由于我是Azure新手,所以这个问题可能很愚蠢。我正在尝试建立一项服务来配置和管理VM集群。出于安全考虑,我不想在每个群集上放置一些敏感数据。因此,我决定为每个群集提供一个Azure密钥保管库以存储这些数据,并创建一个MSI(托管身份)并分派给群集的每个节点,以便vm可以访问密钥保管库以获取机密。
在服务端,我需要配置虚拟机,密钥库和MSI。将MSI分配给每个VM,同时授予MSI正确的角色以访问AKV。这是我的问题:
1。系统分配的身份和用户分配的受管身份之间有什么区别?
根据我的研究,直接在Azure服务实例上启用了系统分配的托管身份。系统分配的身份的生命周期直接与启用该身份的Azure服务实例相关。如果实例被删除,Azure会自动清除Azure AD中的凭据和身份。
但是,将用户分配的托管身份创建为独立的Azure资源。创建身份后,可以将身份分配给一个或多个Azure服务实例。用户分配的身份的生命周期与为其分配到的Azure服务实例的生命周期是分开管理的。
有关更多详细信息,请参见document。
2。如何设置MSI,Azure密钥保管库和授予访问权限
根据我的研究,如果要提供用户分配的托管身份,可以使用Azure REST API,Azure Powershell和Azure CLI
例如
Azure CLI
az login
az identity create -g <RESOURCE GROUP> -n <USER ASSIGNED IDENTITY NAME>
Azure REST API一种。使用Azure CLI获取访问令牌
az login
az account get-access-token
b。调用其余的api
curl 'https://management.azure.com/subscriptions/<SUBSCRIPTION ID>/resourceGroup
s/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY NAME>?api-version=2015-08-31-preview' -X PUT -d '{"loc
ation": "<LOCATION>"}' -H "Content-Type: application/json" -H "Authorization: Bearer <ACCESS TOKEN>"
[根据我的研究,如果要实现它,我们可以提供用户分配的托管身份,可以使用Azure REST API,Azure Powershell,Azure CLI和sdk(例如.net )。有关更多详细信息,请参阅document
例如
Azure Rest API
a。使用Azure CLI获取访问令牌
az login
az account get-access-token
b。调用其余的api
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}?api-version=2018-02-14
Header :
Content-Type: application/json
Authorization: Bearer <ACCESS TOKEN>
Body
{
"location": "westus",
"properties": {
"tenantId": "<your tenant id>",
"sku": {
"family": "A",
"name": "standard"
},
"accessPolicies": [
{
"tenantId": "<your tenant id>",
"objectId": "<the object id of the MSI>",
"permissions": {
"keys": [
"encrypt",
"decrypt",
"wrapKey",
"unwrapKey",
"sign",
"verify",
"get",
"list",
"create",
"update",
"import",
"delete",
"backup",
"restore",
"recover",
"purge"
],
"secrets": [
"get",
"list",
"set",
"delete",
"backup",
"restore",
"recover",
"purge"
],
"certificates": [
"get",
"list",
"delete",
"create",
"import",
"update",
"managecontacts",
"getissuers",
"listissuers",
"setissuers",
"deleteissuers",
"manageissuers",
"recover",
"purge"
]
}
}
],
"enabledForDeployment": true,
"enabledForDiskEncryption": true,
"enabledForTemplateDeployment": true
}
}
。Net SDK
a。 create a service principal with Azure CLI
az login
az ad sp create-for-rbac -n "MyApp" --role contributor --sdk-auth
b。码。有关更多详细信息,请参阅sample
// please install package Microsoft.Azure.Management.Fluent
var credentials = SdkContext.AzureCredentialsFactory
.FromServicePrincipal(<the sp app id>,
<the sp password>,
tenantId,
AzureEnvironment.AzureGlobalCloud);
var azure = Microsoft.Azure.Management.Fluent.Azure
.Configure()
.Authenticate(credentials)
.WithSubscription ("<your subscription id>");
var vault =await azure.Vaults.Define("")
.WithRegion(Region.AsiaSouthEast)
.WithExistingResourceGroup("groupname")
.DefineAccessPolicy()
.ForObjectId("the object id of msi")
.AllowCertificateAllPermissions()
.AllowKeyAllPermissions()
.AllowSecretAllPermissions()
.Attach()
.WithDeploymentEnabled()
.WithDiskEncryptionEnabled()
.WithTemplateDeploymentEnabled()
.WithSku(Microsoft.Azure.Management.KeyVault.Fluent.Models.SkuName.Standard)
.CreateAsync()