我构建了服务结构应用程序,我想在 Azure Key Vault 中保护 secret ,我实现了与应用服务相同的步骤,但它不起作用,感谢您的重播。
对于应用服务: 1.在Main方法上配置Key Vault 2. 在应用服务上启用分配的托管标识,应用于 SF 的规模集。 3. 在 keystore 上添加访问策略。
最佳答案
1) Azure 配置(VM 规模集 + Key vault):
Login-AzureRmAccount # Login into Azure account
$targetRg = "testfabric-rg" # Target resource group name
$targetVmss = "jxewcyinq" # Target virtual machine scale set name
$targetKeyVault = "az-ure-two20190115153549" # Target Key Vault name
# 1. Enable Managed Identity for target Virtual Machine Scale Set
Update-AzureRmVmss `
-ResourceGroupName $targetRg `
-VMScaleSetName $targetVmss `
-IdentityType SystemAssigned
# 2. Retrieve virtual machine scale set
$vmss = Get-AzureRmVmss `
-ResourceGroupName $targetRg `
-Name $targetVmss
# 3. Create new Key vault access policy allowing Virtual Machine Scale Set to read secrets by their IDs
Set-AzureRmKeyVaultAccessPolicy `
-VaultName $targetKeyVault `
-ObjectId $vmss.Identity.PrincipalId `
-PermissionsToSecrets Get # set only necessary permissions!
2) 使用 C# 时获取 key 保管库 secret :
// https://www.nuget.org/packages/Microsoft.Azure.KeyVault/
using Microsoft.Azure.KeyVault;
// https://www.nuget.org/packages/Microsoft.Azure.Services.AppAuthentication
using Microsoft.Azure.Services.AppAuthentication;
public async Task<string> GetSecretById(string id)
{
// URL of the target Key Vault
var keyVaultUrl = "https://az-ure-two20190115153549.vault.azure.net";
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secret = await keyVaultClient.GetSecretAsync($"{keyVaultUrl}/secrets/{id}");
return secret.Value;
}
关于service - 从 Service Fabric 访问 Azure Key Vault 上的 secret ,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/57737397/