如何通过托管在Azure虚拟机中的.Net Core Web API访问Azure Key Vault的秘密。

huangapple go评论71阅读模式
英文:

How to access Azure Key Vault secrets through .Net Core Web API which is hosted in Azure Virtual Machine

问题

我对Azure Ad相当新,希望能得到您的帮助。我有一个.Net核心Web API,并且在Azure密钥保管库中创建了两个密钥。我能够在本地环境中通过API访问这些密钥,就像这样(使用Visual Studio Azure服务身份验证)。

{
    private keyVaultURL = new Uri(configuration.GetValue<string>("KeyVault:URL"));
    private DefaultAzureCredential clientCredential = new DefaultAzureCredential();

    var secretClient = new SecretClient(keyVaultURL, clientCredential);
    var secret1 = secretClient.GetSecret("secret-1");
    var secret2 = secretClient.GetSecret("secret-2");
}

现在,我已经在Azure虚拟机上托管了.Net核心Web API(生产环境 - Ubuntu),并且我希望像以前一样访问这些密钥(使用密钥保管库)。但是上面的方法不起作用,API服务失败并引发异常。我认为这是因为服务器不知道如何与Azure进行身份验证。

  1. Azure.Identity.CredentialUnavailableException:找不到存储的凭据。需要在VSCode Azure帐户中进行用户身份验证。
  2. Azure.Identity.CredentialUnavailableException:未安装Azure CLI
  3. Azure.Identity.CredentialUnavailableException:未安装PowerShell。

因此,请建议我在生产环境中以更干净的步骤实现此任务(因为我对Azure没有深刻的了解)。请注意,我不能在appsettings文件中保留和使用TenantId、ClientId和ClientSecrets。

谢谢。

英文:

I am pretty new to Azure Ad and expecting your help with this. I have a .Net core web API and I have created two secrets in Azure key vault. I am able to access these secrets through API in local environment like this (with visual studio Azure service authentication).

    {
        private keyVaultURL = new Uri(configuration.GetValue<string>("KeyVault:URL"));
        private DefaultAzureCredential clientCredential = new DefaultAzureCredential();

        var secretClient = new SecretClient(keyVaultURL, clientCredential);
        var secret1 = secretClient.GetSecret("secret-1");
        var secret2 = secretClient.GetSecret("secret-2");
    }

Now I have hosted .Net core web API on Azure Virtual Machine (Production Environment-Ubuntu) and I want to access the secrets same as before (using Key Vault). But the above method does not working and API service is failed and throws exceptions. Think its because server does not know how to authenticate with Azure.

  1. Azure.Identity.CredentialUnavailableException: Stored credentials not found. Need to authenticate user in VSCode Azure Account.
  2. Azure.Identity.CredentialUnavailableException: Azure CLI not installed
  3. Azure.Identity.CredentialUnavailableException: PowerShell is not installed.

So, Please suggest me the correct way with cleaner steps (since I don't have deep understanding of Azure) to achieve this task in production environment. Please note that I can not keep and use TenantId, ClientId and ClientSecrets in appsettings file.

Thank you.

答案1

得分: 4

我们可以使用 DefaultAzureCredential 来进行身份验证并访问 Azure 密钥保管库中的秘密,但 DefaultAzureCredential 会尝试通过多种机制进行身份验证。这就是为什么您的代码在 Visual Studio 中运行良好,但在发布到 VM 后无法正常工作的原因。

您可以检查 Azure 密钥保管库中设置的访问策略,例如,您是否允许您的用户帐户访问此密钥保管库,并且您是否在 Visual Studio 中使用此帐户登录,然后通过此 Visual Studio 运行的应用程序代表您访问密钥保管库的秘密。在发布到 Azure VM 后,我认为您可以尝试通过在服务器中设置环境变量来使用 Environment 身份验证。如果选择这种方式,您需要 创建一个 Azure AD 应用程序,只需创建一个应用程序,然后创建一个 客户端密钥。然后在密钥保管库的访问策略中 添加此应用程序。然后在您的 VM 中,设置环境变量 AZURE_CLIENT_ID AZURE_TENANT_ID AZURE_CLIENT_SECRET,这些值可以在 Azure AD 中获取(客户端 ID 和租户 ID 可以在 Overview 标签页中获取)。

您还可以像 Hank 提到的那样使用托管标识,因此我们需要 为 Azure VM 启用托管标识,然后在 Azure 密钥保管库中为此 Azure VM 资源 添加访问策略。在这种情况下,您不需要创建 Azure AD 应用程序,只需在启用托管标识后将此 Azure VM 添加到访问策略列表中。

如果您不希望允许 VM 访问密钥保管库中的秘密,那么您可以使用 DefaultAzureCredential 文档中提到的其他身份验证机制。

英文:

We can use DefaultAzureCredential to pass the authentication and access the Azure key vault secrets, but DefaultAzureCredential attempts to authenticate via multiple mechanisms. And this is the reason why your code worked well in VS but not work after publishing to VM.

如何通过托管在Azure虚拟机中的.Net Core Web API访问Azure Key Vault的秘密。

You can check the access policy you set in Azure Key vault, for example, you allowed your user account to access this key vault, and you use this account sign in Visual Studio, then the app you run via this Visual studio on behalf you to access key vault secret. After you publish to Azure VM, I think you can try to use Environment authentication by setting environment variable in your server. If you choose this way, you need to create an Azure AD application,just create an application, and create a client secret. Then add this application in the key vault access policy. Then in your VM, set environment variables AZURE_CLIENT_ID AZURE_TENANT_ID AZURE_CLIENT_SECRET, value can get in Azure AD(client id and tenant id can get in Overview blade).

You can also use managed identity like Hank said, so we need to enable managed identity for the Azure VM, then add access policy in Azure key vault for this Azure VM resource. In this scenario, you don't need to create an Azure AD app, you can just add this Azure VM to the access policy list after enabling managed identity.

If you don't want to allow the VM to access key vault secret, then you can use the other mechanisms mentioned in DefaultAzureCredential document to authenticate for your key vault.

答案2

得分: 1

你应该使用分配给虚拟机的托管标识来访问密钥保管库。
有很多教程可以带你一步一步进行操作。

一个例子:https://learn.microsoft.com/en-us/azure/key-vault/general/tutorial-net-create-vault-azure-web-app

英文:

You should use a managed identity assigned to the VM to access the key vault.
There are many tutorials that will take you step-by-step.

One example: https://learn.microsoft.com/en-us/azure/key-vault/general/tutorial-net-create-vault-azure-web-app

huangapple
  • 本文由 发表于 2023年4月7日 02:35:06
  • 转载请务必保留本文链接:https://go.coder-hub.com/75952710.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定