (screenshot of the required Microsoft.Authorization permissions; the image is not preserved in this copy)

Microsoft Automation: Microsoft.Automation/automationAccounts/runbooks/read

Microsoft.KeyVault needs these permissions:

Microsoft.KeyVault/vaults/read 
Microsoft.KeyVault/vaults/secrets/read
Microsoft.KeyVault/vaults/accessPolicies/write

Usually, we can set a role for each provider. For example, for Microsoft.KeyVault, if we want the SP to be able to update the key vault or read secrets, we can add Microsoft.KeyVault/vaults/read, Microsoft.KeyVault/vaults/write and Microsoft.KeyVault/vaults/secrets/read:

PS C:\Users\jason> Get-AzureRmProviderOperation * | ?{ $_.ProviderNamespace -eq 'Microsoft Key Vault' } | select Operation, OperationName

Operation                                               OperationName
---------                                               -------------
Microsoft.KeyVault/register/action                      Register Subscription
Microsoft.KeyVault/unregister/action                    Unregister Subscription
Microsoft.KeyVault/hsmPools/read                        View HSM pool
Microsoft.KeyVault/hsmPools/write                       Create or Update HSM pool
Microsoft.KeyVault/hsmPools/delete                      Delete HSM pool
Microsoft.KeyVault/hsmPools/joinVault/action            Join KeyVault to HSM pool
Microsoft.KeyVault/checkNameAvailability/read           Check Name Availability
Microsoft.KeyVault/vaults/read                          View Key Vault
Microsoft.KeyVault/vaults/write                         Update Key Vault
Microsoft.KeyVault/vaults/delete                        Delete Key Vault
Microsoft.KeyVault/vaults/deploy/action                 Use Vault for Azure Deployments
Microsoft.KeyVault/vaults/secrets/read                  View Secret Properties
Microsoft.KeyVault/vaults/secrets/write                 Update Secret
Microsoft.KeyVault/vaults/accessPolicies/write          Update Access Policy
Microsoft.KeyVault/operations/read                      Available Key Vault Operations
Microsoft.KeyVault/deletedVaults/read                   View Soft Deleted Vaults
Microsoft.KeyVault/locations/operationResults/read      Check Operation Result
Microsoft.KeyVault/locations/deletedVaults/read         View Soft Deleted Key Vault
Microsoft.KeyVault/locations/deletedVaults/purge/action Purge Soft Deleted Key Vault

Once done, we can assign this role to the SP on which you want to run Get-AzureKeyVaultSecret. We can assign multiple roles to one SP.

Note

Every service principal needs Microsoft Authorization permissions, otherwise this SP will not be able to log in to Azure.

Generally, for Azure PowerShell commands, Get requires read permissions, while New, Set and Update require write permissions.

Hope this helps :)

Answered 2017-12-20T03:16:15.887
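The procedure in the answer carried through end to end, as an added example that is not part of the original answer: it narrows the provider-operation list to one namespace and to read-only operations, clones the built-in Reader definition into a custom role that holds only the Key Vault read operations listed above, and assigns it at resource-group scope rather than at the subscription. The subscription id, resource group name and SP application id are placeholders.

```powershell
# Added example, not the original answer's code. Placeholder values below.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$resourceGroup  = 'rg-automation'                           # placeholder
$spAppId        = '11111111-1111-1111-1111-111111111111'    # placeholder SP application id

# 1. Discover candidates: one provider namespace, read-only operations only,
#    instead of scanning the full ~3000-entry list returned by '*'.
$keyVaultReads = Get-AzureRmProviderOperation 'Microsoft.KeyVault/*' |
    Where-Object { $_.Operation -like '*/read' } |
    Select-Object Operation, OperationName
$keyVaultReads | Format-Table -AutoSize

# 2. Build the custom role from the built-in Reader as a template object,
#    keeping only the actions the runbook needs (no write, delete or purge).
$role = Get-AzureRmRoleDefinition 'Reader'
$role.Id = $null
$role.Name = 'Automation KeyVault Secret Reader'
$role.Description = 'Read vault and secret metadata only for the automation SP.'
$role.Actions.Clear()
$role.Actions.Add('Microsoft.Authorization/*/read')                      # SP can read its own role assignments
$role.Actions.Add('Microsoft.Resources/subscriptions/resourceGroups/read') # resolve the resource group
$role.Actions.Add('Microsoft.KeyVault/vaults/read')                       # View Key Vault
$role.Actions.Add('Microsoft.KeyVault/vaults/secrets/read')               # View Secret Properties
$role.NotActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subscriptionId/resourceGroups/$resourceGroup")
New-AzureRmRoleDefinition -Role $role

# 3. Assign at the narrowest scope the runbook actually touches.
New-AzureRmRoleAssignment -ServicePrincipalName $spAppId `
    -RoleDefinitionName $role.Name `
    -ResourceGroupName $resourceGroup
```

Microsoft.KeyVault/vaults/secrets/read is a control-plane operation and covers secret properties only; reading a secret's value in the access-policy model is granted separately on the vault (Set-AzureRmKeyVaultAccessPolicy with -PermissionsToSecrets get), which an administrator sets once so the SP itself never needs Microsoft.KeyVault/vaults/accessPolicies/write.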