Why can't I see Key Vault secrets in the portal, but can access them programmatically?
Question

Access
This is the service principal's Key Vault access policy:
Service principal:
Service administrator / portal user:
Why can't I see the secrets, although I can access them programmatically?
Access policies
Answer 1
Score: 1
I'm assuming you are using an SPN to access the Key Vault programmatically and user credentials to view the secrets from the portal?
From the screenshots, I can see that the Key Vault is set to the Access policy authorization model. This means that roles on RBAC will not affect reading/writing the contents of the Key Vault.
You need to assign an access policy to the user or SPN to allow this.
I can see that there is an access policy for your SPN, which is why you can read the Key Vault contents programmatically using this SPN. However, the user only has a Service Administrator RBAC role. But since access policies don't allow RBAC roles to access the contents, you cannot see the Key Vault contents in the portal.
Key Vault has 2 authorization models, RBAC and Access policies. You can read more about them here. Access policy is the older model and doesn't allow granular access to a single key/secret. RBAC is the newer model, launched in 2021, which allows you to set roles at the individual entity level to segregate access to each key and secret.
Answer 2
Score: 1
From your last screenshot, I observed that you created an access policy only for the service principal, which allows it to access secrets programmatically.
To fix your issue, you need to create a new access policy by selecting your user account under the Principal tab, like below:
Make sure to assign the list secrets permission to your user account and click on Create, like below:
After creating the access policy, the user account will appear under USER, like below:
When I signed in with that user account, I was able to access the secrets successfully, like below:
Alternatively, you can switch the permission model to Azure role-based access control if you prefer accessing with RBAC roles, like below:
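As an added example (not code from the question or from either answer), the following Python script applies the reasoning of both answers to the JSON that `az keyvault show --name <vault>` returns: it checks which permission model the vault uses, checks whether a principal's object ID has an access policy granting get and list on secrets, and emits the az CLI command that fits the model (`az keyvault set-policy` under the access-policy model, a Key Vault Secrets User role assignment under RBAC, or the `az keyvault update` that switches the model as answer 2's alternative). The vault document, tenant ID and object IDs below are constructed sample data, not real identifiers; in practice you would feed it the real `az keyvault show` output and the portal user's object ID (for example from `az ad signed-in-user show --query id -o tsv`).

```python
"""Diagnose Key Vault secret access for a principal and emit the matching az CLI fix."""
from __future__ import annotations

import shlex

# Constructed sample identifiers (not real tenants or principals).
TENANT_ID = "33333333-3333-3333-3333-333333333333"
SPN_OBJECT_ID = "11111111-1111-1111-1111-111111111111"
USER_OBJECT_ID = "22222222-2222-2222-2222-222222222222"

# Constructed sample of what `az keyvault show --name kv-demo` returns for a
# vault in the access-policy model where only the SPN has a policy.
SAMPLE_VAULT = {
    "id": ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
           "rg-demo/providers/Microsoft.KeyVault/vaults/kv-demo"),
    "name": "kv-demo",
    "resourceGroup": "rg-demo",
    "properties": {
        "enableRbacAuthorization": False,
        "accessPolicies": [
            {
                "tenantId": TENANT_ID,
                "objectId": SPN_OBJECT_ID,
                "permissions": {"keys": [], "secrets": ["Get", "List"], "certificates": []},
            }
        ],
    },
}


def uses_rbac(vault: dict) -> bool:
    """True when the vault uses the Azure RBAC model (access policies are then ignored)."""
    return bool(vault["properties"].get("enableRbacAuthorization", False))


def secret_permissions(vault: dict, object_id: str) -> set[str]:
    """Secret permissions that the vault's access policies grant to object_id (lowercased)."""
    granted: set[str] = set()
    for policy in vault["properties"].get("accessPolicies", []):
        if policy["objectId"].lower() == object_id.lower():
            granted |= {p.lower() for p in policy["permissions"].get("secrets", [])}
    return granted


def diagnose(vault: dict, object_id: str) -> tuple[str, str]:
    """Classify why object_id can or cannot browse secrets.

    Returns (status, explanation) with status one of "rbac", "ok", "no-policy"
    or "partial-policy". The portal needs "list" to show secret names and
    "get" to show a secret's value.
    """
    if uses_rbac(vault):
        return ("rbac", "Vault uses Azure RBAC: access policies are ignored; a data-plane "
                "role such as Key Vault Secrets User is required.")
    granted = secret_permissions(vault, object_id)
    if {"get", "list"} <= granted:
        return ("ok", f"Access policy grants {sorted(granted)} on secrets.")
    if not granted:
        return ("no-policy", "No access policy for this object ID; management-plane roles "
                "(Owner, Service Administrator, ...) do not grant secret access under "
                "the access-policy model.")
    return ("partial-policy", f"Access policy grants only {sorted(granted)}; both get "
            "and list are needed to browse secrets in the portal.")


def remediation(vault: dict, object_id: str, principal_type: str = "User") -> list[str]:
    """az CLI argv that grants object_id secret read access under the vault's current model."""
    if uses_rbac(vault):
        return ["az", "role", "assignment", "create",
                "--role", "Key Vault Secrets User",
                "--assignee-object-id", object_id,
                "--assignee-principal-type", principal_type,
                "--scope", vault["id"]]
    return ["az", "keyvault", "set-policy", "--name", vault["name"],
            "--object-id", object_id, "--secret-permissions", "get", "list"]


def switch_to_rbac(vault: dict) -> list[str]:
    """az CLI argv that moves the vault to the RBAC model (answer 2's alternative).

    Caveat: once enabled, every existing access policy stops applying, so the
    SPN loses access until it too receives a role assignment.
    """
    return ["az", "keyvault", "update", "--name", vault["name"],
            "--resource-group", vault["resourceGroup"],
            "--enable-rbac-authorization", "true"]


if __name__ == "__main__":
    for label, oid in (("SPN", SPN_OBJECT_ID), ("portal user", USER_OBJECT_ID)):
        status, why = diagnose(SAMPLE_VAULT, oid)
        print(f"{label}: {status} - {why}")
        if status != "ok":
            print("  fix:", shlex.join(remediation(SAMPLE_VAULT, oid)))
    print("switch model:", shlex.join(switch_to_rbac(SAMPLE_VAULT)))
```

Run against the constructed vault, the SPN comes back "ok" and the portal user "no-policy", which is exactly the situation in the question; the printed `set-policy` command is the CLI equivalent of the access policy answer 2 creates in the portal. If you take the RBAC alternative instead, grant the role to the SPN as well before flipping the model, since the switch silently disables the policy that currently gives it access.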