Azure - Is it possible to set environment variables with Enterprise Applications?


Question


In our project, we do not use App Registrations, instead we use Enterprise applications in Azure.

I am trying to access a secret from Azure Key Vault in local development(.NET Core), which requires DefaultAzureCredential which in turn uses environment variables namely AZURE_CLIENT_ID, AZURE_CLIENT_SECRET/AZURE_CLIENT_CERTIFICATE_PATH, and AZURE_TENANT_ID. AZURE_CLIENT_SECRET is present in App Registration only.

Is it possible to setup environment variables with Enterprise Applications?

If not, is there any way to access the secret in Azure Key Vault using .NET Core?

Answer 1

Score: 1

When we want to access an Azure KeyVault secret, we have to grant an access policy. Generally, we can grant an access policy to Azure AD applications, specific users/groups, and ManagedIdentity instances.


When we want to use DefaultAzureCredential, we have the option to set client id/client secret/tenant id for an Azure AD app; since you don't have the client secret, maybe this is not available for you. Then we can also use a user credential. I think it's good for us to use this when we test the code on a local machine: all we need to do is add an access policy for a user, then sign in to Visual Studio with that user, and then we can simply get authorized to access the vault secret with the code below:


using System;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public async Task<string> IndexAsync()
{
    const string secretName = "clientsecret";
    var kvUri = "https://keyvaultname.vault.azure.net/";
    // On a developer machine this resolves to the user signed in to Visual Studio,
    // so no AZURE_CLIENT_SECRET environment variable is needed.
    var credential = new DefaultAzureCredential();
    var client = new SecretClient(new Uri(kvUri), credential);
    var secret = await client.GetSecretAsync(secretName);
    string secretValue = secret.Value.Value;
    return secretValue;
}


We can also use ManagedIdentity, but this requires the app to be hosted in Azure. Just follow this official document. It also contains a sample inside the document.

builder.Configuration.AddAzureKeyVault(
    new Uri("https://vaultName.vault.azure.net/"),
    new DefaultAzureCredential(
        new DefaultAzureCredentialOptions { ManagedIdentityClientId = "userManagedIdentityClientId" } // required when using a user-assigned ManagedIdentity
    ));
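The answer above relies on DefaultAzureCredential quietly falling through to the signed-in Visual Studio user locally and to the managed identity in Azure. The following is an added example, not code from the original answer or from the Azure SDK documentation, that makes the same two paths explicit so that the client-secret environment variables are never consulted, and that distinguishes the two failures a developer usually hits: no local identity at all, versus an identity that is authenticated but has not been granted an access policy on the vault. It assumes the Azure.Identity and Azure.Security.KeyVault.Secrets NuGet packages; the vault name, secret name and managed identity client id are placeholders.

```csharp
// Added example (not part of the original answer). Assumes NuGet packages
// Azure.Identity and Azure.Security.KeyVault.Secrets. Vault/secret names are placeholders.
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class KeyVaultAccess
{
    // Build a credential that never reads AZURE_CLIENT_SECRET / AZURE_CLIENT_CERTIFICATE_PATH.
    // Locally: the user signed in to Visual Studio, falling back to the Azure CLI (az login).
    // In Azure: the user-assigned managed identity with the given client id, or the
    // system-assigned identity when no client id is supplied.
    public static TokenCredential BuildCredential(bool runningInAzure, string managedIdentityClientId = null)
    {
        if (runningInAzure)
        {
            return managedIdentityClientId is null
                ? new ManagedIdentityCredential()
                : new ManagedIdentityCredential(managedIdentityClientId);
        }

        return new ChainedTokenCredential(
            new VisualStudioCredential(),
            new AzureCliCredential());
    }

    // Read one secret and translate the two common failure modes into actionable errors.
    public static async Task<string> GetSecretAsync(string vaultName, string secretName, TokenCredential credential)
    {
        var client = new SecretClient(new Uri($"https://{vaultName}.vault.azure.net/"), credential);
        try
        {
            KeyVaultSecret secret = await client.GetSecretAsync(secretName);
            return secret.Value;
        }
        catch (CredentialUnavailableException ex)
        {
            // Nothing in the chain could produce a token: nobody is signed in on this machine.
            throw new InvalidOperationException(
                "No local identity available; sign in to Visual Studio or run 'az login'.", ex);
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // Authenticated, but the identity has no access policy (or RBAC role) for secrets on this vault.
            throw new InvalidOperationException(
                $"The current identity may not read secrets in '{vaultName}'; grant it Get on secrets.", ex);
        }
    }

    public static async Task Main()
    {
        // Placeholder values; "keyvaultname" and "clientsecret" mirror the names used in the answer above.
        bool runningInAzure = Environment.GetEnvironmentVariable("WEBSITE_SITE_NAME") is not null; // set by App Service
        TokenCredential credential = BuildCredential(runningInAzure, managedIdentityClientId: null);
        string value = await GetSecretAsync("keyvaultname", "clientsecret", credential);
        Console.WriteLine($"Fetched secret of length {value.Length}"); // never log the secret itself
    }
}
```

The explicit ChainedTokenCredential does the same job as DefaultAzureCredential with ExcludeEnvironmentCredential = true in DefaultAzureCredentialOptions, but it makes the intended identities visible in code review: a developer machine authenticates as a person whose access policy can be audited and revoked, and production authenticates as a managed identity, so no client secret ever needs to exist for the Enterprise Application.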

huangapple
  • Posted on 18 May 2023 01:19:59
  • Please keep this link when reposting: https://go.coder-hub.com/76274668.html