英文:
How does an app recognize secrets in a key vault using the same syntax as locally?
问题
我正在使用 dotnet user-secrets init/set 命令来管理密钥(如此处所述)。现在,因为我将要部署到Azure,我想使用密钥保管库(如此处所述)通过 az keyvault create/set 命令进行配置。
自然地,我希望在本地设置的秘密,如以下方式创建:
dotnet user-secrets set "Foot:Left" "Stinks"
dotnet user-secrets set "Foot:Right" "Stinks2"
在Azure中取得与以下设置的值:
az keyvault secret set --vault-name "kv-shhh" --name "Foot--Left" --value "Stinks"
az keyvault secret set --vault-name "kv-shhh" --name "Foot--Right" --value "Stinks2"
我在文档中找不到的信息是代码将如何知道要使用哪个密钥保管库。在我的情况下,我只有一个,即 kv-hush-hush,但可能在另一个资源组中有其他密钥保管库。实际上,它们可能是我资源组中的密钥保管库。
一位同事建议策略可能是仅从应用程序所在的资源组中选择秘密(如果有多个,这些值可能会以某种方式相互影响)。然而,在寻找有关该理论的任何确认或否定时,我们一无所获。
我如何告诉应用程序在从云端提供时使用密钥保管库中的值?
我看到了像这样的解决方案,但这依赖于密钥保管库同时用于本地开发和托管的生产环境。我更倾向于在我的设备上保留我的密钥,以便不依赖于互联网连接。
编辑
根据评论和AddAzureKeyVault(...)的文档,我将以下示例添加到了我的 Program.cs 文件中。
string vaultName = "kv-name-on-my-vault";
string vaultUri = $"https://{vaultName}.vault.azure.net/";
builder.Configuration.AddAzureKeyVault(
new Uri(vaultUri),
new DefaultAzureCredential());
然而,我相当确定它不会让我获取密钥。否则,拥有 vaultName 的任何人都能够获取。我漏掉了什么?
我感觉到这由密钥保管库属性中的 访问策略 部分控制。然而,我对如何告诉保管库我的应用程序(或者可能是其资源组中的任何应用程序)可以信任以读取保管库感到不确定。此外,我完全不知道如何解释我的本地应用程序应该被允许进入保管库。
我怀疑文档中涵盖了这一点,但由于对Azure密钥保管库的经验不足,我没有看到它。
英文:
I'm managing secrets by dotnet user-secrets init/set command (as documented here). Now, as I'll be deploying to Azure, I want to use the key vault (as documented here) configured by az keyvault create/set.
Naturally, what I want is that the locally set secret created like this:
dotnet user-secrets set "Foot:Left" "Stinks"
dotnet user-secrets set "Foot:Right" "Stinks2"
will in Azure pick the values set by the following:
az keyvault secret set --vault-name "kv-shhh" --name "Foot--Left" --value "Stinks"
az keyvault secret set --vault-name "kv-shhh" --name "Foot--Right" --value "Stinks2"
What I can't see in the docs is the infromation on how the code will know which key vault to use. In my case, I only have a single one, the kv-hush-hush but there might be other key vaults in another resource groups. They may in fact, be key vaults in my resource group.
A colleague suggested that the strategy may be to only pick secrets from within the resource group the application is served from (and if there are multiple ones, they values would impose onto each other somehow). However, looking for any confirmation or refutal of that theory, we found nothing.
How do I tell the application to use the values from the key vault once I serve it from the cloud?
I've seen solutions like this one but that's relying on the key vault for both local development and hosted production. I'd prefer to have my secrets on my machine so I don't rely on the internet connection.
edit
Based on the comments and docs for AddAzureKeyVault(...), I added the following sample to my Program.cs.
string vaultName = "kv-name-on-my-vault";
string vaultUri = $"https://{vaultName}.vault.azure.net/";
builder.Configuration.AddAzureKeyVault(
new Uri(vaultUri),
new DefaultAzureCredential());
However, I'm pretty certain that it won't let me get the keys. Otherwise, anybody with the valutName would be able to. What am I missing?
I'm sensing that it's controlled by the Access policies section in the properties of the key vault. However, I feel unsure how to explain to the vault that my application (or, possibly, any application in its resource group) is trusted to read the vault. Also, I feel totally lost how I'd explain than my local application should be let into the vault.
I suspect that the docs cover that but I'm not seeing it due to lack of experience with the Azure key vaults.
答案1
得分: 1
如下图所示,您可以向您的ASP.NET应用程序添加许多配置来源,当您添加AKV时,它将添加到此配置设置中。在这种情况下,基于AKV的配置将在命令行参数之后被强制执行(最后添加的原则最为重要)。
关于安全性,默认情况下,它使用DefaultAzureCredential类获取您的Azure凭据,并在您的计算机周围查找您的Azure凭据,并将其用于允许您访问AKV。
只有具有正确凭据的用户才能访问它。
如果启用,则DefaultAzureCredential将按以下顺序搜索这些来源:
- EnvironmentCredential
- WorkloadIdentityCredential
- ManagedIdentityCredential
- AzureDeveloperCliCredential
- SharedTokenCacheCredential
- VisualStudioCredential
- VisualStudioCodeCredential
- AzureCliCredential
- AzurePowerShellCredential
- InteractiveBrowserCredential
英文:
As the image below shows, you can add many configuration sources to your ASP.NET Application, and when you add AKV, it is added to this configuration setup. In this case, the AKV based configuration will be imposed at the end, after command line arguments (the principle of latest addition being most significant).
Regarding security, by default, it gets your Azure credentials using the DefaultAzureCredential Class, and it will look around your machine for your Azure Credentials and uses it to allow you access to AKV.
Only users with the correct credentials can access it.
If enabled, then
DefaultAzureCredential will search these sources (in order):
- EnvironmentCredential
- WorkloadIdentityCredential
- ManagedIdentityCredential
- AzureDeveloperCliCredential
- SharedTokenCacheCredential
- VisualStudioCredential
- VisualStudioCodeCredential
- AzureCliCredential
- AzurePowerShellCredential
- InteractiveBrowserCredential
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论