存储Azure Vault客户端ID和客户端密钥 [英] Storing Azure Vault Client ID and Client Secret
问题描述
我正在使用.NET Core 2.0和ASP.NET Core 2.0进行应用程序开发。 测试应用程序是.NET Core控制台应用程序。我正在编写的核心代码是类库。一旦正确测试。我之所以选择这样做,是因为我暂时不会使用它了(它将代替旧的ASPNET代码)。
I am using .NET Core 2.0 and ASP.NET Core 2.0 for application development. The "test" application is a .NET Core Console application. The core code I am writing is a class library. Once proper testing. I choose to do this since I won't be putting this to use for awhile (it's replacing older ASPNET code).
无论如何,由于我必须使用大量用于各种服务的API密钥,因此我决定使用Microsoft Azure密钥保管库存储密钥。我已完成所有设置,并了解其工作原理。测试应用程序使用测试的Azure帐户,因此并不重要。而且由于这是在替换早期代码,而且还处于起步阶段,所以我是唯一的开发人员。
Anyway, since I have to work with a LOT of API keys for various services I decided to use Microsoft Azure Key Vault for storing the keys. I have this all setup and understand how this works. The test application uses a test Azure account so it's not critical. And since this is replacing legacy code and it's in the infancy, I am the sole developer.
基本上,我遇到了这个问题。据我所知,Azure Key Vault上没有太多信息。许多示例将 Client ID and Secret (客户ID和机密)存储在纯文本 json文件中(例如: https://www.humankode.com/asp-net-core/如何使用网络核心秘密存储天蓝色密钥库中的内容)。我真的不明白该如何确保安全。如果有人要获得这些密钥,他们可以轻松访问Azure的存储信息,对吗?
Basically, I'm running into this issue. There's not too much information on Azure Key Vault from what I can see. A lot of examples are storing the Client ID and Secret in a plain text json file (for example: https://www.humankode.com/asp-net-core/how-to-store-secrets-in-azure-key-vault-using-net-core). I really don't understand how this can be secure. If someone were to get those keys they could easily access stored information Azure, right?
Microsoft MSDN拥有一个可授予访问权限的powershell命令(我丢失了原始链接,我能找到的最接近的东西: https://www.red-gate.com/simple-talk/cloud/platform-as-a-service/setting-up-and-configuring-an-azure-key- Vault / )我的开发操作系统是Windows 10,主要服务器操作系统是Debian。
The Microsoft MSDN has a powershell command that grants access (I lost the original link, this is closest I can find: https://www.red-gate.com/simple-talk/cloud/platform-as-a-service/setting-up-and-configuring-an-azure-key-vault/) My development operating system is Windows 10 and my primary server operating system is Debian.
我将如何处理?
推荐答案
是的,你是正确,纯文本配置文件只能在开发期间使用,不能用于生产目的。通常,可用选项取决于您托管应用程序的位置和方式。
Yes, you are right, the plain text config file could be used only during development, not for production purpose. And in general, available options depend on where and how you host an App.
如果您有Azure Web App,则至少有下一个内置选项(<文档中的href = https://docs.microsoft.com/zh-cn/azure/key-vault/key-vault-use-from-web-application rel = noreferrer> ) :
If you have an Azure Web App, you have at least next built-in options (from the documentation):
在Azure门户中为AppSettings添加ClientId和ClientSecret值。这样,实际值将不在web.config中,而是通过您具有单独访问控制功能的Portal进行保护。这些值将替换您在web.config中输入的值。确保名称相同。
add the ClientId and ClientSecret values for the AppSettings in the Azure portal. By doing this, the actual values will not be in the web.config but protected via the Portal where you have separate access control capabilities. These values will be substituted for the values that you entered in your web.config. Make sure that the names are the same.
通过使用客户端ID和证书而不是客户端ID和客户端密钥来认证Azure AD应用程序。以下是在Azure Web应用程序中使用证书的步骤:
authenticate an Azure AD application is by using a Client ID and a Certificate instead of a Client ID and Client Secret. Following are the steps to use a Certificate in an Azure Web App:
- 获取或创建证书
- 将证书与Azure AD应用程序关联
- 将代码添加到Web应用程序以使用证书
- 将证书添加到Web应用程序
- Get or Create a Certificate
- Associate the Certificate with an Azure AD application
- Add code to your Web App to use the Certificate
- Add a Certificate to your Web App
您可能还会发现一种使用env变量存储凭据的方法。仅当您可以保证无法在生产机上对env变量进行快照时,这才可以。有关更多详细信息,请查看被认为对您的秘密有害的环境变量。
最后一件事:还有一种基于该思想的技术,您只需要存储/传递一个ClientSecret值ClientId应该根据托管应用程序的机器/容器的详细信息构造(例如docker容器ID)。我已经找到了Hashicorp Vault和AWS托管的应用程序的示例,但总体思路是相同的:使用保险柜进行秘密管理
And the last one thing: there is also a technic that based on the idea, that you need to store/pass only a ClientSecret value while ClientId should be constructed based on machine/container details where the App is hosted (e.g. docker container id). I have found an example for Hashicorp Vault and an App hosted on AWS, but the general idea is the same: Secret management with Vault
这篇关于存储Azure Vault客户端ID和客户端密钥的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
