InfoGrab Docs

Securing the Azure CLI with Teleport Application Access on AKS

Summary

You can use Teleport to manage access to CLI tools that interact with Azure's APIs. This lets you control access to your infrastructure's management APIs using the same RBAC system that you use to protect your infrastructure itself. The Teleport Application Service installed in an AKS pod uses Microsoft Entra Workload ID to obtain authentication tokens from Azure.

In this guide, you will:

  1. Create an Azure managed identity for the Application Service and set it as the default Workload ID of a Kubernetes service account.
  2. Create an Azure managed identity for user access and attach it to the same Kubernetes service account.
  3. Deploy the Teleport Application Service with an Azure app to your Teleport cluster.
  4. Assume the managed identity and run az commands through tsh.

How it works

The Teleport Application Service installed in an AKS pod uses Microsoft Entra Workload ID to obtain authentication tokens from Azure. When a user authenticates to Teleport, they can assume one of the respective user-assigned managed identities to execute Azure CLI commands.

You can configure which Teleport users or roles have access to specific Azure identities, giving you control over who can obtain credentials for different levels of access to Azure CLIs.

The Teleport Application Service connects to the Teleport Proxy Service over a reverse tunnel, so you can run the Application Service in a private network and prevent unauthorized access to your organization's Azure identities.
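The token exchange behind Workload ID, shown as an added example that is not Teleport's or Microsoft's code: the pod presents its projected Kubernetes service account token (a JWT issued by the cluster's OIDC issuer) to Entra ID as a client assertion, and Entra ID returns an access token for the managed identity whose federated credential matches the JWT's issuer, subject and audience. The environment variable names are the ones the Azure Workload Identity webhook injects; the sample token, the identity GUIDs and the issuer URL are constructed for the example, and the exact client library the Application Service uses is not described on this page. The example runs offline and makes no network calls.

```python
"""Model of the Entra Workload ID token exchange (added example, not Teleport's code)."""
import base64
import json
import os
from typing import Dict, Optional

# Variables injected by the Workload Identity webhook into a pod whose service
# account carries the azure.workload.identity/client-id annotation.
# Values are constructed for this example.
SAMPLE_ENV: Dict[str, str] = {
    "AZURE_CLIENT_ID": "11111111-2222-3333-4444-555555555555",
    "AZURE_TENANT_ID": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "AZURE_AUTHORITY_HOST": "https://login.microsoftonline.com/",
    "AZURE_FEDERATED_TOKEN_FILE": "/var/run/secrets/azure/tokens/azure-identity-token",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_sample_sa_token(namespace: str, service_account: str) -> str:
    """Build an UNSIGNED stand-in for the projected service account token so the
    example runs offline. A real token is signed by the cluster's OIDC issuer;
    Entra ID fetches that issuer's keys and verifies the signature itself."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {
        # Constructed issuer; a real AKS issuer URL is cluster-specific.
        "iss": "https://example-region.oic.prod-aks.azure.com/tenant-id/cluster-id/",
        "sub": f"system:serviceaccount:{namespace}:{service_account}",
        "aud": ["api://AzureADTokenExchange"],
        "iat": 1_700_000_000,
        "exp": 1_700_003_600,
    }
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), ""])

def jwt_claims(token: str) -> dict:
    """Decode the payload without verifying it: fine for inspection, never for trust."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def check_federation_subject(token: str, expected_namespace: str, expected_sa: str) -> bool:
    """A federated identity credential pins issuer, subject and audience. If the
    pod's token does not carry exactly this subject, Entra ID refuses the
    exchange, so this is the first thing to check when a pod cannot get tokens."""
    claims = jwt_claims(token)
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    return (claims.get("sub") == f"system:serviceaccount:{expected_namespace}:{expected_sa}"
            and "api://AzureADTokenExchange" in aud)

def build_token_request(env: Dict[str, str], sa_token: str,
                        client_id: Optional[str] = None,
                        scope: str = "https://management.azure.com/.default") -> dict:
    """Token endpoint URL and form body for the client_credentials grant with a
    JWT client assertion. The same service account token can be exchanged for
    any managed identity that has a federated credential for this subject, which
    is how one pod can act as both the Application Service identity and the
    user-access identities: pass that identity's client_id explicitly."""
    authority = env["AZURE_AUTHORITY_HOST"].rstrip("/")
    return {
        "url": f"{authority}/{env['AZURE_TENANT_ID']}/oauth2/v2.0/token",
        "form": {
            "grant_type": "client_credentials",
            "client_id": client_id or env["AZURE_CLIENT_ID"],
            "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            "client_assertion": sa_token,
            "scope": scope,
        },
    }

def load_env() -> Dict[str, str]:
    """Use the webhook-injected variables when running in a pod; otherwise the sample."""
    if all(k in os.environ for k in SAMPLE_ENV):
        return {k: os.environ[k] for k in SAMPLE_ENV}
    return dict(SAMPLE_ENV)

if __name__ == "__main__":
    tok = make_sample_sa_token("teleport", "teleport-app")
    print("subject matches federation:", check_federation_subject(tok, "teleport", "teleport-app"))
    print("token endpoint:", build_token_request(load_env(), tok)["url"])
```

The security consequence is the point of the reverse-tunnel paragraph above: anything that can read the projected token file inside the pod can run this exchange for every identity federated to that service account, so the pod, its namespace and the service account deserve the same scrutiny as the Azure identities themselves.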

Prerequisites

  • A running Teleport (v15.2.4 or higher) cluster. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

  • The tctl and tsh clients.

    Installing `tctl` and `tsh` clients
    1. Determine the version of your Teleport cluster. The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/find and use a JSON query tool to obtain your cluster version. Replace with the web address of your Teleport Proxy Service:

      $ TELEPORT_DOMAIN=
      $ TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')"
      
    2. Follow the instructions for your platform to install tctl and tsh clients:

  • An Azure Kubernetes Service (AKS) cluster and permission to administer it.
  • The ability to manage user-assigned Azure managed identities, role policies, and federated identity credentials.
  • The az CLI tool installed on your workstation. You must log in with an Azure administrator account to configure the AKS cluster and create managed identities. Teleport's tsh client also uses the az binary to run commands. See the Azure documentation for how to install the az CLI on your operating system.
  • kubectl and helm for the AKS deployment.

To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials.

For example, run the following command, assigning to the domain name of the Teleport Proxy Service in your cluster and to your Teleport username:

$ tsh login --proxy= --user=
$ tctl status
# Cluster  (=teleport.url=)
# Version  (=teleport.version=)
# CA pin   (=presets.ca_pin=)

If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

Step 1/6. Create an Azure managed identity for the Teleport Application Service

The Teleport Application Service needs a managed identity that can look up the client IDs of the managed identities used for user access. This managed identity is assigned as the default identity of the Kubernetes service account.

If you have not already done so, log in to your Azure administrator account with az login and prepare environment variables for the steps that follow.

Dynamic identities

If you are using dynamic identities, the approach depends on whether your Teleport user is a local user or an SSO user:

Static identities

If you are using static identities, define a role with access to specific Azure identities, which means that Teleport users who assume this role can use those (and only those) identities to execute commands via an Azure CLI.

Create a file called azure-cli-access.yaml with the following content:

kind: role
version: v5
metadata:
  name: azure-cli-access
spec:
  allow:
    app_labels:
      '*': '*'
    azure_identities:
      - /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/teleport-azure

Edit the identity URI in the azure_identities field to match the one you copied in Step 1.

This role grants a user access to any Teleport-registered application, such as the azure-cli application we defined earlier, and allows that user to assume the teleport-azure identity you created earlier.

Create the role:

$ tctl create -f azure-cli-access.yaml


Denying access to Azure identities

You can define a Teleport role that denies a user access to one or more Azure identities. To do so, assign values to the azure_identities field within the spec.deny section of a role resource.

For example, this role denies the user access to all Azure identities:

kind: role
version: v5
metadata:
  name: "no-azure-identities"
spec:
  allow:
    app_labels:
      '*': '*'
  deny:
    azure_identities:
      - '*'

The no-azure-identities role enables the user to access all registered applications, but makes use of the wildcard character (*) within the deny.azure_identities field to prevent the user from assuming any Azure identity.

Unlike values of allow.azure_identities, values of deny.azure_identities can include wildcard expressions in addition to the URIs of specific Azure identities.

The Teleport Auth Service gives deny rules precedence over allow rules when evaluating a user's roles.
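The combination rules in the two roles above (allow lists are unioned, any deny wins, and wildcards are only meaningful in deny) are worth checking before a role is granted. The following Python is an added example, not Teleport's code: it models that evaluation for the azure_identities field only and validates that allow entries are explicit identity URIs. The readonly identity and the readonly-only role are constructed for the example; the template check for values such as {{internal.azure_identities}} is an assumption based on the traits mentioned in Next steps.

```python
"""Model of allow/deny evaluation for azure_identities (added example, not Teleport's code)."""
import fnmatch
from typing import Dict, List, Set

TELEPORT_AZURE = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
    "my-resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/teleport-azure"
)
# Constructed second identity, used only to show how allow lists combine.
READ_ONLY = TELEPORT_AZURE.rsplit("/", 1)[0] + "/teleport-azure-readonly"

# Minimal role dicts mirroring spec.allow / spec.deny from the YAML above.
ROLES: Dict[str, dict] = {
    "azure-cli-access": {"allow": {"azure_identities": [TELEPORT_AZURE]}, "deny": {}},
    "no-azure-identities": {"allow": {}, "deny": {"azure_identities": ["*"]}},
    "readonly-only": {"allow": {"azure_identities": [READ_ONLY]}, "deny": {}},
}

def validate_role(name: str, role: dict) -> List[str]:
    """Return a list of problems. allow.azure_identities must name identities
    explicitly (no wildcards) and each entry must be a user-assigned identity
    URI; trait templates such as {{internal.azure_identities}} are left alone."""
    problems: List[str] = []
    for uri in role.get("allow", {}).get("azure_identities", []):
        if uri.startswith("{{"):
            continue  # assumption: resolved from user traits at login time
        if "*" in uri:
            problems.append(f"{name}: wildcard in allow.azure_identities: {uri}")
        elif "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/" not in uri:
            problems.append(f"{name}: not a user-assigned identity URI: {uri}")
    return problems

def _denied(uri: str, deny_patterns: List[str]) -> bool:
    # Deny entries may be exact URIs or glob patterns such as '*'.
    return any(fnmatch.fnmatchcase(uri, p) for p in deny_patterns)

def assumable_identities(user_roles: List[str], roles: Dict[str, dict] = ROLES) -> Set[str]:
    """Identities the user may assume: the union of every role's allow list,
    minus anything matched by any role's deny list. Deny is evaluated across
    all of the user's roles, so adding no-azure-identities removes access even
    though azure-cli-access still allows it."""
    allowed: Set[str] = set()
    denied: List[str] = []
    for r in user_roles:
        role = roles[r]
        allowed.update(role.get("allow", {}).get("azure_identities", []))
        denied.extend(role.get("deny", {}).get("azure_identities", []))
    return {uri for uri in allowed if not _denied(uri, denied)}

if __name__ == "__main__":
    for name, role in ROLES.items():
        for problem in validate_role(name, role):
            print("invalid:", problem)
    print(sorted(assumable_identities(["azure-cli-access", "readonly-only"])))
    print(sorted(assumable_identities(["azure-cli-access", "no-azure-identities"])))
```

Run validate_role over any role you author before tctl create: a wildcard that slips into allow.azure_identities would not grant broad access in Teleport (the page states allow does not accept wildcards) but it would silently match nothing, which is the kind of misconfiguration that shows up as an access denial days later.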

Assign the azure-cli-access role to your Teleport user.

Step 5/6. Deploy the Teleport Application Service

In this step, you will start the Teleport Application Service in your AKS cluster.

Get a join token

Generate a join token to establish trust between your Teleport cluster and the new Application Service instance:

$ tctl tokens add --type=app --ttl=1h --format=text
(=presets.tokens.first=)

Start the Teleport Application Service

Create a Helm values file named azure_access_agent.values.yaml, replacing the placeholders with the join token you retrieved above and with the host and port of your Teleport Proxy Service (for example, teleport.example.com:443):

$ cat > azure_access_agent.values.yaml <

Use Azure CLI applications without tsh

In addition to running az commands via tsh, you can grant secure access to any CLI application that executes commands against Azure's APIs.

To do this, use tsh to start a local proxy that forwards traffic from your CLI application to the Teleport Application Service. The Application Service uses an Azure managed identity to fetch an authentication token from Azure, which your CLI application uses to authenticate requests to Azure's APIs.

To start the local proxy, run the following tsh command:

$ tsh proxy azure 

The command prints the address of the local proxy server along with export commands for assigning environment variables. Azure CLI applications read these variables in order to request an authentication token for Azure's APIs.

Copy the export commands and paste them into a second terminal. In that terminal, you can now run your Azure CLI application of choice. For example, you can run the following command to list Azure VMs:

$ az vm list

Since the az CLI requests an authentication token using the teleport-azure identity you created earlier, and that identity is authorized to view resources in your resource group, the az vm list command will only list VMs in that resource group.

Next steps

  • See Microsoft's guide to configuring Workload ID on AKS.
  • Now that you know how to protect Azure CLI access with Teleport, ensure that your Teleport users can only manage Azure resources temporarily, without long-lived administrator roles that an attacker could hijack. See the Role Access Requests and Access Request plugins documentation.
  • See the Azure documentation on Azure managed identities and on managing user-assigned managed identities.
  • See the Azure documentation for the full list of az CLI commands.
  • For details on how Teleport populates the internal and external traits described in the Teleport roles in this guide, see the Access Controls Reference.
