Problem description
Hello,
Is it possible to give access to a key vault to a user assigned identity?
In Managed Identities from the Azure portal I created a new identity "KeyVaultIdentity", which I assigned to a web application (in Identity, user assigned identities tab). In access policies from Key Vault I added the newly created "KeyVaultIdentity" identity and offered permissions to access the secrets.
I am using the following code to access the key vault:
    using System;
    using System.Threading.Tasks;
    using Microsoft.Azure.KeyVault;
    using Microsoft.Azure.KeyVault.Models;
    using Microsoft.Azure.Services.AppAuthentication;

    public string Message { get; private set; }

    // Exponential backoff: 100 ms, 200 ms, 400 ms, ... (the caller caps the value)
    private static long GetWaitTime(int retryCount)
    {
        return (long)Math.Pow(2, retryCount) * 100L;
    }

    private async Task GetSecretFromVaultAsync()
    {
        int retries = 0;
        bool retry;
        try
        {
            /* The lines below show how to use the AppAuthentication library to fetch secrets from your Key Vault */
            AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
            KeyVaultClient keyVaultClient = new KeyVaultClient(
                new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

            SecretBundle secret = null;
            /* The do/while loop handles throttling errors (HTTP 429) thrown by Azure Key Vault with
               exponential backoff, which is the recommended client-side throttling strategy */
            do
            {
                retry = false;
                try
                {
                    secret = await keyVaultClient.GetSecretAsync("https://play9VaultDemo.vault.azure.net/secrets/AppSecret")
                        .ConfigureAwait(false);
                }
                catch (KeyVaultErrorException keyVaultException) when ((int)keyVaultException.Response.StatusCode == 429)
                {
                    // Throttled: wait before the next attempt, never longer than 2000000 ms
                    long waitTime = Math.Min(GetWaitTime(retries), 2000000);
                    await Task.Delay((int)waitTime).ConfigureAwait(false);
                    retry = true;
                }
            }
            while (retry && (retries++ < 10));
            Message = secret?.Value;
        }
        catch (KeyVaultErrorException keyVaultException)
        {
            // Any other Key Vault error (for example 403 Forbidden) ends up here
            Message = keyVaultException.Message;
        }
    }
But it says that access is forbidden when I try to access the secret. However, if in Key Vault I give access to the System Assigned Identity of the Web application, I can access the secret.
Do you have any idea how I can make this work with the user assigned identity?
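The following is an added example, not code from the question or from any answer on this page. It shows how the AppAuthentication library is told which managed identity to use: with no connection string, AzureServiceTokenProvider requests a token for the App Service's system-assigned identity, so the access policy granted to the user-assigned "KeyVaultIdentity" is never exercised and the vault answers 403, which matches the behaviour described above. The connection string form `RunAs=App;AppId=<client id>` binds the provider to a user-assigned identity. The client ID value, the class name and the 403 diagnostic are placeholders and assumptions; the vault URL is the one from the question.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;
using Microsoft.Azure.Services.AppAuthentication;

public static class UserAssignedKeyVaultReader
{
    // Client (application) ID of the user-assigned identity "KeyVaultIdentity".
    // Placeholder value: copy it from the identity's overview blade in the portal.
    private const string IdentityClientId = "00000000-0000-0000-0000-000000000000";

    // Vault and secret named in the question.
    private const string SecretIdentifier = "https://play9VaultDemo.vault.azure.net/secrets/AppSecret";

    public static KeyVaultClient CreateClient(string userAssignedClientId)
    {
        // Null/empty connection string => system-assigned identity (the default).
        // "RunAs=App;AppId=..." => the user-assigned identity with that client ID.
        // The same string can instead be supplied through the
        // AzureServicesAuthConnectionString app setting, leaving the code unchanged.
        string connectionString = string.IsNullOrEmpty(userAssignedClientId)
            ? null
            : $"RunAs=App;AppId={userAssignedClientId}";

        var tokenProvider = new AzureServiceTokenProvider(connectionString);
        return new KeyVaultClient(
            new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));
    }

    public static async Task<string> ReadSecretAsync(string secretIdentifier = SecretIdentifier)
    {
        KeyVaultClient client = CreateClient(IdentityClientId);
        try
        {
            SecretBundle secret = await client.GetSecretAsync(secretIdentifier).ConfigureAwait(false);
            return secret.Value;
        }
        catch (KeyVaultErrorException ex) when ((int)ex.Response.StatusCode == 403)
        {
            // Forbidden means the token was valid but issued for an identity that has
            // no access policy on this vault. Reporting which identity was used makes the
            // "works with system-assigned, fails with user-assigned" case obvious in logs.
            string who = string.IsNullOrEmpty(IdentityClientId) ? "system-assigned identity" : $"user-assigned identity {IdentityClientId}";
            throw new InvalidOperationException(
                $"Key Vault denied access for {who}; check the vault access policy grants 'get' on secrets to that identity.", ex);
        }
    }
}
```

The access policy in the portal is keyed on the identity's object (principal) ID, while the connection string takes its client ID; mixing the two up is a common reason the grant appears not to apply. Grant only the secret permissions the app needs (here `get`) to the user-assigned identity rather than widening the system-assigned one. The newer Azure.Identity library expresses the same choice with `DefaultAzureCredentialOptions.ManagedIdentityClientId` passed to a `SecretClient`.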