Azure Managed Identity from within a docker container running locally


Problem description


I am running a docker container consisting of an asp.net core 2.2 api. This api needs access to Azure key vault and I have signed in into Visual studio with a user that has the right access policies on the Key Vault to retrieve secrets. However, when I use visual studio tools for docker to debug the container, this particular sign in does not seem to propagate inside the container running locally. But when I run the application locally (without running it in a docker container) the asp net core configuration provider seems to pick up my visual studio login. Any pointers on this are helpful

Recommended answer


I had the same problem with docker and MSI on my mac. I ended up doing the following workaround:


First get an access token from the CLI and set it in the environment (and remember to pass it to docker):

export ACCESS_TOKEN=$(az account get-access-token --resource=https://vault.azure.net | jq -r .accessToken)


In the code, pick it up if the token is in the environment:

using System;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

KeyVaultClient keyVaultClient;
// Token fetched with "az account get-access-token" on the host and handed to the
// container through its environment (docker -e / --env-file).
var accessToken = Environment.GetEnvironmentVariable("ACCESS_TOKEN");
if (accessToken != null)
{
    // Pre-fetched token: the authentication callback just returns it and
    // ignores the authority/resource/scope it is asked for.
    keyVaultClient = new KeyVaultClient(
        async (string a, string r, string s) => accessToken);
}
else
{
    // Normal path (MSI, Visual Studio or CLI sign-in) when running outside docker.
    var azureServiceTokenProvider = new AzureServiceTokenProvider();
    keyVaultClient = new KeyVaultClient(
        new KeyVaultClient.AuthenticationCallback(
            azureServiceTokenProvider.KeyVaultTokenCallback));
}
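The workaround above hands a CLI access token to the container through its environment. As an added example (not part of the answer), a POSIX shell script that checks the token's audience and expiry before starting the container; the function names, the --env-file hand-off and the GNU base64 -d assumption are mine, and the token's signature is not verified here, only its payload is read:

```shell
#!/bin/sh
# Added example, not from the original answer: check an az CLI access token
# before passing it to a locally running container. Only the JWT payload is
# decoded; the signature is not verified (the CLI obtained it from Azure AD).
# Assumes GNU coreutils base64 (-d), and docker and az on PATH.

# Print the decoded JWT payload (second dot-separated part), restoring padding.
jwt_payload() {
    p=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    case $(( ${#p} % 4 )) in
        2) p="$p==" ;;
        3) p="$p=" ;;
    esac
    printf '%s' "$p" | base64 -d 2>/dev/null
}

# Print one top-level claim (string or number) from the payload, e.g. aud or exp.
jwt_claim() {
    jwt_payload "$1" | sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

# Succeed only if the token is for Key Vault and valid for at least $2 more
# seconds; $3 overrides "now" (epoch seconds) so the check can be unit-tested.
token_usable() {
    aud=$(jwt_claim "$1" aud)
    exp=$(jwt_claim "$1" exp)
    now=${3:-$(date +%s)}
    [ "$aud" = "https://vault.azure.net" ] || return 1
    [ -n "$exp" ] && [ "$((exp - now))" -ge "$2" ]
}

# Get a token from the CLI and start the image named in $1 only if it checks out.
# The token goes in through --env-file rather than -e, so it does not land in
# shell history or the host process list; the file is deleted after start.
run_with_token() {
    token=$(az account get-access-token --resource=https://vault.azure.net \
                --query accessToken -o tsv) || return 1
    token_usable "$token" 300 || { echo "token missing, wrong audience or expiring" >&2; return 1; }
    envfile=$(mktemp) || return 1
    printf 'ACCESS_TOKEN=%s\n' "$token" > "$envfile"
    docker run --rm --env-file "$envfile" "$1"
    rm -f "$envfile"
}

# Usage (interactive): run_with_token my-api-image:dev
```

The token is still visible to anyone who can run docker inspect on the container, so the short lifetime of the CLI token is the only thing bounding that exposure; the expiry check above exists to make that bound explicit rather than to hide the token.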
