Can't Access Azure Key Vault from desktop console app


Question

I am having trouble accessing a secret from an Azure key vault. I suspect the problem is that I don't adequately understand the terminology, so the arguments I'm supplying to various API calls are wrong.

Here's the basic code I'm using:

    protected async Task<string> GetCommunityKeyAsync( UserConfiguration user )
    {
        var client = new KeyVaultClient( 
            new KeyVaultClient.AuthenticationCallback( GetAccessTokenAsync ),
            new HttpClient() );

        // user.VaultUrl is the address of my key vault
        // e.g., https://previously-created-vault.vault.azure.net
        var secret = await client.GetSecretAsync( user.VaultUrl, "key-to-vault-created-in-azure-portal" );

        return secret.Value;
    }

    private async Task<string> GetAccessTokenAsync( string authority, string resource, string scope )
    {
        var context = new AuthenticationContext( authority, TokenCache.DefaultShared );

        // this line throws a "cannot identify user" exception; see
        // below for details
        var result =
            await context.AcquireTokenAsync( resource, "id-of-app-registered-via-azure-portal", new UserCredential() );

        return result.AccessToken;
    }

Here's the exception that's thrown:

Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException
HResult=0x80131500 Message=unknown_user: Could not identify logged in user Source=Microsoft.IdentityModel.Clients.ActiveDirectory
StackTrace: at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenNonInteractiveHandler.d__4.MoveNext() at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.d__57.MoveNext() at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.d__37.MoveNext() at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContextIntegratedAuthExtensions.d__0.MoveNext() at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.TaskAwaiter1.GetResult() at NextDoorScanner.ScannerJob.<GetAccessTokenAsync>d__21.MoveNext() in C:\Programming\CommunityScanner\CommunityScanner\ScannerJob.cs:line 197 at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.ConfiguredTaskAwaitable1.ConfiguredTaskAwaiter.GetResult() at Microsoft.Azure.KeyVault.KeyVaultCredential.d__9.MoveNext() at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.ConfiguredTaskAwaitable1.ConfiguredTaskAwaiter.GetResult() at Microsoft.Azure.KeyVault.KeyVaultCredential.<ProcessHttpRequestAsync>d__10.MoveNext() at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Azure.KeyVault.KeyVaultClient.<GetSecretWithHttpMessagesAsync>d__65.MoveNext() at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.ConfiguredTaskAwaitable
1.ConfiguredTaskAwaiter.GetResult() at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.d__11.MoveNext() at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.TaskAwaiter1.GetResult() at NextDoorScanner.ScannerJob.<GetCommunityKeyAsync>d__20.MoveNext() in C:\Programming\CommunityScanner\CommunityScanner\ScannerJob.cs:line 188 at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.TaskAwaiter1.GetResult() at NextDoorScanner.NextDoorScannerJob.d__4.MoveNext() in C:\Programming\CommunityScanner\CommunityScanner\NextDoorScannerJob.cs:line 46 at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult() at NextDoorScanner.Program.Main(String[] args) in C:\Programming\CommunityScanner\CommunityScanner\Program.cs:line 22

I did some configuration, which I thought involved registering my desktop as an Azure user, via PowerShell:

Login-AzureRmAccount
# as I recall, this next line complained about the app ID already being defined
New-AzureRmADServicePrincipal -ApplicationId 'id-of-app-previously-defined-via-azure-portal'
Set-AzureRmKeyVaultAccessPolicy -VaultName 'vault-name' -ServicePrincipalName 'id-of-app-previously-defined-via-azure-portal' -PermissionsToSecrets Get

I'm unclear if I'm supposed to be providing the vault key to GetSecretAsync(). I also wonder if I'm supposed to be doing something other than passing a newly-created UserCredential to AcquireTokenAsync(). Finally, I see references online to creating a storage account for use with key vaults, which I did, but I didn't create the vault I'm using "in" a storage account. And I'm not identifying the storage account in the code.

Help, or a reference to a really good example accessing key vaults from a console desktop app, would be appreciated.

Answer

Mark's blog was extremely helpful; from that blog I learnt how to do it, and below are the steps and code as of 6-Nov-2018.

Summary of steps:

  1. Register an app
  2. Create a key inside this newly registered app
  3. Create the Key Vault and assign permissions to the app
  4. Create a secret in the vault
  5. Access them via code

using Microsoft.Azure.KeyVault;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;

namespace Experiments.AzureKeyValut
{
    internal class AzureKeyValueDemo
    {
        private static async Task Main(string[] args)
        {
            await GetSecretAsync("https://YOURVAULTNAME.vault.azure.net/", "YourSecretKey");
        }

        private static async Task<string> GetSecretAsync(string vaultUrl, string vaultKey)
        {
            var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessTokenAsync), new HttpClient());
            var secret = await client.GetSecretAsync(vaultUrl, vaultKey);

            return secret.Value;
        }

        private static async Task<string> GetAccessTokenAsync(string authority, string resource, string scope)
        {
            //DEMO ONLY
            //Storing ApplicationId and Key in code is bad idea :)
            var appCredentials = new ClientCredential("YourApplicationId", "YourApplicationKey");
            var context = new AuthenticationContext(authority, TokenCache.DefaultShared);

            var result = await context.AcquireTokenAsync(resource, appCredentials);

            return result.AccessToken;
        }
    }
}
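The answer's client-credential flow, as an added example (not the answer's or Mark's code), with the application ID and key read from the environment instead of being embedded in source, the vault address and the token resource checked before a token is requested, and one shared ADAL cache so a token is reused until it expires. The environment variable names and the class name are my assumptions.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

namespace Experiments.AzureKeyVaultSafe
{
    // Added example: same KeyVaultClient + ADAL ClientCredential flow as the answer,
    // with the app registration's ID and key kept out of the code base.
    internal static class KeyVaultSecretReader
    {
        // Resource identifier Key Vault's WWW-Authenticate challenge hands to the callback.
        private const string KeyVaultResource = "https://vault.azure.net";

        // Assumed variable names; set them in the process environment, never in code.
        private static readonly string AppId = RequireEnv("AZURE_CLIENT_ID");
        private static readonly string AppKey = RequireEnv("AZURE_CLIENT_SECRET");

        private static string RequireEnv(string name)
        {
            var value = Environment.GetEnvironmentVariable(name);
            if (string.IsNullOrWhiteSpace(value))
                throw new InvalidOperationException($"Environment variable {name} is not set.");
            return value;
        }

        public static async Task<string> GetSecretAsync(string vaultUrl, string secretName)
        {
            // Refuse to send a bearer token anywhere but an https Key Vault address.
            var uri = new Uri(vaultUrl);
            if (uri.Scheme != Uri.UriSchemeHttps ||
                !uri.Host.EndsWith(".vault.azure.net", StringComparison.OrdinalIgnoreCase))
                throw new ArgumentException("Expected https://<name>.vault.azure.net", nameof(vaultUrl));

            var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessTokenAsync), new HttpClient());
            var secret = await client.GetSecretAsync(uri.GetLeftPart(UriPartial.Authority), secretName);
            return secret.Value;
        }

        private static async Task<string> GetAccessTokenAsync(string authority, string resource, string scope)
        {
            // This callback only ever mints tokens for Key Vault; reject any other resource.
            if (!string.Equals(resource.TrimEnd('/'), KeyVaultResource, StringComparison.OrdinalIgnoreCase))
                throw new InvalidOperationException($"Unexpected token resource: {resource}");

            // TokenCache.DefaultShared lets ADAL reuse the token across secret reads.
            var context = new AuthenticationContext(authority, TokenCache.DefaultShared);
            var result = await context.AcquireTokenAsync(resource, new ClientCredential(AppId, AppKey));
            return result.AccessToken;
        }
    }
}
```

The app registration still needs only the Get permission on secrets from step 3; the environment variables hold the values produced in steps 1 and 2.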

[Screenshot: How to register your app]

[Screenshot: How to create a key (password) for the Azure app and get the app's ID]

[Screenshot: How to create the Azure Key Vault and assign permissions]

[Screenshot: How to create the Azure secret]

[Screenshot: How to access it via code]
