使用客户端密钥检索Azure KeyVault密钥 [英] Retrieve Azure KeyVault secret using client secret

问题描述

我正在尝试各种Azure功能，目前想从KeyVault中检索秘密.

直截了当:

我正在使用

然后，我开发了一小段代码，应该可以检索所需的秘密:

 公共类AzureAuthentication{公共异步Task< string>GetAdminPasswordFromKeyVault(){const string clientId ="--my-client-id--";const string tenantId ="--my-tenant-id--";const string clientSecret ="--my-client-secret--";var凭证=新的ClientSecretCredential(tenantId，clientId，clientSecret);var client = new SecretClient(new Uri("https://mykeyvaultresource.vault.azure.net")，凭证)；var secret =等待客户端.GetSecretAsync("admincreds");返回secret.Value.Value;}} 

但是，当我尝试执行此操作时，出现AccessDenied错误:

我是否在这里错过了明显痛苦的事情?还是有一些延迟(此刻为30分钟以上)需要应用KeyVault资源中访问策略"屏幕上的更改?

解决方案

我测试了您的代码并获得了 Get 权限，效果很好.

从屏幕快照中看，您似乎没有将与AD App相关的正确服务主体添加到访问策略.

如果添加与AD App相关的服务主体，它将显示为 APPLICATION ，而不是 COMPOUND IDENTITY .

因此，当您添加它时，您可以直接搜索客户端ID(即应用程序ID)或应用程序注册的名称，请确保添加正确的一个.

I'm experimenting with various Azure features and currently want to retrieve a secret from KeyVault.

Straight to the case:

I'm using this nuget package to interact with my azure resources.

I've developed a simple .NET Core console app and run it locally.

I have a KeyVault resource with one secret defined which is active and not expired.

I've registered an App in AAD so my locally shipped .NET Core console app has an identity within AAD.

Than I've created a "client secret" within this registered app in AAD to use it to authenticate myself as an app.

After that I've added access policy in my KeyVault resource to allow GET operation for secrets for this registered app:

Then I've developed a small piece of code which should retrieve the desired secret:

public class AzureAuthentication
{
    public async Task<string> GetAdminPasswordFromKeyVault()
    {
        const string clientId = "--my-client-id--";
        const string tenantId = "--my-tenant-id--";
        const string clientSecret = "--my-client-secret--";
        var credentials = new ClientSecretCredential(tenantId, clientId, clientSecret);
        var client = new SecretClient(new Uri("https://mykeyvaultresource.vault.azure.net"), credentials);
        var secret = await client.GetSecretAsync("admincreds");
        return secret.Value.Value;
    }
}

However when I'm trying to do this I'm getting an AccessDenied error:

Am I missing something painfully obvious here? Or there is some latency (>30 min for this moment) for which changes from Access policies screen in KeyVault resource are applied?

解决方案

I test your code and Get permission, it works fine.

From your screenshot, it looks you didn't add the correct service principal related to the AD App to the Access policies.

If you add the service principal related to the AD App, it will appear as APPLICATION, not COMPOUND IDENTITY.

So when you add it, you could search for the client Id(i.e. application Id) or the name of your App Registration directly, make sure you add the correct one.

这篇关于使用客户端密钥检索Azure KeyVault密钥的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！