如何查找Azure Service Principal需要的操作/权限

时间:2017-12-19 20:56:10

标签: azure azure-active-directory azure-powershell azure-automation azure-rbac

我试图以最低权限锁定我的Azure服务主体。这可以通过creating custom roles来完成。但在定义自定义角色时,我如何知道给定任务需要哪些操作?例如,如果自动化帐户需要在PowerShell脚本(Get-AzureKeyVaultSecretNew-AzureRmContainerGroupGet-AzureRmContext等)中运行多个 AzureRm cmdlet,我该如何操作找出哪些"行动"每个命令都执行?

Get-AzureRMProviderOperation *列出了所有可用的动作(当前呈现的是2969的列表 - 一个稍微过分的数字来进行排序)。我如何确定我需要哪些?

1 个答案:

答案 0 :(得分:2)

例如,如果要使用Azure自动化帐户运行Runbook命令
 Get-AzureKeyVaultSecret,我们应该给予SP权限,如:

Microsoft Authorizationenter image description here Microsoft AutomationMicrosoft.Automation/automationAccounts/runbooks/read

Microsoft.KeyVault需要这些权限:

Microsoft.KeyVault/vaults/read 
Microsoft.KeyVault/vaults/secrets/read
Microsoft.KeyVault/vaults/accessPolicies/write

通常,我们可以为每个提供商设置角色。例如,Microsoft.KeyVault,我们希望SP可以更新密钥保管库或读取密码,我们可以添加Microsoft.KeyVault/vaults/writeMicrosoft.KeyVault/vaults/secrets/read以及Microsoft.KeyVault/vaults/read

PS C:\Users\jason> Get-AzureRmProviderOperation * | ?{ $_.ProviderNamespace -eq 'Microsoft Key Vault' } | select Operation, OperationName

Operation                                               OperationName
---------                                               -------------
Microsoft.KeyVault/register/action                      Register Subscription
Microsoft.KeyVault/unregister/action                    Unregister Subscription
Microsoft.KeyVault/hsmPools/read                        View HSM pool
Microsoft.KeyVault/hsmPools/write                       Create or Update HSM pool
Microsoft.KeyVault/hsmPools/delete                      Delete HSM pool
Microsoft.KeyVault/hsmPools/joinVault/action            Join KeyVault to HSM pool
Microsoft.KeyVault/checkNameAvailability/read           Check Name Availability
Microsoft.KeyVault/vaults/read                          View Key Vault
Microsoft.KeyVault/vaults/write                         Update Key Vault
Microsoft.KeyVault/vaults/delete                        Delete Key Vault
Microsoft.KeyVault/vaults/deploy/action                 Use Vault for Azure Deployments
Microsoft.KeyVault/vaults/secrets/read                  View Secret Properties
Microsoft.KeyVault/vaults/secrets/write                 Update Secret
Microsoft.KeyVault/vaults/accessPolicies/write          Update Access Policy
Microsoft.KeyVault/operations/read                      Available Key Vault Operations
Microsoft.KeyVault/deletedVaults/read                   View Soft Deleted Vaults
Microsoft.KeyVault/locations/operationResults/read      Check Operation Result
Microsoft.KeyVault/locations/deletedVaults/read         View Soft Deleted Key Vault
Microsoft.KeyVault/locations/deletedVaults/purge/action Purge Soft Deleted Key Vault

完成后,我们可以将此角色分配给您希望Get-AzureKeyVaultSecret的SP。我们可以为一个SP分配许多角色。

注意

每个服务主体都需要Microsoft Authorization权限,否则此SP将无法登录Azure。

通常,Azure PowerShell命令Get需要读取权限,NewsetUpdate需要写入权限。

希望这会有所帮助:)

相关问题
最新问题