如何从本地 asp.net 应用程序在 Azure Key Vault 中设置机密 [英] How to set a secret in Azure Key Vault from a local asp.net application

问题描述

I have a local asp.net core 3.1 application that I want to set a secret in an Azure Key Vault. The following is the code I used from Microsoft:

string secretName = "xxSecret";

string keyVaultName = Environment.GetEnvironmentVariable("KEY_VAULT_NAME");
var kvUri = "https://" + keyVaultName + ".vault.azure.net";
var secretClient = new SecretClient(new Uri(kvUri), new DefaultAzureCredential());

string secretValue = "test";
secretClient.SetSecret(secretName, secretValue);
KeyVaultSecret secret = secretClient.GetSecret(secretName);

When I try to set a secret, I get the following error in Postman:

Azure.Identity.AuthenticationFailedException: DefaultAzureCredential authentication failed.
 ---> Azure.Identity.AuthenticationFailedException: SharedTokenCacheCredential authentication failed.
 ---> Microsoft.Identity.Client.MsalServiceException: AADSTS70002: The client does not exist or is not 
enabled for consumers. If you are the application developer, configure a new application through the 
App Registrations in the Azure Portal

I don't want to register this app, yet as I want to debug this locally. I'm guessing the issue is that I don't a correct Access Policy set up. How do I grant my local app access?

(Before I run the app locally, I authenticate to my Azure directory using Azure PowerShell. )

解决方案

How do I grant my local app access?

For local development, AzureServiceTokenProvider fetches tokens using Visual Studio, Azure CLI, or Azure AD Integrated Authentication. Each option is tried sequentially and the library uses the first option that succeeds.

To authenticate by using Visual Studio:

Sign in to Visual Studio and use Tools > Options to open Options.

Select Azure Service Authentication, choose an account for local development, and select OK.

On azure, you need to go to your Azure keyvault. Click Access Policies and add your account which login vs before with Get and Set permission for secret. Then you could use your code to get the secret value.

Also you could use AzureServiceTokenProvider to get secret without initializing your secret value.

var KeyVaultUrl = "https://xxx.vault.azure.net/secrets/xxx/xxxxxxxxxxxxxx";
AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secret = keyVaultClient.GetSecretAsync(KeyVaultUrl).Result.Value;

这篇关于如何从本地 asp.net 应用程序在 Azure Key Vault 中设置机密的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！