Getting secret from Azure key vault


Problem description

I'm trying to get a secret from Azure Key Vault.

So I found the code below but got an error.

AppServiceMSICredentials credentials = new AppServiceMSICredentials(AzureEnvironment.AZURE);

KeyVaultClient keyVaultClient = new KeyVaultClient(credentials);

String secret =  keyVaultClient.getSecret("uri", "secretName").value(); 

I got an error like this:

Error >>> endpoint == null

I also tried this way:

AppServiceMSICredentials credentials = new AppServiceMSICredentials(AzureEnvironment.AZURE, "MSI Url????", "secret???");
KeyVaultClient keyVaultClient = new KeyVaultClient(credentials);

String secret =  keyVaultClient.getSecret("keyVault Uri", "secret name").value(); 

// SLF4J-style placeholder so the value is actually interpolated
log.debug("secret={}", secret);

I'm new to Azure and now I cannot find the solution....

How can I solve it? Also, how can I find the MSI endpoint and secret?

Thanks.

Recommended answer

You were using managed identity. You do not need to provide any endpoint or secret.

The only thing you need to do is to enable system identity in your web app.

After that, you will get the object ID of a service principal. Then you can assign an access policy in your key vault for that service principal.

Finally, you can access your key vault and secret in your Spring Boot application.

Update:

If you cannot create a managed identity, then you can get an access token with the Azure AD library, and then use that token to access the key vault.

Here is a code sample:

import java.net.MalformedURLException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;
import com.microsoft.azure.keyvault.KeyVaultClient;
import com.microsoft.azure.keyvault.authentication.KeyVaultCredentials;
import com.microsoft.azure.keyvault.models.SecretBundle;

public class KeyVaultTest {

    // Add access policy to user, and access key vault as user
    private static AuthenticationResult getAccessTokenAsUser(String authorization, String resource) throws InterruptedException, ExecutionException, MalformedURLException {

        String clientId = "1950a258-227b-4e31-a9cf-717495945fc2";
        String username = "your user id, jack@hanxia.onmicrosoft.com";
        String password = "your password,  ********";
        AuthenticationResult result = null;

        // Starts a service to fetch access token.
        ExecutorService service = null;
        try {
            service = Executors.newFixedThreadPool(1);
            // 'authorization' is the Azure AD authority URL handed to the callback by the Key Vault client
            AuthenticationContext context = new AuthenticationContext(authorization, false, service);
            Future<AuthenticationResult> future = context.acquireToken(resource, clientId, username, password, null);
            result = future.get();
        } finally {
            if (service != null) {
                service.shutdown();
            }
        }

        if (result == null) {
            throw new RuntimeException("Authentication results were null.");
        }

        return result;
    }

    public static void main(String[] args) {
        String vaultBase = "https://keyvault279.vault.azure.net/";

        // KeyVaultCredentials calls doAuthenticate with the authority and resource
        // taken from the vault's 401 challenge; we return a bearer token for it.
        KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultCredentials(){
            @Override
            public String doAuthenticate(String authorization, String resource, String scope) {
                String token = null;
                try {
                    AuthenticationResult authResult = getAccessTokenAsUser(authorization, resource);
                    token = authResult.getAccessToken();
                } catch (Exception e) {
                    e.printStackTrace();
                }
                return token;
            }
        });

        SecretBundle test = keyVaultClient.getSecret(vaultBase, "test");
        System.out.println(test.value());
    }
}
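The managed-identity path the answer recommends (enable the system identity, grant it an access policy, then construct the credential with no endpoint or secret) can be made to fail with a readable message instead of a bare "endpoint == null". The helper below is an added example, not the answer's code; the class and method names are hypothetical, and the vault URL and secret name are constructed placeholders. It relies on App Service injecting the MSI_ENDPOINT and MSI_SECRET variables into the process when a managed identity is enabled, which is what the no-argument AppServiceMSICredentials constructor reads.

```java
import com.microsoft.azure.AzureEnvironment;
import com.microsoft.azure.credentials.AppServiceMSICredentials;
import com.microsoft.azure.keyvault.KeyVaultClient;
import com.microsoft.azure.keyvault.models.SecretBundle;

/** Hypothetical helper: reads one secret with the web app's system-assigned identity. */
public class ManagedIdentitySecretReader {

    // App Service sets both variables when a managed identity is enabled.
    // Running locally, or with the identity disabled, neither exists, so the
    // credential has no local token endpoint to call.
    static final String MSI_ENDPOINT = "MSI_ENDPOINT";
    static final String MSI_SECRET = "MSI_SECRET";

    /** Preflight check: explain the missing environment instead of failing deep in the SDK. */
    static void requireManagedIdentityEnvironment() {
        String endpoint = System.getenv(MSI_ENDPOINT);
        String secret = System.getenv(MSI_SECRET);
        if (endpoint == null || endpoint.isEmpty() || secret == null || secret.isEmpty()) {
            throw new IllegalStateException(
                "Managed identity environment not present (" + MSI_ENDPOINT + "/" + MSI_SECRET
                + " unset). Enable the system-assigned identity on the App Service and run the "
                + "app inside it; the endpoint and secret are never configured by hand.");
        }
    }

    /** Builds the client exactly as the answer describes: no endpoint or secret arguments. */
    static KeyVaultClient managedIdentityClient() {
        requireManagedIdentityEnvironment();
        return new KeyVaultClient(new AppServiceMSICredentials(AzureEnvironment.AZURE));
    }

    public static void main(String[] args) {
        // Constructed placeholders; substitute the real vault URL and secret name.
        String vaultBase = "https://<your-vault>.vault.azure.net/";
        String secretName = "<secret-name>";

        // Requires an access policy on the vault granting this identity 'get' on secrets.
        SecretBundle bundle = managedIdentityClient().getSecret(vaultBase, secretName);
        String value = bundle.value();

        // Use the value in place; report only its length rather than writing it to the log.
        System.out.println("fetched secret '" + secretName + "' (" + value.length() + " chars)");
    }
}
```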
