Why can't I see keyvault secrets in portal, but can access them programmatically

Question
The access

This is the service principal keyvault access policy: (screenshot)

Service Principal: (screenshot)

Service admin / Portal user: (screenshot)

Why can't I see the secrets, although I can access them programmatically?

The access policy (screenshots)

Answer 1

Score: 1

I'm assuming you are using an SPN to access the keyvault programmatically and using user credentials to view the secrets from the portal?

From the snapshots, I can see that the keyvault is set to the Access policy authorization model. This means the roles in RBAC will not affect reading/writing of the contents of the Keyvault.
You need to assign an access policy to the user or SPN to allow this.

I can see that there is an access policy for your SPN, which is why you can read the keyvault contents programmatically using this SPN. However, the user only has a service administrator RBAC role. But since access policies don't allow RBAC roles to access the contents, you cannot see the keyvault contents on the portal.

Keyvault has 2 authorization models, RBAC and access policies. You can read more about them here. Access policy is the older model and doesn't allow granular access to a single key/secret. RBAC is the newer model, launched in 2021, which allows you to set roles at the individual entity level to segregate access to each key and secret.

Answer 2

Score: 1

From your last screenshot, I observed that you created an access policy only for the service principal, which allows it to access secrets programmatically.

To fix your issue, you need to create a new access policy by selecting your user account under the Principal tab like below: (screenshot)

Make sure to assign List secret permissions to your user account and click on Create like below: (screenshot)

After creating the access policy, the user account will appear under USER like below: (screenshot)

When I signed in with that user account, I was able to access secrets successfully like below: (screenshot)

Alternatively, you can switch the permission model to Azure role-based access control if you prefer accessing with RBAC roles like below: (screenshot)
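The reasoning in answer 1 (which model is active decides whether role assignments or access policies are consulted) and the two fixes in answer 2 (add a List access policy, or switch the vault to RBAC), as an added example that is not part of the question or either answer. It is a small offline diagnostic: `can_list_secrets` evaluates a principal against vault JSON shaped like `az keyvault show -n <vault> -o json` (assumption: only `properties.enableRbacAuthorization` and `properties.accessPolicies` are read) plus role assignments shaped like `az role assignment list`, and `fix_commands` returns the real Azure CLI commands for the two fixes. The vault name, resource id, object ids and role assignments are constructed sample values; `with_access_policy` and `with_rbac_model` only model what `az keyvault set-policy` and `az keyvault update --enable-rbac-authorization true` change in that JSON, nothing here calls Azure.

```python
import copy

# Built-in data-plane roles whose permissions include listing secrets (real
# Azure role names). Control-plane roles such as Owner, Contributor or the
# classic Service Administrator are absent on purpose: they manage the vault
# resource, never its contents, under either permission model.
SECRET_LIST_ROLES = {
    "Key Vault Administrator",
    "Key Vault Secrets Officer",
    "Key Vault Secrets User",
    "Key Vault Reader",  # lists secret names/metadata only, cannot read values
}


def can_list_secrets(vault, principal_oid, role_assignments):
    """Return (allowed, reason) for principal_oid listing the vault's secrets.

    vault mirrors `az keyvault show -n <vault> -o json`; role_assignments are
    dicts with "principalId"/"roleDefinitionName" as `az role assignment list`
    returns them.
    """
    props = vault["properties"]
    roles = {ra["roleDefinitionName"] for ra in role_assignments
             if ra["principalId"].lower() == principal_oid.lower()}

    if props.get("enableRbacAuthorization"):
        # RBAC model: access policies are ignored entirely; only role
        # assignments carrying Key Vault data actions count.
        granted = roles & SECRET_LIST_ROLES
        if granted:
            return True, f"RBAC model: role {sorted(granted)[0]!r} grants list"
        return False, (f"RBAC model: roles {sorted(roles)} carry no data-plane "
                       "secret permissions; assign e.g. 'Key Vault Secrets User'")

    # Access-policy model: role assignments, even Owner, never reach the data
    # plane. The principal needs its own policy entry that includes List.
    for policy in props.get("accessPolicies") or []:
        if policy["objectId"].lower() != principal_oid.lower():
            continue
        secret_perms = {p.lower() for p in policy["permissions"].get("secrets") or []}
        if secret_perms & {"list", "all"}:
            return True, "access-policy model: policy grants secrets/list"
        return False, (f"access-policy model: policy exists but its secret "
                       f"permissions are {sorted(secret_perms)}")
    return False, (f"access-policy model: no policy for {principal_oid}; "
                   f"role assignments {sorted(roles)} are ignored")


def fix_commands(vault, principal_oid, switch_to_rbac=False):
    """Azure CLI commands (real flags) for the two fixes in answer 2."""
    if switch_to_rbac:
        return [
            f"az keyvault update --name {vault['name']} --enable-rbac-authorization true",
            f"az role assignment create --role 'Key Vault Secrets User' "
            f"--assignee-object-id {principal_oid} --assignee-principal-type User "
            f"--scope {vault['id']}",
        ]
    return [f"az keyvault set-policy --name {vault['name']} "
            f"--object-id {principal_oid} --secret-permissions get list"]


def with_access_policy(vault, principal_oid, secret_perms):
    """Model (offline) what `az keyvault set-policy` does to the vault JSON."""
    v = copy.deepcopy(vault)
    v["properties"].setdefault("accessPolicies", []).append(
        {"objectId": principal_oid, "permissions": {"secrets": list(secret_perms)}})
    return v


def with_rbac_model(vault):
    """Model (offline) `az keyvault update --enable-rbac-authorization true`."""
    v = copy.deepcopy(vault)
    v["properties"]["enableRbacAuthorization"] = True
    return v


# Constructed sample data mirroring the question: the SPN has a Get/List access
# policy, the portal user only holds a control-plane role (Owner here).
SPN_OID = "11111111-1111-1111-1111-111111111111"
USER_OID = "22222222-2222-2222-2222-222222222222"
VAULT = {
    "id": ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
           "rg-demo/providers/Microsoft.KeyVault/vaults/kv-demo"),
    "name": "kv-demo",
    "properties": {
        "enableRbacAuthorization": False,
        "accessPolicies": [
            {"objectId": SPN_OID, "permissions": {"secrets": ["get", "list"]}},
        ],
    },
}
ROLE_ASSIGNMENTS = [{"principalId": USER_OID, "roleDefinitionName": "Owner"}]

if __name__ == "__main__":
    for label, oid in (("SPN", SPN_OID), ("portal user", USER_OID)):
        print(f"{label}: {can_list_secrets(VAULT, oid, ROLE_ASSIGNMENTS)}")
    for cmd in fix_commands(VAULT, USER_OID) + fix_commands(VAULT, USER_OID, True):
        print(cmd)
```

One caveat the second fix carries: once the vault is switched to RBAC, the SPN's existing access policy is ignored too, so the programmatic access that works today breaks until the SPN is also given a data-plane role such as Key Vault Secrets User at the vault scope.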

huangapple
  • Posted on 2023-05-25 02:39:49
  • Please keep this link when reposting: https://go.coder-hub.com/76326520.html