如何在Azure中正确存储连接字符串？ [英] How to properly store connection strings in Azure?

问题描述

SQL天蓝色连接字符串始终包含一个密码（因为Azure SQL Server不支持操作系统身份验证），因此将其保存在 web.config 文件中是不安全的。在网上可以找到的典型建议是将它们移至云配置设置，这意味着在 ServiceDefinition的 ServiceDefinition / WebRole / ConfigurationSettings 部分中声明一个设置.csdef 文件，以便您可以在门户中对其进行编辑：

SQL azure connection strings always include a password (as Azure SQL Server doesn't support OS authentication) which makes it unsafe to keep them in web.config files. A typical recommendation you can find on the net is to move them to cloud configuration settings which means declaring a setting in ServiceDefinition/WebRole/ConfigurationSettings section of ServiceDefinition.csdef file so that you can edit them in the portal:

此方法的问题是，每当您重新部署站点时，您在门户中设置的设置都会被 ServiceConfiguration。*。cscfg中的值覆盖。 。当然，您可以将连接字符串放入文件中，但这毫无意义，因为您仍将秘密保留在源代码控制中。

The problem with this approach is whenever you re-deploy your site the settings you set in the portal get overriden with what values are in ServiceConfiguration.*.cscfg. Of course, you can put your connection strings to the file but that's pointless as you still keep the secrets in a source control.

Azure Key Vault 在这里可能是一个很好的解决方案，但我想在尝试此方法之前先探索其他选项。您会建议什么？

Azure Key Vault could be a good solution here but I'd like to explore other options before going this route. What would you recommend?

推荐答案

为服务创建托管身份，然后使用密钥保险库将访问策略添加到密钥保险库。无需存储客户端密钥，所有配置都以安全方式存储

Create managed identities for your service and Use Key vault to add the access policy to key vault . NO need to store client Secret and all the configuration is stored in secured way

这篇关于如何在Azure中正确存储连接字符串？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！