java - 从 Azure key 保管库获取 secret

Question

我正在尝试从 azure key Vault 获取 secret 。

所以我找到了下面的代码，但出现了错误。

AppServiceMSICredentials credentials = new AppServiceMSICredentials(AzureEnvironment.AZURE);

KeyVaultClient keyVaultClient = new KeyVaultClient(credentials);

String secret =  keyVaultClient.getSecret("uri", "secretName").value(); 

我收到这样的错误:

Error >>> endpoint == null

我也尝试过这种方法:

AppServiceMSICredentials credentials = new AppServiceMSICredentials(AzureEnvironment.AZURE, "MSI Url????", "secret???");
KeyVaultClient keyVaultClient = new KeyVaultClient(credentials);

String secret =  keyVaultClient.getSecret("keyVault Uri", "secret name").value(); 

log.debug("secret=========",secret);

我是 Azure 新手，现在找不到解决方案......

如何解决？ 另外我如何找到 msi 端点和 secret ？

谢谢。

Answer 1

您正在使用managed identity 。您不需要提供任何端点或 secret 。

您唯一需要做的就是enable system identity in your web app 。

之后，您将获得服务主体的对象 ID。然后您可以在 key 保管库中为该服务主体分配访问策略。

最后，您可以在 Spring Boot 应用程序中访问 keystore 和 secret 。

<小时/>

更新:

如果您无法创建托管标识，则可以使用 Azure AD 库获取访问 token 。然后使用该 token 访问 key 保管库。

这是一个代码示例:

public class KeyVaultTest {

    // Add access policy to user, and access key vault as user
    private static AuthenticationResult getAccessTokenAsUser(String authorization, String resource) throws InterruptedException, ExecutionException, MalformedURLException {

        String clientId = "1950a258-227b-4e31-a9cf-717495945fc2";
        String username = "your user id, <a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="0369626068436b626d7b6a622d6c6d6e6a60716c706c65772d606c6e" rel="noreferrer noopener nofollow">[email protected]</a>";
        String password = "your password,  ********";
        AuthenticationResult result = null;

        //Starts a service to fetch access token.
        ExecutorService service = null;
        try {
            service = Executors.newFixedThreadPool(1);
            AuthenticationContext context = new AuthenticationContext(authorization, false, service);
            Future<AuthenticationResult> future = context.acquireToken(resource, clientId, username, password, null);
            result = future.get();
        } finally {
            service.shutdown();
        }

        if (result == null) {
            throw new RuntimeException("Authentication results were null.");
        }

        return result;
    }

    public static void main(String[] args) {
        String vaultBase = "https://keyvault279.vault.azure.net/";

        KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultCredentials(){
            @Override
            public String doAuthenticate(String authorization, String resource, String scope) {
                String token = null;
                try {
                    AuthenticationResult authResult = getAccessTokenAsUser(authorization, resource);
                    token = authResult.getAccessToken();
                } catch (Exception e) {
                    e.printStackTrace();
                }
                return token;
            }
        });

        SecretBundle test = keyVaultClient.getSecret(vaultBase, "test");
        System.out.println(test.value());
    }
}