我正在尝试从 azure key Vault 获取 secret 。
所以我找到了下面的代码,但出现了错误。
AppServiceMSICredentials credentials = new AppServiceMSICredentials(AzureEnvironment.AZURE);
KeyVaultClient keyVaultClient = new KeyVaultClient(credentials);
String secret = keyVaultClient.getSecret("uri", "secretName").value();
我收到这样的错误:
Error >>> endpoint == null
我也尝试过这种方法:
AppServiceMSICredentials credentials = new AppServiceMSICredentials(AzureEnvironment.AZURE, "MSI Url????", "secret???");
KeyVaultClient keyVaultClient = new KeyVaultClient(credentials);
String secret = keyVaultClient.getSecret("keyVault Uri", "secret name").value();
log.debug("secret=========",secret);
我是 Azure 新手,现在找不到解决方案......
如何解决? 另外我如何找到 msi 端点和 secret ?
谢谢。
最佳答案
您正在使用managed identity 。您不需要提供任何端点或 secret 。
您唯一需要做的就是enable system identity in your web app 。
之后,您将获得服务主体的对象 ID。然后您可以在 key 保管库中为该服务主体分配访问策略。
最后,您可以在 Spring Boot 应用程序中访问 keystore 和 secret 。
<小时/>更新:
如果您无法创建托管标识,则可以使用 Azure AD 库获取访问 token 。然后使用该 token 访问 key 保管库。
这是一个代码示例:
public class KeyVaultTest {
// Add access policy to user, and access key vault as user
private static AuthenticationResult getAccessTokenAsUser(String authorization, String resource) throws InterruptedException, ExecutionException, MalformedURLException {
String clientId = "1950a258-227b-4e31-a9cf-717495945fc2";
String username = "your user id, <a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="0369626068436b626d7b6a622d6c6d6e6a60716c706c65772d606c6e" rel="noreferrer noopener nofollow">[email protected]</a>";
String password = "your password, ********";
AuthenticationResult result = null;
//Starts a service to fetch access token.
ExecutorService service = null;
try {
service = Executors.newFixedThreadPool(1);
AuthenticationContext context = new AuthenticationContext(authorization, false, service);
Future<AuthenticationResult> future = context.acquireToken(resource, clientId, username, password, null);
result = future.get();
} finally {
service.shutdown();
}
if (result == null) {
throw new RuntimeException("Authentication results were null.");
}
return result;
}
public static void main(String[] args) {
String vaultBase = "https://keyvault279.vault.azure.net/";
KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultCredentials(){
@Override
public String doAuthenticate(String authorization, String resource, String scope) {
String token = null;
try {
AuthenticationResult authResult = getAccessTokenAsUser(authorization, resource);
token = authResult.getAccessToken();
} catch (Exception e) {
e.printStackTrace();
}
return token;
}
});
SecretBundle test = keyVaultClient.getSecret(vaultBase, "test");
System.out.println(test.value());
}
}
关于java - 从 Azure key 保管库获取 secret ,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/57764432/