如何在Azure中正确存储连接字符串? [英] How to properly store connection strings in Azure?
问题描述
SQL天蓝色连接字符串始终包含一个密码(因为Azure SQL Server不支持操作系统身份验证),因此将其保存在 web.config
文件中是不安全的。在网上可以找到的典型建议是将它们移至云配置设置,这意味着在 ServiceDefinition的
文件,以便您可以在门户中对其进行编辑: ServiceDefinition / WebRole / ConfigurationSettings
部分中声明一个设置.csdef
SQL azure connection strings always include a password (as Azure SQL Server doesn't support OS authentication) which makes it unsafe to keep them in web.config
files. A typical recommendation you can find on the net is to move them to cloud configuration settings which means declaring a setting in ServiceDefinition/WebRole/ConfigurationSettings
section of ServiceDefinition.csdef
file so that you can edit them in the portal:
此方法的问题是,每当您重新部署站点时,您在门户中设置的设置都会被 ServiceConfiguration。*。cscfg中的值覆盖。
。当然,您可以将连接字符串放入文件中,但这毫无意义,因为您仍将秘密保留在源代码控制中。
The problem with this approach is whenever you re-deploy your site the settings you set in the portal get overriden with what values are in ServiceConfiguration.*.cscfg
. Of course, you can put your connection strings to the file but that's pointless as you still keep the secrets in a source control.
Azure Key Vault 在这里可能是一个很好的解决方案,但我想在尝试此方法之前先探索其他选项。您会建议什么?
Azure Key Vault could be a good solution here but I'd like to explore other options before going this route. What would you recommend?
推荐答案
为服务创建托管身份,然后使用密钥保险库将访问策略添加到密钥保险库。无需存储客户端密钥,所有配置都以安全方式存储
Create managed identities for your service and Use Key vault to add the access policy to key vault . NO need to store client Secret and all the configuration is stored in secured way
这篇关于如何在Azure中正确存储连接字符串?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!