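I am updating a .NET 6 Blazor Server application that uses the .AddAzureKeyVault() extension method to add the Azure KeyVault configuration provider, moving from the old Microsoft.Extensions.Configuration.AzureKeyVault package to the recommended Azure.Extensions.AspNetCore.Configuration.Secrets package, which uses the new SDK.

The complication I have is that requests go through a web proxy. My current working version using the old SDK looks like this: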

    using System.Net;                     // WebProxy, CredentialCache
    using System.Security.Authentication; // SslProtocols
    using Microsoft.Extensions.Configuration.AzureKeyVault; // 3.1.22
    using Microsoft.Azure.Services.AppAuthentication; // 1.6.2
    using Microsoft.Azure.KeyVault; // 3.0.5 (this needs to be version 3.0.0 or greater)

    var builder = WebApplication.CreateBuilder(args);

    // Proxy that authenticates with the credentials of the current security context
    var webProxy = new WebProxy(new Uri("{proxy_url}")) {
        Credentials = CredentialCache.DefaultNetworkCredentials
    };
    var httpClient = new HttpClient(new HttpClientHandler {
        Proxy = webProxy, SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls
    });

    // Old SDK: the KeyVaultClient takes the proxied HttpClient directly
    var authenticationCallback = new KeyVaultClient.AuthenticationCallback(
        new AzureServiceTokenProvider().KeyVaultTokenCallback);
    var keyVaultClient = new KeyVaultClient(authenticationCallback, httpClient);

    builder.Configuration
        .AddAzureKeyVault("{keyvault_url}", keyVaultClient, new DefaultKeyVaultSecretManager());

    var output = builder.Configuration
        .GetSection("ApplicationInsights:InstrumentationKey").Value; // successfully retrieves value

With the new SDK, I tried passing the proxy into the HttpClientTransport class, but I get a "The proxy tunnel request to proxy '{proxy_url}' failed with status code '407'." exception:

    using System.Net;                     // WebProxy, CredentialCache
    using System.Security.Authentication; // SslProtocols
    using Azure.Core.Pipeline;            // HttpClientTransport
    using Azure.Extensions.AspNetCore.Configuration.Secrets; // AzureKeyVaultConfigurationOptions
    using Azure.Identity; // 1.5.0
    using Azure.Security.KeyVault.Secrets; // 1.2.1

    var builder = WebApplication.CreateBuilder(args);

    var webProxy = new WebProxy(new Uri("{proxy_url}")) {
        Credentials = CredentialCache.DefaultNetworkCredentials
    };
    var httpClient = new HttpClient(new HttpClientHandler {
        Proxy = webProxy, SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls
    });

    // The proxied transport is attached to the credential options only
    var azureCredentialOpts = new DefaultAzureCredentialOptions {
        Transport = new HttpClientTransport(httpClient)
    };
    var secretClient = new SecretClient(new Uri("{keyvault_url}"),
        new DefaultAzureCredential(azureCredentialOpts));

    builder.Configuration
        .AddAzureKeyVault(secretClient, new AzureKeyVaultConfigurationOptions());

    // throws request to proxy failed with status code '407'
    var output = builder.Configuration
        .GetSection("ApplicationInsights:InstrumentationKey").Value;

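I can't find any mention of how to do this in the Microsoft documentation, and any examples I have found use the old SDK. I did find this related question here - Azure .NET v4 SDK Proxy Configuration in .NET Framework, but the suggested solution never worked for me.

The only thing to note is that I did get the same '407' exception with the old SDK when using the Microsoft.Extensions.Configuration.AzureKeyVault package, and I had to explicitly upgrade the Microsoft.Azure.KeyVault package to version 3.0.0 or above to get it working, so I'm not sure whether this could be related (maybe the new SDK doesn't support authentication for web proxies?...)

Does anyone know how I can use the Azure.Extensions.AspNetCore.Configuration.Secrets package through a proxy?

Best answer

Managed to solve my problem; it turned out I was setting the proxy in DefaultAzureCredentialOptions, when I should have been setting it in SecretClientOptions for use with the SecretClient. I found this migration guide from Microsoft helpful in working out where I was going wrong - https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/keyvault/Azure.Security.KeyVault.Secrets/MigrationGuide.md

One thing to note is that I had to use the beta version v4.3.0-beta.4 of the Azure.Security.KeyVault.Secrets package, otherwise you have to explicitly specify the tenant ID; from another post, this appears to be because versions below this one do not have the automatic tenant discovery feature - Visual Studio 2019 TokenService.exe has failed with unexpected error: TS003: Error, TS004: Unable to get access token.

The working version of my code looks like this: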

    using System.Net;                     // WebProxy, CredentialCache
    using System.Security.Authentication; // SslProtocols
    using Azure.Core.Pipeline;            // HttpClientTransport
    using Azure.Extensions.AspNetCore.Configuration.Secrets; // v1.2.1
    using Azure.Identity; // v1.5.0
    using Azure.Security.KeyVault.Secrets; // v4.3.0-beta.4

    var builder = WebApplication.CreateBuilder(args);

    var webProxy = new WebProxy(new Uri("{proxy_url}")) {
        Credentials = CredentialCache.DefaultNetworkCredentials
    };
    var httpClient = new HttpClient(new HttpClientHandler {
        Proxy = webProxy, SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls
    });

    // The proxied transport goes on the SecretClient's own options
    var secretClientOptions = new SecretClientOptions {
        Transport = new HttpClientTransport(httpClient)
    };

    // `Azure.Security.KeyVault.Secrets` package version < 4.3.0 does not have the tenant discovery feature, therefore you will have to set this in the options.
    /*var defaultAzureCredentialOptions = new DefaultAzureCredentialOptions()
    {
        VisualStudioTenantId = "",
    };*/

    var secretClient = new SecretClient(
        new Uri("{keyvault_url}"),
        new DefaultAzureCredential(/*defaultAzureCredentialOptions*/),
        secretClientOptions);

    builder.Configuration
        .AddAzureKeyVault(secretClient, new KeyVaultSecretManager());

    var output = builder.Configuration
        .GetSection("ApplicationInsights:InstrumentationKey").Value;

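
The two HTTP pipelines discussed above (the SecretClient's and the credential's) wired to one proxied transport, as an added example that is not part of the original question or answer. It goes beyond the answer in two ways: it offers only TLS 1.2 and 1.3 instead of also enabling TLS 1.0/1.1, and it also sets the transport on the credential, on the assumption that the credential type in use requests tokens over HTTP from behind the proxy. BuildProxiedTransport is a hypothetical helper name and the URLs are the post's placeholders.

```csharp
using System.Net;
using System.Security.Authentication;
using Azure.Core.Pipeline;
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

var builder = WebApplication.CreateBuilder(args);

// Placeholders, as in the post: substitute your own proxy and vault URLs.
var transport = BuildProxiedTransport(new Uri("{proxy_url}"));

// Pipeline 1: Key Vault REST calls. Per the answer, the proxy must be set here.
var secretClientOptions = new SecretClientOptions { Transport = transport };

// Pipeline 2: token requests issued by the credential. Assumption: only needed
// for credential types that reach Azure AD over HTTP from behind the proxy.
var credentialOptions = new DefaultAzureCredentialOptions { Transport = transport };

var secretClient = new SecretClient(
    new Uri("{keyvault_url}"),
    new DefaultAzureCredential(credentialOptions),
    secretClientOptions);

builder.Configuration.AddAzureKeyVault(secretClient, new KeyVaultSecretManager());

// Hypothetical helper (not an SDK API): one handler, one HttpClient, one transport.
static HttpClientTransport BuildProxiedTransport(Uri proxyUri)
{
    var handler = new HttpClientHandler
    {
        Proxy = new WebProxy(proxyUri)
        {
            // Answers the proxy's 407 challenge with the current security context.
            Credentials = CredentialCache.DefaultNetworkCredentials
        },
        UseProxy = true,
        // TLS 1.0/1.1 are left out; only 1.2 and 1.3 are offered to the vault.
        SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13
    };
    return new HttpClientTransport(new HttpClient(handler));
}
```

If the app runs with a managed identity, keep the credential on its default transport (pass no credentialOptions), because that token endpoint is local to the host and should not be routed through the proxy.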
Regarding c# - Azure KeyVault configuration provider through a web proxy throws an HTTP 407 exception, a similar question was found on Stack Overflow: https://stackoverflow.com/questions/71077395/