保护Azure云服务配置中的敏感信息 [英] Securing sensitive information in Azure Cloud Service Configuration

问题描述

我们正在使用云服务配置以存储应用设置.但是我们想保护一些应用程序设置，例如用户凭据，数据库连接字符串等.推荐的设置方法是什么?

We are using Cloud Service configuration to store app settings. But we would like to secure few appsettings like User Credentials,database connection string etc. What is the recommended way to do that?

我们正在从网络角色和辅助角色中读取此配置.因此，不能使用 aspnet_regiis 实用程序因为该角色在工作角色中不可用，因为未以工作角色安装iis.

We are reading this configuration from both web and worker role. Hence using aspnet_regiis utility is not an option as this is not available in worker role since iis is not installed in worker role.

我们也考虑过使用Key Vault，但是最终会遇到保护Key Vault密钥的情况.

We also considered using Key vault, but we end up in the same situation of securing the key vault key.

不幸的是，Azure云服务不支持

Unfortunately, Azure cloud service does not support managed service indentities

推荐答案

我们也考虑过使用Key Vault，但最终还是一样 密钥库密钥的保护情况.

We also considered using Key vault, but we end up in the same situation of securing the key vault key.

问题陈述

即使您可以将所有敏感信息移至Azure Key Vault，但是要访问Azure Key Vault，您需要clientID和client密钥(以建立云服务和Key Vault的身份以了解谁在访问它).

Even though you can move out all sensitive information to Azure Key Vault, but to access the Azure Key Vault you need clientID and client Secret key (to establish the identity of your cloud service and Key Vault to know that who is accessing it).

这意味着您的应用程序的客户端密钥将位于云服务配置中，这几乎等同于首先位于云服务配置中的所有敏感信息:).

This means your application's client secret key will be sitting in cloud service configuration, which is almost equivalent to all sensitive information sitting in cloud service configuration in the first place :).

解决方案

受管服务身份将成为访问Azure Key Vault并避免在云服务配置中保留客户端密钥的一种方式.

Managed Service Identity would have been the way to go to access Azure Key Vault and avoid keeping client Secret key in cloud service configuration.

如果没有传统云服务的托管服务身份，则可以使用用于应用程序身份验证的证书凭据，可帮助建立应用程序身份并访问密钥库以读取密钥，机密等.

In absence of managed service identities for classic cloud services, you can use Certificate Credentials for application authentication to help establish application identity and get access to key vault for reading keys, secrets etc.

详细信息和示例代码

1. 您注册了一个Azure AD应用程序来代表您的云服务.
2. 在Key Vault的访问策略中授予对此Azure AD应用程序的适当访问权限(获取密钥/秘密等的能力).
3. 现在，您可以按照用于应用程序身份验证的凭据凭据，以将证书凭据与Azure AD中的客户端应用程序相关联.
4. 通过将该证书包含在服务定义文件(CSDEF)中，确保将该证书与您的所有云服务实例一起部署
5. 使用应用程序的客户端ID和此证书来获取令牌，并开始从Azure Key Vault中读取敏感信息.

1. You register an Azure AD application to represent your cloud service.
2. Give appropriate access (ability to get keys/secrets etc.) to this Azure AD application in Key Vault's access policies.
3. Now instead of generating a regular client secret, you follow the steps in Certificate credentials for application authentication, to associate the certificate credential with the client application in Azure AD.
4. Ensure that this certificate gets deployed with all your cloud service instances by including it in the service definition file (CSDEF)
5. Use your application's client ID and this certificate to acquire token and start reading sensitive information from Azure Key Vault.

可以在此处找到示例代码:

Sample Code is available here: Authenticating to Azure AD in daemon apps with certificates

重要的代码片段

// Initialize the Certificate Credential to be used by ADAL.
X509Certificate2 cert = ReadCertificateFromStore(certName);

// Then create the certificate credential client assertion.
certCred = new ClientAssertionCertificate(clientId, cert);

// Acquire Auth token for talking to Azure KeyVault..
result = await authContext.AcquireTokenAsync(todoListResourceId, certCred);

这篇关于保护Azure云服务配置中的敏感信息的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！