问题描述

我用Powershell编写了一个程序，该程序按计划在Azure Functions应用程序中运行.为避免使用硬编码的凭据，我创建了一个Azure密钥保管库来存储机密.我在Azure函数中创建了一个托管身份，在Azure Key Vault中创建了机密，然后在URL指向Azure Azure Vault中的机密的Azure函数中创建了应用程序设置.该程序引用了应用程序的机密(APPSETTING)并按预期方式运行:

I wrote a program in Powershell which runs on a schedule in an Azure Functions app. To avoid hard-coded credentials, I created an Azure Key Vault to store the secrets. I created a managed identity in the Azure Function, created the secrets in Azure Key Vault and then created application settings in Azure Function with the URL to point at the secrets in Azure Key Vault. The program references the application secrets (APPSETTING) and behaves as expected:

    $uSecret = $ENV:APPSETTING_SecretUsername
    $pSecret = $ENV:APPSETTING_SecretPassword
    $sasSecret = $ENV:APPSETTING_SecretSAS
    $securePassword = ConvertTo-SecureString -String $pSecret -AsPlainText -Force
    $UserCredential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $uSecret, $securePassword

    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

但是我注意到，如果我通过Windows Powershell(以管理员身份运行)在本地计算机上运行相同的程序，并且上述行进行了如下修改，则该程序可以正常运行-意味着它可以访问Office 365和数据湖存储:

However I noticed that if I run the same program on my local computer via Windows Powershell (run as Administrator) and with the above lines amended as follows, the program runs fine - meaning it can access Office 365 and the data lake storage:

    $uSecret = (Get-AzKeyVaultSecret -VaultName 'auditkeyvault' -Name 'SecretUsername').SecretValueText
    $pSecret = (Get-AzKeyVaultSecret -VaultName 'auditkeyvault' -Name 'SecretPassword').SecretValueText
    $sasSecret = (Get-AzKeyVaultSecret -VaultName 'auditkeyvault' -Name 'SecretSAS').SecretValueText
    $securePassword = ConvertTo-SecureString -String $pSecret -AsPlainText -Force
    $UserCredential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $uSecret, $securePassword

    $session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

为什么我可以在计算机上本地运行它?我本来希望只有Azure Functions应用程序能够从Azure Key Vault检索机密，并且会阻止其他任何资源(例如本地计算机)?

Why am I able to run this locally on my computer? I would have expected only the Azure Functions app to be able to retrieve the secrets from Azure Key Vault and that any other resource such as my local computer would be prevented?

这不是为具有特定URL的Azure功能创建托管身份的全部目的，以便它可以将自身标识为访问密钥的经过身份验证/授权的资源吗?但是，当我使用(Get-AzKeyVaultSecret -VaultName 'auditkeyvault' -Name 'SecretUsername').SecretValueText在本地上方运行该程序时，我的程序仍然能够检索密钥并运行！

Isn't the whole purpose of creating a managed identity for the Azure Function with the specific URL, so that it could identify itself as the authenticated/authorised resource to access the keys? Yet when I run the program locally above with (Get-AzKeyVaultSecret -VaultName 'auditkeyvault' -Name 'SecretUsername').SecretValueText, my program is still able to retrieve the keys and run!

有人可以说明为什么会发生这种情况吗，或者如果我误解了什么?

Can someone please shed some light on why this is happening or if I have misunderstood something?

非常感谢！

(PS.所有这些都在带有示例数据的试验实例上运行，因此目前没有破坏任何真实数据)

(PS. This is all running on a trial instance with sample data, so no real data is compromised at the moment)

推荐答案

密钥库的目的是安全地保护您的秘密.

The purpose of the keyvault is keep your secrets securely.

任何授权的凭据(通过Keyvault访问策略)都可以通过REST API访问这些机密.

Any authorized credentials (through the Keyvault access policies) can access those secrets through the REST api.

要访问机密，您需要:

• 密钥库中的访问策略，可让您有足够的访问权限
• 要通过授权帐户进行身份验证

Get-AzKeyVaultSecret只是检索秘密的另一种方法.

Get-AzKeyVaultSecret is just another way to retrieve secret.

它可以在您的计算机上使用，因为您的会话仍在进行身份验证，并且您的AzureAd帐户具有对该密钥库机密的读取权限.

It work on your computer because your session is still authenticated and your AzureAd account have read access to that keyvault secret.

您可以有效地使用任何Az命令，而无需每次都重新进行身份验证.调用Get-AzContext获取当前上下文详细信息.

You can effectively use any Az command without re-authenticating everytime.Call Get-AzContext to get the current context details.

Connect-AzAccount在以下位置自动使用时会保存您的访问令牌和其他相关信息:C:\Users\MAK\.Azure\AzureRmContext.json

Connect-AzAccount do save your access tokens and other relevant informations when used automatically at the following location: C:\Users\MAK\.Azure\AzureRmContext.json

如果您要先断开连接Disconnect-AzAccount并尝试在不重新进行身份验证的情况下再次获取机密，那么它将失败.

If you were to disconnect first Disconnect-AzAccount and trying to get the secret again without re-authenticating, then it would fail.

注意如果您不满意Az模块将令牌存储在磁盘上的情况，则可以通过Disable-AzContextAutosave

NoteIf you are not comfortable with the Az module saving your tokens on disk, you can disable the default behavior through Disable-AzContextAutosave

这篇关于安全地访问Key Vault机密的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！