Azure KeyVault scopes help for access denied error

Question


I'm trying to access Azure KeyVault using the code snippets below. I've checked that the web app has all the permissions needed, like specifically adding all the cryptographic permissions for the web app under access policies for the key vault.

The application is a .NET 6 Web API running locally within Docker, so most of the security options in the tutorials haven't been possible.

I have had it working using a hard-coded access token, so I am confident things like my key name, key version and URI are correct.

When switching to use a client ID and secret I instead get an access denied error.

What I'm less sure about is the scopes. I've tried options I've found online like the key vault URI, trying the values on the properties page of the key vault and the general key vault scope, but not had any success so far.

What scope am I supposed to be requesting here, and is there a good documentation page to help with this? The ones I've tried so far haven't been very helpful.

using System;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Identity.Client;

var app = ConfidentialClientApplicationBuilder.Create(_clientId)
    .WithClientSecret(_clientSecret)
    .WithAuthority(authority)
    .Build();

// Scope requested here is "<vault URI>/.default" (e.g. https://myvault.vault.azure.net/.default);
// this is the request that produces the access denied error described above.
var authResult = await app.AcquireTokenForClient(new[] { $"{kvUri}/.default" }).ExecuteAsync();
var accessToken = authResult.AccessToken;

// The callback hands back the same pre-acquired token whatever challenge the vault returns.
_keyVaultClient = new KeyVaultClient(
            async (string authority, string resource, string scope) => accessToken);

var refreshTokenResult = await _keyVaultClient.DecryptAsync(kvUri, "mykeyname", keyVersion, "RSA-OAEP", settings.RefreshTokenBinary);

Answer 1

Score: 1

From @juunas' comment:

The scope should be https://vault.azure.net/.default

This solved the issue.
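The answer gives the scope but not where it comes from, so here is an added example (not the questioner's code and not from the answer) that wires the MSAL client-credentials flow into the same legacy Microsoft.Azure.KeyVault client through its authentication callback. The point it demonstrates is that the scope is the Key Vault service audience plus "/.default", not the URI of an individual vault: the vault's WWW-Authenticate challenge hands that audience to the callback as the "resource" argument, so deriving the scope from it yields exactly https://vault.azure.net/.default for public Azure and the matching value for sovereign clouds. Everything in the class below (the class name, the tenantId/clientId/clientSecret/vaultUri/keyName/keyVersion parameters, and the assumption that the service principal holds the "decrypt" key permission in the vault's access policy) is assumed for illustration.

```csharp
// Added example: MSAL client-credentials token for Key Vault, using the scope from the
// answer (https://vault.azure.net/.default) and the legacy Microsoft.Azure.KeyVault client.
// Assumptions: tenantId/clientId/clientSecret identify an app registration whose service
// principal has the "decrypt" key permission on the vault; vaultUri/keyName/keyVersion and
// the ciphertext are supplied by the caller.
using System;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.WebKey;
using Microsoft.Identity.Client;

public sealed class KeyVaultDecryptor
{
    // Scope from the answer: the Key Vault *service* resource identifier plus "/.default".
    // A single vault's URI (https://<name>.vault.azure.net) is not a valid token audience.
    private const string KeyVaultScope = "https://vault.azure.net/.default";

    private readonly IConfidentialClientApplication _app;
    private readonly KeyVaultClient _client;

    public KeyVaultDecryptor(string tenantId, string clientId, string clientSecret)
    {
        _app = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(new Uri($"https://login.microsoftonline.com/{tenantId}"))
            .Build();

        // The callback runs on every request. MSAL caches the app token and only calls the
        // token endpoint again when it is near expiry, so no hand-rolled refresh is needed.
        _client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetTokenAsync));
    }

    private async Task<string> GetTokenAsync(string authority, string resource, string scope)
    {
        // "resource" is the audience the vault returned in its WWW-Authenticate challenge
        // (https://vault.azure.net for public Azure). Building the scope from it gives the
        // value from the answer and also the right audience for sovereign-cloud vaults,
        // whose challenge carries a different host (e.g. https://vault.azure.cn).
        string requestedScope = string.IsNullOrEmpty(resource)
            ? KeyVaultScope
            : $"{resource.TrimEnd('/')}/.default";

        AuthenticationResult result = await _app
            .AcquireTokenForClient(new[] { requestedScope })
            .ExecuteAsync()
            .ConfigureAwait(false);
        return result.AccessToken;
    }

    // Same DecryptAsync overload the question uses; the algorithm constant resolves to "RSA-OAEP".
    public async Task<byte[]> DecryptAsync(string vaultUri, string keyName, string keyVersion, byte[] ciphertext)
    {
        KeyOperationResult result = await _client.DecryptAsync(
                vaultUri, keyName, keyVersion, JsonWebKeyEncryptionAlgorithm.RSAOAEP, ciphertext)
            .ConfigureAwait(false);
        return result.Result;
    }
}
```

If the token is still accepted but the decrypt call is refused, the remaining thing to check is the access policy itself: "decrypt" is a key permission on the policy entry for this app's service principal (or the Key Vault Crypto User role when the vault uses RBAC), and it must be granted to the application's object, not to a user who happens to own the app registration. A side note outside the page: the current Azure.Security.KeyVault.Keys CryptographyClient used with an Azure.Identity ClientSecretCredential performs this challenge-to-scope step internally, which is why the scope question never arises with that SDK.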

huangapple
  • Posted by huangapple on 2023-03-12 17:18:20
  • Please keep this link when reposting: https://go.coder-hub.com/75712129.html