Access Key Vault from local Service Fabric cluster with MSI


Question

I want to access the Key Vault from my Service Fabric application via Managed Service Identity (MSI). I have enabled MSI on the virtual machine scale set in the Azure Portal and given it access to my Key Vault resource. This works like a charm up in the cloud. However, I am having problems with my local development environment.

As far as I understand, I can grant myself access to the Key Vault and run az login in Azure CLI. Alas, this doesn't work when running the application in a local Service Fabric cluster. I assume it is because a local cluster runs under the NETWORK SERVICE account.

How can I access the Key Vault from my local cluster with MSI?

Answer

I am assuming you are using the Microsoft.Azure.Services.AppAuthentication library to get a token using MSI to authenticate to Key Vault, and this is working on Azure. If so, you can run the exact same code on your local development environment. The library will automatically switch to using MSI on Azure. You can find the documentation here.

Note: Local development for MSI scenarios is much easier when developing applications that run under the current user, e.g. App Services. In such cases you can use the Azure CLI / Visual Studio account for local development. You do not need to create a separate service principal. Azure CLI / Visual Studio do not work for Service Fabric local development, since the local cluster runs under the Network Service account.

For Service Fabric scenarios, please follow these steps:

  1. Create a service principal and give it access to Key Vault. You have two options. A certificate is better with respect to security, but slightly harder to set up.

Option 1: Create a service principal with a certificate. Make sure you give the Network Service account, or whatever account is used to run the fabric locally, access to the certificate. Refer here for details on how to give access.

OR

  2. Create an environment variable called "AzureServicesAuthConnectionString". Refer to this on creating environment variables for Service Fabric.

If using a certificate, set "AzureServicesAuthConnectionString" to

RunAs=App;AppId={AppId};TenantId={TenantId};CertificateThumbprint={Thumbprint};CertificateStoreLocation={LocalMachine or CurrentUser}

If using a password, set "AzureServicesAuthConnectionString" to

RunAs=App;AppId={AppId};TenantId={TenantId};AppKey={ClientSecret}

If the above steps do not work, please post the error you get.
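The steps above, put together as an added example in C# (not code from the answer or from the AppAuthentication library's samples): the manifest entry that hands the connection string to the code package, and a small reader that acquires Key Vault tokens through AzureServiceTokenProvider. The vault URL, secret name, code package name and parameter file name are assumptions for illustration; the API calls (AzureServiceTokenProvider, KeyVaultClient.AuthenticationCallback, GetSecretAsync, AzureServiceTokenProviderException) are the library's real ones.

```csharp
// Added example (not from the original answer). Names marked "assumed" are
// illustrative placeholders.
//
// 1) In ServiceManifest.xml, give the code package the environment variable the
//    library reads. Shown with the certificate form from the answer:
//
//   <CodePackage Name="Code" Version="1.0.0">            <!-- "Code" assumed -->
//     <EntryPoint>...</EntryPoint>
//     <EnvironmentVariables>
//       <EnvironmentVariable Name="AzureServicesAuthConnectionString"
//           Value="RunAs=App;AppId={AppId};TenantId={TenantId};CertificateThumbprint={Thumbprint};CertificateStoreLocation=LocalMachine" />
//     </EnvironmentVariables>
//   </CodePackage>
//
//    The library prefers this variable over MSI whenever it is set, so a value
//    baked into the package would also be used in Azure. Declare it as an
//    application parameter, map it with <EnvironmentOverrides> in
//    ApplicationManifest.xml, and set it only in the local parameter file
//    (e.g. Local.1Node.xml, assumed name).
//
// 2) The service code below is identical locally and in Azure.

using System;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;
using Microsoft.Azure.Services.AppAuthentication;

public sealed class KeyVaultSecretReader
{
    private const string ConnectionStringVariable = "AzureServicesAuthConnectionString";
    private readonly KeyVaultClient _client;

    public KeyVaultSecretReader()
    {
        // No connection string passed in: the provider reads the environment
        // variable if present (local cluster) and otherwise falls back to MSI (Azure).
        var tokenProvider = new AzureServiceTokenProvider();
        _client = new KeyVaultClient(
            new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));
    }

    // Describes which of the answer's options the running process is configured
    // with, and flags the weaker (client secret) form so it is not shipped.
    public static string CheckLocalConfiguration()
    {
        string cs = Environment.GetEnvironmentVariable(ConnectionStringVariable);
        if (string.IsNullOrEmpty(cs))
            return "No connection string set; MSI (or another provider) will be used.";
        if (cs.IndexOf("AppKey=", StringComparison.OrdinalIgnoreCase) >= 0)
            return "Connection string carries a client secret in plain text; prefer CertificateThumbprint.";
        if (cs.IndexOf("CertificateThumbprint=", StringComparison.OrdinalIgnoreCase) >= 0)
            return "Certificate-based service principal configured; the cluster account needs access to the private key.";
        return "Connection string set with an unrecognised RunAs form.";
    }

    public async Task<string> GetSecretAsync(string vaultBaseUrl, string secretName)
    {
        try
        {
            SecretBundle bundle = await _client.GetSecretAsync(vaultBaseUrl, secretName);
            return bundle.Value;
        }
        catch (AzureServiceTokenProviderException ex)
        {
            // Token acquisition failed (wrong thumbprint, NETWORK SERVICE cannot
            // read the private key, wrong tenant, ...): surface the provider's
            // own message, which is what the answer asks you to post.
            throw new InvalidOperationException(
                $"Could not obtain a Key Vault token: {ex.Message}", ex);
        }
    }
}

// Usage inside a service (vault URL and secret name assumed):
// var reader = new KeyVaultSecretReader();
// ServiceEventSource.Current.Message(KeyVaultSecretReader.CheckLocalConfiguration());
// string value = await reader.GetSecretAsync("https://contoso-dev.vault.azure.net/", "DbConnectionString");
```

With the certificate option, the thumbprint in the connection string must match a certificate in the store location named in the string, and the account running the local cluster (NETWORK SERVICE by default) needs read access to that certificate's private key; a missing private-key ACL is the usual reason the token call throws while the same string works under your own account.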
