azure - What is the benefit of a service principal exposing a password?

Tags azure

I was looking at the documentation on service principals and came across these passages:

It's important to remove old service principals for the same reason that you delete old user accounts: attackers might gain access to their keys. It's best not to have credentials that aren't actively used.

You might wonder why you need to create this whole new type of object just to authenticate a pipeline, when you have user accounts that work perfectly well. User accounts aren't designed for unattended use. The authentication process for a user account often checks that a human is the entity that's trying to sign in. Increasingly, organizations use additional security checks during authentication. These checks include MFA, CAPTCHA checks, and inspecting the device and network that the user is using so that they can verify the legitimacy of a request to sign in.

It's also a bad idea to save your username and password anywhere, because someone else might get access to them and then use them to impersonate you.

Under both "theories", keeping/sharing a service principal (a.k.a. a password) does not seem like a good idea. Is the only reason that passwords are not designed for unattended use? Should we use service principals, which provide security measures on a case-by-case basis?

Best answer

According to the Official Microsoft Documentation,

When you have applications, hosted services, or automated tools that need to access or modify resources, you can create an identity for the app. This identity is known as a service principal. Access to resources is restricted by the roles assigned to the service principal, giving you control over which resources can be accessed and at which level.

User accounts and passwords are not suitable for unattended use. Service principals can be used to grant access to resources based on role-based access control (RBAC).

What a service principal object actually does is define the information about a specific application and its access to resources.

If you want to avoid managing credentials, you can use Managed Identity.

Reference:

https://learn.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object
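As an added example (not code from the answer above, nor from Microsoft's libraries): the two token requests the answer is contrasting, built with the Python standard library so the construction runs offline. A service principal authenticates with the OAuth2 client-credentials grant, and the "password" (client secret) is exactly what goes into that POST body, so it has to be stored, protected and rotated. A managed identity instead asks the local instance metadata endpoint for a token and never holds a secret. The selection order mirrors azure-identity's DefaultAzureCredential (environment variables first, then managed identity); the `AZURE_*` variable names follow that library's convention, and the scope, resource and API-version values are assumed for illustration.

```python
"""Service-principal secret vs. managed identity: what each token request
looks like on the wire. Added illustration, not code from the answer or
from Microsoft; endpoint paths, scope and API version are assumed values."""
import json
import os
import urllib.parse
import urllib.request

# Scope for Azure Resource Manager; ".default" requests every permission the
# principal's RBAC role assignments allow (assumed for the example).
ARM_SCOPE = "https://management.azure.com/.default"
ARM_RESOURCE = "https://management.azure.com/"

# Azure Instance Metadata Service token endpoint (link-local, not routable).
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"


def build_client_secret_request(tenant_id, client_id, client_secret, scope=ARM_SCOPE):
    """OAuth2 client-credentials grant. The service principal's 'password'
    is the client_secret in this POST body: a bearer credential that must be
    stored, protected and rotated by whoever runs the pipeline."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, body


def build_managed_identity_request(resource=ARM_RESOURCE):
    """Managed identity. The workload asks the local metadata endpoint for a
    token; Azure binds the identity to the VM/App Service, so the code never
    holds a secret and there is nothing to rotate or leak."""
    query = urllib.parse.urlencode({"api-version": "2018-02-01", "resource": resource})
    headers = {"Metadata": "true"}  # IMDS rejects requests without this header
    return f"{IMDS_TOKEN_URL}?{query}", headers, None


def select_credential(env, scope=ARM_SCOPE):
    """Pick the credential source from the environment, in the order
    azure-identity's DefaultAzureCredential uses: an explicit environment
    secret first, otherwise managed identity. Nothing is ever hard-coded."""
    keys = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")
    if all(env.get(k) for k in keys):
        return "client_secret", build_client_secret_request(*(env[k] for k in keys), scope=scope)
    # IMDS takes a resource URI rather than a v2 scope (ARM default assumed)
    return "managed_identity", build_managed_identity_request(scope.replace("/.default", "/"))


def request_token(url, headers, body, timeout=5):
    """Perform the HTTP exchange and return (access_token, expires_in seconds).
    Needs network access to Azure AD or to IMDS, so it is not run offline."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST" if body else "GET")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        payload = json.load(resp)
    # expires_in is an int on the Azure AD v2 endpoint and a string on IMDS
    return payload["access_token"], int(payload["expires_in"])


if __name__ == "__main__":
    kind, (url, headers, body) = select_credential(os.environ)
    print("credential source:", kind)
    print("request:", "POST" if body else "GET", url)
    if body:
        # never log the secret itself; show only which fields the body carries
        print("body fields:", sorted(urllib.parse.parse_qs(body.decode())))
```

Run it on a developer machine with the three `AZURE_*` variables set and it reports the client-secret path; run it on an Azure VM or App Service with a managed identity and no variables set and it reports the metadata path. The contrast is the answer's point: in the first case a secret exists that can be copied, leaked or left unused, so it must be scoped by RBAC and removed when retired; in the second case there is no secret at all.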

Regarding "azure - What is the benefit of a service principal exposing a password?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/72431041/
