存储 Azure Vault 客户端 ID 和客户端密码 [英] Storing Azure Vault Client ID and Client Secret
问题描述
我使用 .NET Core 2.0 和 ASP.NET Core 2.0 进行应用程序开发.测试"应用程序是一个 .NET Core 控制台应用程序.我正在编写的核心代码是一个类库.一旦正确测试.我选择这样做是因为我暂时不会使用它(它正在替换旧的 ASPNET 代码).
I am using .NET Core 2.0 and ASP.NET Core 2.0 for application development. The "test" application is a .NET Core Console application. The core code I am writing is a class library. Once proper testing. I choose to do this since I won't be putting this to use for awhile (it's replacing older ASPNET code).
无论如何,由于我必须为各种服务使用大量 API 密钥,因此我决定使用 Microsoft Azure Key Vault 来存储密钥.我已经完成了所有设置并了解这是如何工作的.测试应用程序使用测试 Azure 帐户,因此它并不重要.由于这正在取代遗留代码,而且还处于起步阶段,因此我是唯一的开发人员.
Anyway, since I have to work with a LOT of API keys for various services I decided to use Microsoft Azure Key Vault for storing the keys. I have this all setup and understand how this works. The test application uses a test Azure account so it's not critical. And since this is replacing legacy code and it's in the infancy, I am the sole developer.
基本上,我遇到了这个问题.我所看到的关于 Azure Key Vault 的信息并不多.许多示例将客户端 ID 和机密 存储在 纯文本 json 文件中(例如:https://www.humankode.com/asp-net-core/how-to-store-secrets-in-azure-key-vault-using-net-core).我真的不明白这怎么可能是安全的.如果有人获得这些密钥,他们就可以轻松访问 Azure 存储的信息,对吗?
Basically, I'm running into this issue. There's not too much information on Azure Key Vault from what I can see. A lot of examples are storing the Client ID and Secret in a plain text json file (for example: https://www.humankode.com/asp-net-core/how-to-store-secrets-in-azure-key-vault-using-net-core). I really don't understand how this can be secure. If someone were to get those keys they could easily access stored information Azure, right?
Microsoft MSDN 有一个授予访问权限的 powershell 命令(我丢失了原始链接,这是我能找到的最接近的链接:https://www.red-gate.com/simple-talk/cloud/platform-as-a-service/setting-up-and-configuring-an-azure-key-vault/) 我的开发操作系统是 Windows 10,我的主要服务器操作系统是 Debian.
The Microsoft MSDN has a powershell command that grants access (I lost the original link, this is closest I can find: https://www.red-gate.com/simple-talk/cloud/platform-as-a-service/setting-up-and-configuring-an-azure-key-vault/) My development operating system is Windows 10 and my primary server operating system is Debian.
我将如何处理这个问题?
How would I approach this?
推荐答案
是的,你说得对,纯文本配置文件只能在开发期间使用,不能用于生产目的.一般来说,可用选项取决于您托管应用的位置和方式.
Yes, you are right, the plain text config file could be used only during development, not for production purpose. And in general, available options depend on where and how you host an App.
如果你有 Azure Web 应用程序,你至少有下一个内置选项 (来自文档):
If you have an Azure Web App, you have at least next built-in options (from the documentation):
为 Azure 门户中的 AppSettings 添加 ClientId 和 ClientSecret 值.通过这样做,实际值将不在 web.config 中,而是通过具有单独访问控制功能的门户进行保护.这些值将替换您在 web.config 中输入的值.确保名称相同.
add the ClientId and ClientSecret values for the AppSettings in the Azure portal. By doing this, the actual values will not be in the web.config but protected via the Portal where you have separate access control capabilities. These values will be substituted for the values that you entered in your web.config. Make sure that the names are the same.
使用客户端 ID 和证书而不是客户端 ID 和客户端密钥对 Azure AD 应用程序进行身份验证.以下是在 Azure Web 应用中使用证书的步骤:
authenticate an Azure AD application is by using a Client ID and a Certificate instead of a Client ID and Client Secret. Following are the steps to use a Certificate in an Azure Web App:
- 获取或创建证书
- 将证书与 Azure AD 应用程序相关联
- 将代码添加到您的 Web 应用程序以使用证书
- 为您的网络应用添加证书
<小时>
您可能还会找到一种使用环境变量来存储凭据的方法.仅当您可以保证无法在 prod 机器上对 env 变量进行快照时,这才可以.查看认为对您的秘密有害的环境变量了解更多详情.
最后一件事:还有一种基于该想法的技术,即您只需要存储/传递一个 ClientSecret 值,而 ClientId 应根据托管应用程序的机器/容器详细信息(例如 docker容器 ID).我找到了一个 Hashicorp Vault 的例子和一个托管在 AWS 上的应用程序,但总体思路是一样的:使用 Vault 进行秘密管理
And the last one thing: there is also a technic that based on the idea, that you need to store/pass only a ClientSecret value while ClientId should be constructed based on machine/container details where the App is hosted (e.g. docker container id). I have found an example for Hashicorp Vault and an App hosted on AWS, but the general idea is the same: Secret management with Vault
这篇关于存储 Azure Vault 客户端 ID 和客户端密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
