检索集成在 httptrigger/queuetrigger -Python 中的 Keyvault Secret [英] Retrieving Keyvault Secret Integrated in a httptrigger/queuetrigger -Python

问题描述

我已经成功地在 httptrigger 中集成了一个秘密.我需要在 python 代码中检索和解析秘密.

I have successfully integrated a secret in a httptrigger. I need to retrieve and parse the secret in a python code.

以下代码返回保管库 ID，而不是密钥.

The following piece of code returns the vault id and not the secret.

1. 如何让它输出一个秘密值?
2. 队列触发器也可以这样做吗?

Http触发器

import logging
import os
import azure.functions as func


def main(req: func.HttpRequest) -> func.HttpResponse:
    logging.info('Python HTTP trigger function processed a request.')

    test = os.environ["testkeyvault"]
    return func.HttpResponse(
             "This" + test,
             status_code=200
        )

local.settings.json

local.settings.json

{
  "IsEncrypted": false,
  "Values": {
    "AzureWebJobsStorage": "",
    "FUNCTIONS_WORKER_RUNTIME": "python",
    "testkeyvault": "@Microsoft.KeyVault(SecretUri=https://jjjjj.vault.azure.net/secrets/AzureAuthUrl/xxxxxx)"
  }
}

函数.json

{
  "scriptFile": "__init__.py",
  "bindings": [
    {
      "authLevel": "anonymous",
      "type": "httpTrigger",
      "direction": "in",
      "name": "req",
      "methods": [
        "get",
        "post"
      ]
    },
    {
      "type": "http",
      "direction": "out",
      "name": "$return"
    }
  ]
}

推荐答案

如何让它输出一个秘密值?

How do I get it to output a secret values?

1、创建一个secret，设置值，并获取'secret identifier'，将此@Microsoft.KeyVault(SecretUri=<secret identifier>)设置为你的函数应用的设置.

1, create a secret, set the value, and get the 'secret identifier', set this @Microsoft.KeyVault(SecretUri=<secret identifier>) to the settings of your function app.

2、创建函数应用身份，并让函数身份访问对keyvault有相应的访问策略.

2, create a function app identity, and let the function identity access have the corresponding access policy to the keyvault.

队列触发器也可以这样做吗?

Can the same be done for a queuetrigger?

是的，你可以.基本上，您可以像在 httptrigger 中所做的那样从环境变量中获取它.存储在函数应用配置中的值将作为应用内环境变量读取.如果有keystore引用，只要引用成功，就会返回secret.否则会返回原来的url

Yes, you can. Basically you can get it from the environment variable as what you do in httptrigger. The value stored in the configuration of the function app will be read as an in-app environment variable. If there is a keystore reference, as long as the reference is successful, the secret will be returned. Otherwise, the original url will be returned

这篇关于检索集成在 httptrigger/queuetrigger -Python 中的 Keyvault Secret的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！