带有 Azure Key Vault 的本地 ASP.NET Framework Web 应用 [英] On-prem ASP.NET Framework web app with Azure Key Vault
问题描述
我们正在努力保护我们内部 ASP.NET Framework Web 应用程序中的应用程序机密.提供给我的最初计划是使用 Azure Key Vault.我使用我的 Visual Studio Enterprise 订阅开始了开发工作,这似乎在本地运行良好.
我们在公司的生产环境中创建了第二个 Key Vault,同样,我可以在本地使用它,因为我自己的 AAD 帐户可以访问该保管库.但是,在这个项目(4.7.2 Web 表单 Web 应用程序)中,我没有看到任何指定我们为应用程序创建的访问策略主体的方法.
我的 google-fu 失败了:是否有任何文档可以解释如何执行此操作?这种情况——Azure 环境之外的本地 ASP.NET Framework 应用,访问 Key Vault 以获取配置值——甚至可能吗?
谢谢.
更新:我无法找到允许我从添加连接服务"中使用访问策略主体的解决方案.对话.我有点惊讶它不在那里,或者隐藏得足以躲避我.所以我最终编写了自己的 Key Vault Secret-Reader 函数,类似于标记的答案.希望这对某人有所帮助...
在这种情况下,您的选择是使用服务主体访问密钥库,请按照以下步骤操作,我的示例从密钥库中获取密钥.
1.
We're in the process of trying to secure our application secrets in our internal ASP.NET Framework web applications. The initial plan offered to me was to use Azure Key Vault. I began development work using my Visual Studio Enterprise subscription, and that seems to work fine, locally.
We've created a second Key Vault in our company's production environment, and again, I can use it locally, because my own AAD account has access to the vault. However, in this project (4.7.2 Web Forms web application), I don't see any means of specifying the Access Policy principal that we've created for the application.
My google-fu is failing me: is there any documentation that explains how to do this? Is this scenario -- an on-prem, ASP.NET Framework app outside of the Azure environment, accessing Key Vault for confiugation values -- even possible?
Thanks.
UPDATE: I was unable to find a solution that would allow me to use the Access Policy principal from within the "Add Connected Service" dialog. I'm somewhat surprised it's not in there, or is hidden enough to elude me. So I ended up writing my own Key Vault Secret-Reader function, similar to the marked answer. Hope this helps someone...
In this scenario, your option is to use the service principal to access the keyvault, please follow the steps below, my sample get the secret from the keyvault.
1.Register an application with Azure AD and create a service principal.
2.Get values for signing in and create a new application secret.
3.Navigate to the keyvault in the portal -> Access policies -> add the correct secret permission for the service principal.
4.Then use the code below, replace the <client-id>, <tenant-id>, <client-secret> with the values got before.
using System;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
namespace test1
{
class Program
{
static void Main(string[] args)
{
var azureServiceTokenProvider = new AzureServiceTokenProvider("RunAs=App;AppId=<client-id>;TenantId=<tenant-id>;AppKey=<client-secret>");
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secret = kv.GetSecretAsync("https://keyvaultname.vault.azure.net/", "mySecret123").GetAwaiter().GetResult();
Console.WriteLine(secret);
}
}
}
这篇关于带有 Azure Key Vault 的本地 ASP.NET Framework Web 应用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
