How to access Azure Key Vault secrets from a web application hosted on local machine IIS and debugged by attaching to the IIS worker process?


Question

The objective is to read all the secret values from a .NET Framework 4.6 web application hosted on local IIS. The application is a bit legacy and it can only be debugged by attaching to the worker process. I am trying to access Azure Key Vault secrets by using the below code, so that storage of keys can be avoided in the application configuration files.

```csharp
using System.Collections.Concurrent;
using System.Configuration;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

// Cache of secret name -> value, filled once at application start.
private static ConcurrentDictionary<string, string> _secretValues;

private static void LoadSecrets()
{
    // Vault base URL (https://<vault-name>.vault.azure.net) from app settings
    var keyVaultPath = ConfigurationManager.AppSettings["KeyVaultStorage"];
    var azureServiceTokenProvider = new AzureServiceTokenProvider();
    var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
    var secrets = keyVaultClient.GetSecretsAsync(keyVaultPath).Result;
    _secretValues = new ConcurrentDictionary<string, string>();
    foreach (var item in secrets)
    {
        var secret = keyVaultClient.GetSecretAsync($"{keyVaultPath}/secrets/{item.Identifier.Name}").Result;
        _secretValues.TryAdd(item.Identifier.Name, secret.Value);
    }
}
```

Before running this code, make sure to run the commands below:

```shell
az login
az account set --subscription
```

The same code runs well in a .NET Core application as well as in a .NET Framework 4.6 web application hosted on IIS Express. It does not run when hosted on the local machine's IIS.

Error thrown when running the code from the IIS worker process.

Answer

I could see that you are using AzureServiceTokenProvider to authenticate with Azure Key Vault.

The AzureServiceTokenProvider uses multiple methods to get an access token:

1. Managed Service Identity (MSI) - Used for scenarios where the code is deployed to Azure and the Azure resource supports MSI.
2. Azure CLI (for local development) - AzureServiceTokenProvider uses this option to get an access token for local development.
3. Active Directory Integrated Authentication (for local development). To use integrated Windows authentication, your domain's Active Directory must be federated with Azure Active Directory. Your application must be running on a domain-joined machine under a user's domain credentials.

When you are trying to run the application on your local development machine the AzureServiceTokenProvider will use the developer's security context to get a token to authenticate to Key Vault. AzureServiceTokenProvider will use Azure CLI or Active Directory Integrated Authentication to authenticate to Azure AD to get a token. That token will be used to fetch the secret from Azure Key Vault.
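The answer explains that AzureServiceTokenProvider picks its credential source from the security context of the process that calls it. The following C# is an added example, not code from the question, the answer, or the Microsoft library itself; it shows how that selection can be made explicit with the connection strings documented for Microsoft.Azure.Services.AppAuthentication, and how to surface which Windows identity the code is actually running under, which is the first thing to check when the same code works under IIS Express (your user) but not under full IIS (the application pool identity). The class name `KeyVaultAccess`, the use of `Trace` for logging, and the vault URL and secret name supplied by the caller are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.Security.Principal;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

// Added example (assumed class name). With no connection string the provider probes
// managed identity, the local developer tools and integrated authentication on its own,
// as the process identity. Under full IIS that process is w3wp.exe running as the
// application pool identity, not the developer who ran "az login", so naming each
// source explicitly makes the failing one visible in the logs.
public static class KeyVaultAccess
{
    // Resource identifier the provider requests tokens for (Key Vault's audience).
    private const string KeyVaultResource = "https://vault.azure.net";

    // Connection strings documented for Microsoft.Azure.Services.AppAuthentication,
    // in the order of the answer's list:
    //   "RunAs=App"                               -> managed identity (item 1)
    //   "RunAs=Developer; DeveloperTool=AzureCli" -> token from "az login" (item 2)
    //   "RunAs=CurrentUser"                       -> AD integrated authentication (item 3)
    public static readonly string[] CandidateConnectionStrings =
    {
        "RunAs=App",
        "RunAs=Developer; DeveloperTool=AzureCli",
        "RunAs=CurrentUser",
    };

    // Tries each credential source in turn and returns the first provider that can
    // obtain a Key Vault token, logging every failure with the identity in effect.
    public static async Task<AzureServiceTokenProvider> SelectProviderAsync()
    {
        // This is the identity the probes run as: your user under IIS Express,
        // the app pool identity (e.g. "IIS APPPOOL\DefaultAppPool") under full IIS.
        var identity = WindowsIdentity.GetCurrent().Name;

        foreach (var connectionString in CandidateConnectionStrings)
        {
            var provider = new AzureServiceTokenProvider(connectionString);
            try
            {
                await provider.GetAccessTokenAsync(KeyVaultResource).ConfigureAwait(false);
                Trace.TraceInformation("Using token source '{0}' as {1}", connectionString, identity);
                return provider;
            }
            catch (AzureServiceTokenProviderException ex)
            {
                // The library's message says why this source failed under this identity
                // (for example no Azure CLI token cache in the app pool user's profile).
                Trace.TraceWarning("Token source '{0}' failed as {1}: {2}",
                    connectionString, identity, ex.Message);
            }
        }

        throw new InvalidOperationException(
            $"No credential source produced a Key Vault token while running as '{identity}'.");
    }

    // Reads one secret with the selected provider, using the (vault base URL, secret name)
    // overload instead of building the secret URL by hand.
    public static async Task<string> GetSecretValueAsync(string vaultBaseUrl, string secretName)
    {
        var provider = await SelectProviderAsync().ConfigureAwait(false);
        using (var client = new KeyVaultClient(
            new KeyVaultClient.AuthenticationCallback(provider.KeyVaultTokenCallback)))
        {
            var bundle = await client.GetSecretAsync(vaultBaseUrl, secretName).ConfigureAwait(false);
            return bundle.Value;
        }
    }
}
```

The trace output tells you which of the three sources the worker process could actually use and under which account it tried. When the only source that succeeds from Visual Studio or IIS Express is the Azure CLI one, and the IIS trace shows the app pool identity failing every source, the difference is the identity, not the code: the CLI login belongs to your user profile and is not visible to a process running as a different account.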