Azure Key Vault / Storage / Function integration


Problem description


We are using Azure Functions, which require access to at least 1 Azure Storage location. The Azure Storage location must support tables, so Azure AD auth is out. The connection string for the Storage account, with credential information, must be available to the Function in the environment. Good security practices dictate that we rotate the key with some frequency. We are currently storing keys in Key Vault, and want to continue doing so, rather than storing keys in the Azure Portal.


Are we correct that Azure AD authentication is not valid here since the tokens it produces are not able to be used with tables, which Functions requires?


It would seem that the ideal approach would be to add a new setting in Microsoft.Azure.Storage.CloudStorageAccount,

internal const string AccountKeyVaultLocationSettingString = "AccountKeyVaultLocation";


And then add logic to ParseImpl so that a KeyVault URL representing the secret could be passed into this method, and it would query the key from there.


Another option would be to override Microsoft.Azure.WebJobs.Script.Scaling.StorageConnectionString (and similar connection string settings) so that it will query Key Vault.


Could this be added to the Storage Library? What would be an ETA? Would you welcome contribution on this?

Recommended answer


In fact, using this way, you can get your connection string successfully without version numbers. However, as you said, the web app will load app settings once, and it will not be updated even though your connection string was rotated in Key Vault: we should restart the web app to load the latest connection string version from KV.


You can use Azure App Configuration, which is a centralized configuration service, and you can read the latest connection string from KV easily without restarting your web app. However, you should care about the security of the Azure App Configuration connection string; if you need to rotate it frequently, we are back where we started.


Maybe using the Azure Function MSI to get the connection string from KV is the best way I know here; try the code below:

using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Azure.KeyVault.Models;

namespace FunctionWithAppConfig
{
    public static class Function1
    {
        [FunctionName("Function1")]
        public static async Task<IActionResult> Run(
            [HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)] HttpRequest req,
            ILogger log)
        {
            log.LogInformation("C# HTTP trigger function processed a request.");

            // Authenticates as the Function App's managed identity (MSI); no credential is stored in app settings.
            var azureServiceTokenProvider = new AzureServiceTokenProvider();

            // The callback acquires a Key Vault token on demand, so no separate GetAccessTokenAsync call is needed.
            KeyVaultClient kv = new KeyVaultClient(
                new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

            // Requesting the secret identifier without a version returns the latest version,
            // so a rotated key is picked up on the next call.
            SecretBundle sec = await kv.GetSecretAsync("<your key vault url without version >");
            var StorageConn = sec.Value;

            // connect to your storage ...

            // The connection string is returned here only to demonstrate retrieval.
            return new OkObjectResult(StorageConn);
        }
    }
}
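The answer above fetches the secret on every invocation with the older Microsoft.Azure.KeyVault package. As an added example (not part of the original answer), the helper below does the same with the current Azure.Identity / Azure.Security.KeyVault.Secrets / Azure.Data.Tables packages and adds the two things a practitioner wants for key rotation: a short-lived cache so Key Vault is not hit on every call, and a single forced refresh when Storage rejects the cached key, so a rotated key is picked up without restarting the Function App. It assumes the Function's managed identity has permission to read secrets in the vault (Azure RBAC "Key Vault Secrets User" or an access policy), and the vault URL, secret name and table name are placeholders.

```csharp
// Added example (not from the original answer). Assumes NuGet packages Azure.Identity,
// Azure.Security.KeyVault.Secrets and Azure.Data.Tables, and that the Function's managed
// identity can read secrets in the vault.
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure;
using Azure.Data.Tables;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public sealed class RotatingStorageConnection
{
    private readonly SecretClient _secrets;
    private readonly string _secretName;
    private readonly TimeSpan _ttl;
    private readonly SemaphoreSlim _gate = new SemaphoreSlim(1, 1);
    private string _cached;
    private DateTimeOffset _fetchedAt = DateTimeOffset.MinValue;

    public RotatingStorageConnection(Uri vaultUri, string secretName, TimeSpan ttl)
    {
        // DefaultAzureCredential resolves to the managed identity when running in Azure
        // and to developer credentials (Azure CLI, Visual Studio, ...) locally.
        _secrets = new SecretClient(vaultUri, new DefaultAzureCredential());
        _secretName = secretName;
        _ttl = ttl;
    }

    // Returns the current connection string, re-reading Key Vault when the cache is stale
    // or when the caller forces a refresh. Reading the secret by name with no version
    // always yields the latest enabled version, which is what makes rotation work.
    public async Task<string> GetAsync(bool forceRefresh = false)
    {
        if (!forceRefresh && _cached != null && DateTimeOffset.UtcNow - _fetchedAt < _ttl)
            return _cached;

        await _gate.WaitAsync();
        try
        {
            if (forceRefresh || _cached == null || DateTimeOffset.UtcNow - _fetchedAt >= _ttl)
            {
                KeyVaultSecret secret = await _secrets.GetSecretAsync(_secretName);
                _cached = secret.Value;
                _fetchedAt = DateTimeOffset.UtcNow;
            }
            return _cached;
        }
        finally
        {
            _gate.Release();
        }
    }

    // Runs a table operation with the cached key. If Storage rejects the request because
    // the key was rotated after we cached it (401/403), refresh once from Key Vault and retry.
    public async Task<T> WithTableAsync<T>(string tableName, Func<TableClient, Task<T>> op)
    {
        for (int attempt = 0; attempt < 2; attempt++)
        {
            string conn = await GetAsync(forceRefresh: attempt == 1);
            var table = new TableClient(conn, tableName);
            try
            {
                return await op(table);
            }
            catch (RequestFailedException ex) when (attempt == 0 && (ex.Status == 401 || ex.Status == 403))
            {
                // Cached key no longer valid; loop once more with a freshly read secret.
            }
        }
        throw new InvalidOperationException("unreachable: second attempt either returned or threw");
    }
}

// Usage inside a Function (placeholder vault URL, secret name and table name):
// one static instance is shared across invocations so the cache is effective.
public static class StorageAccess
{
    private static readonly RotatingStorageConnection Storage = new RotatingStorageConnection(
        new Uri("https://<your-vault>.vault.azure.net/"), "<storage-connection-secret-name>", TimeSpan.FromMinutes(5));

    public static Task<bool> EnsureTableAsync() =>
        Storage.WithTableAsync("<your-table>", async t =>
        {
            await t.CreateIfNotExistsAsync();
            return true;
        });
}
```

The TTL bounds how long a stale key is used after rotation, and the forced refresh covers the window in between; keep the TTL shorter than the interval between disabling the old key and rotating the next one. The host's own AzureWebJobsStorage setting is still read from app settings and is not covered by this helper.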
