如何安全地验证我自己托管的本地Windows服务中使用的库? [英] How to securely authenticate my library used in self-hosted, on-prem Windows service?
问题描述
我写了一个将在多个Windows服务中使用的C#库。该库使用app.config中定义的当前(开发期间)的秘密很少。我们希望将它们移动到Azure Key Vault中。但是,目前尚不清楚在本地(不在Azure中)的本地/网络帐户下运行的自托管
服务如何对自己进行身份验证以访问Azure Key Vault,而不会在其配置文件中引入另一个秘密。有人可以指出描述该情景的现有文章吗?
问候,德米特里
< blockquote>
您可以尝试使用Service Principal从您的内部部署访问 Azure Key Vault。
对于服务主体,您需要使用Azure门户在Azure AD租户中注册新应用程序
应用程序注册页面。
创建密钥保管库后,您可以在Azure密钥保管库中创建新的访问策略,并为您已注册的应用程序
提供相应的密钥/机密权限。 您可以通过门户网站实现相同目标,也可以使用PowerShell执行相同操作。请参阅
page 使用PowerShell实现相同目标。
现在,在您的代码中使用Azure Key Vault SDK和Azure AD身份验证库(ADAL),您可以验证和访问Azure Key Vault
密钥/机密。有关实施细节,请参阅
GitHub示例。
I wrote a C# library that is going to be used in multiple Windows services. The library uses few secrets that are currently (during development) defined in app.config. We want to move them into Azure Key Vault. However it is not clear how those self-hosted services, running under local/network accounts on premises (not in Azure) can authenticate themselves to get access to Azure Key Vault without introducing yet another secret in their config files. Can somebody point to existing article describing that scenario?
Regards, Dmitry
You can try using Service Principal to access the Azure Key Vault from your on-premises. For a Service Principal, you need to register a new application in your Azure AD tenant using Azure portal Application registrations page.
Once you create a key vault you can create a new access policy in Azure Key Vault and provide respective Key/Secret Permissions to the application you have registered. You can achieve the same through the portal or you can use PowerShell to do the same. Please refer to page to achieve the same using PowerShell.
Now, using Azure Key Vault SDK along with Azure AD Authentication Library (ADAL) in your code you can authenticate and access Azure Key Vault key/secrets. Please refer to GitHub sample for implementation details.
这篇关于如何安全地验证我自己托管的本地Windows服务中使用的库?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
