Removing Secrets from Azure Function Config


Question

Like most Azure Functions in the beginning we have a connection string to the associated storageaccount that includes the Accountkey like this

DefaultEndpointsProtocol=https;AccountName=ourstorageAccount;EndpointSuffix=core.windows.net;AccountKey=WQfbn+VBhaY1fi/l0eRBzvAvngiCiOwPmx/==

We obviously want to remove that AccountKey. I had hoped we could use Managed Identity and the 'Contributor' role, but what I am reading is telling me you cannot use Managed Identity to access Tables in a Storage Account, only Blobs.

I know that we could move the whole connection string to Key Vault, but that just becomes an Azure management issue if we want to rotate the keys.

Has anyone successfully controlled access to Azure Table Storage with Managed Identities?

If not, what is the next best approach that preferably allows for simple rotation of keys?

Answer

Has anyone successfully controlled access to Azure Table Storage with Managed Identities?

Definitely, it is unable to access Azure Table Storage with MSI (managed identity; essentially it is a service principal in Azure AD). When using MSI to access some Azure resources, it essentially uses the Azure AD client credential flow to get the token, then uses the token to access the resource.

However, Azure AD auth is only supported by Azure Blob and Queue storage; Table storage doesn't support it currently, see - Authorize access to blobs and queues using Azure Active Directory.

If not, what is the next best approach that preferably allows for simple rotation of keys?

You could use an Azure Function to do that; follow this doc - Automate the rotation of a secret for resources with two sets of authentication credentials. I think it completely meets your requirement: this tutorial rotates Azure Storage account keys stored in Azure Key Vault as secrets, using a function triggered by an Azure Event Grid notification.
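The two-credential rotation pattern the answer points to, as an added illustration that is not part of the original question or answer and not the code from the linked tutorial: a Key Vault secret holds the storage connection string and is tagged with which account key (key1 or key2) it currently embeds; when Key Vault emits a SecretNearExpiry event, the function regenerates the key that is not in use and stores it as the new secret version, so the connection string applications are currently reading keeps working until they pick up the new one. The Key Vault, ARM and Event Grid bindings are replaced here by injected callables so the logic runs offline; in a real function you would supply SecretClient.get_secret / set_secret and StorageManagementClient.storage_accounts.regenerate_key in their place. The tag names (CredentialId, ProviderAddress, ValidityPeriodDays), the secret name and the key values are constructed for the demo.

```python
"""Storage-key rotation helper (added example, not from the original post)."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

NEAR_EXPIRY = "Microsoft.KeyVault.SecretNearExpiry"  # Event Grid event type
KEY_NAMES = ("key1", "key2")                          # the two storage account keys


def parse_connection_string(cs: str) -> Dict[str, str]:
    """Split 'k=v;k=v' into a dict; AccountKey is base64 and may end in '='."""
    parts: Dict[str, str] = {}
    for item in cs.split(";"):
        if item:
            k, _, v = item.partition("=")   # split on the first '=' only
            parts[k] = v
    return parts


def build_connection_string(account: str, key: str, suffix: str = "core.windows.net") -> str:
    return (f"DefaultEndpointsProtocol=https;AccountName={account};"
            f"AccountKey={key};EndpointSuffix={suffix}")


def alternate_key(current: str) -> str:
    """key1 -> key2 and key2 -> key1; any other tag value is a misconfiguration."""
    if current not in KEY_NAMES:
        raise ValueError(f"unexpected CredentialId tag: {current!r}")
    return KEY_NAMES[1 - KEY_NAMES.index(current)]


@dataclass
class Secret:
    name: str
    value: str
    tags: Dict[str, str]
    expires_on: datetime


def rotate(secret: Secret, regenerate_key: Callable[[str, str], str],
           store_secret: Callable[[Secret], None], now: Optional[datetime] = None) -> Secret:
    """Regenerate the key NOT referenced by the secret, then publish it as a new version."""
    now = now or datetime.now(timezone.utc)
    account = secret.tags["ProviderAddress"].rsplit("/", 1)[-1]   # resource id -> account name
    new_key_name = alternate_key(secret.tags["CredentialId"])
    new_key = regenerate_key(account, new_key_name)               # ARM: regenerate key
    validity = int(secret.tags.get("ValidityPeriodDays", "60"))
    new_secret = Secret(name=secret.name,
                        value=build_connection_string(account, new_key),
                        tags={**secret.tags, "CredentialId": new_key_name},
                        expires_on=now + timedelta(days=validity))
    store_secret(new_secret)                                      # Key Vault: set_secret
    return new_secret


def handle_event(event_json: str, get_secret: Callable[[str], Secret],
                 regenerate_key: Callable[[str, str], str],
                 store_secret: Callable[[Secret], None],
                 now: Optional[datetime] = None) -> Optional[Secret]:
    """What an Event Grid-triggered function would run; ignores unrelated event types."""
    event = json.loads(event_json)
    if event.get("eventType") != NEAR_EXPIRY:
        return None
    secret = get_secret(event["data"]["ObjectName"])
    return rotate(secret, regenerate_key, store_secret, now)


def demo() -> Dict[str, object]:
    """Offline run with constructed fakes standing in for Key Vault and ARM."""
    fixed_now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    resource_id = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
                   "/providers/Microsoft.Storage/storageAccounts/ourstorageaccount")  # constructed
    vault = {"storage-conn": Secret(
        name="storage-conn",
        value=build_connection_string("ourstorageaccount", "OLDKEY=="),  # constructed value
        tags={"CredentialId": "key1", "ProviderAddress": resource_id, "ValidityPeriodDays": "60"},
        expires_on=fixed_now + timedelta(days=1))}
    regenerated: List[Tuple[str, str]] = []

    def fake_regenerate(account: str, key_name: str) -> str:
        regenerated.append((account, key_name))
        return f"NEW-{key_name}-VALUE=="      # constructed stand-in for the new base64 key

    def fake_store(s: Secret) -> None:
        vault[s.name] = s

    event = json.dumps({"eventType": NEAR_EXPIRY,
                        "data": {"VaultName": "kv-demo", "ObjectType": "Secret",
                                 "ObjectName": "storage-conn"}})
    other = json.dumps({"eventType": "Microsoft.KeyVault.SecretNewVersionCreated", "data": {}})
    new = handle_event(event, vault.__getitem__, fake_regenerate, fake_store, fixed_now)
    return {"regenerated": regenerated,
            "credential_id": new.tags["CredentialId"],
            "account_key": parse_connection_string(new.value)["AccountKey"],
            "valid_days": (new.expires_on - fixed_now).days,
            "ignored": handle_event(other, vault.__getitem__, fake_regenerate, fake_store)}


if __name__ == "__main__":
    print(demo())
```

Because the secret is tagged with the key it embeds, each rotation touches only the idle key, and the Function's own identity needs just the Key Vault secret permissions and the storage key-regeneration action; the application reads the secret by reference and never sees the key being replaced.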
