英文:
Azure Service authentication in Visual Studio 2022 works even after sign out
问题
我正在进行一个ASP.NET Core Web API项目。在这个项目中,我使用Azure.Security.KeyVault.Secrets的SecretClient类来从密钥保管库中获取秘密。
我能够在使用我的个人Microsoft帐户登录Visual Studio和未登录Visual Studio时从密钥保管库中获取秘密。我想知道SecretClient类是如何验证用户的?它如何能够获取Azure AD令牌,以便在不登录Visual Studio的情况下使用Azure密钥保管库进行身份验证以检索秘密?
以下是我在Program.cs(.NET 6)文件中用于注入SecretClient依赖项的代码:
using backendapp.Services.Contracts;
using backendapp.Services;
using Microsoft.Extensions.Azure;
using backendapp.Services.Repository;
namespace backendapp;
public class Program
{
public static void Main(string[] args)
{
var builder = WebApplication.CreateBuilder(args);
// Add services to the container.
builder.Services.AddControllers();
// Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();
builder.Services.AddAzureClients(azureClientFactoryBuilder =>
{
azureClientFactoryBuilder.AddSecretClient(builder.Configuration.GetSection("KeyVault"));
});
builder.Services.AddSingleton<IKeyVaultManager, KeyVaultManager>();
builder.Services.AddSingleton<IDocumentClientWrapper, DocumentClientWrapper>();
builder.Services.AddSingleton<IDbManager, DbManager>();
builder.Services.AddSingleton<IEmployeeRepository, EmployeeRepository>();
var app = builder.Build();
// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment())
{
app.UseSwagger();
app.UseSwaggerUI();
}
app.UseHttpsRedirection();
app.UseAuthorization();
app.MapControllers();
app.Run();
}
}
此外,在appsettings.json中,我有一个名为KeyVault的部分,其中只有一个VaultUri条目。
以下是我使用SecretClient类的KeyVaultManager类:
public class KeyVaultManager : IKeyVaultManager
{
private SecretClient _secretClient;
public KeyVaultManager(SecretClient secretClient)
{
_secretClient = secretClient;
}
public async Task<string> GetSecretAsync(string secretName)
{
try
{
KeyVaultSecret keyVaultSecret = await _secretClient.GetSecretAsync(secretName);
return keyVaultSecret.Value;
}
catch (Exception ex)
{
throw;
}
}
}
我想知道如何在未登录Visual Studio的情况下,我能够使用我的个人帐户从密钥保管库中获取秘密。
英文:
I'm working on an ASP.NET Core Web API project. In this project I'm using Azure.Security.KeyVault.Secrets's SecretClient class to fetch secrets from a key vault.
I'm able to fetch the secrets from key vault when I signed in into Visual Studio using my personal Microsoft account as well as without sign in into Visual Studio. I wanted to know how SecretClient class authenticates the user? How it is able to get Azure AD token to authenticate itself with Azure key vault to retrieve secret even without signing into Visual Studio?
Below is the code I have used in Program.cs (.NET 6) file to inject the SecretClient dependency:
using backendapp.Services.Contracts;
using backendapp.Services;
using Microsoft.Extensions.Azure;
using backendapp.Services.Repository;
namespace backendapp;
public class Program
{
public static void Main(string[] args)
{
var builder = WebApplication.CreateBuilder(args);
// Add services to the container.
builder.Services.AddControllers();
// Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();
builder.Services.AddAzureClients(azureClientFactoryBuilder =>
{
azureClientFactoryBuilder.AddSecretClient(builder.Configuration.GetSection("KeyVault"));
});
builder.Services.AddSingleton<IKeyVaultManager, KeyVaultManager>();
builder.Services.AddSingleton<IDocumentClientWrapper, DocumentClientWrapper>();
builder.Services.AddSingleton<IDbManager, DbManager>();
builder.Services.AddSingleton<IEmployeeRepository, EmployeeRepository>();
var app = builder.Build();
// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment())
{
app.UseSwagger();
app.UseSwaggerUI();
}
app.UseHttpsRedirection();
app.UseAuthorization();
app.MapControllers();
app.Run();
}
}
Also in appsettings.json, I have a section KeyVault which has just a VaultUri entry.
Below is my KeyVaultManager class which uses the SecretClient class
public class KeyVaultManager : IKeyVaultManager
{
private SecretClient _secretClient;
public KeyVaultManager(SecretClient secretClient)
{
_secretClient = secretClient;
}
public async Task<string> GetSecretAsync(string secretName)
{
try
{
KeyVaultSecret keyVaultSecret = await _secretClient.GetSecretAsync(secretName);
return keyVaultSecret.Value;
}
catch(Exception ex)
{
throw;
}
}
}
I wanted to know how I'm able to fetch secrets from keyvault under my personal account even without signing in to Visual Studio.
答案1
得分: 1
Azure身份验证使用各种方法对Azure服务进行身份验证,按照特定顺序尝试它们。
您可以查看AzureDefaultCredentials文档,了解不同的机制以及它们尝试的顺序。
很可能您仍然使用Azure Cli登录。
英文:
Azure authentication utilizes various methods to authenticate with Azure services, attempting them in a specific order.
You can check out the AzureDefaultCredentials documentation to see the different mechanisms and the sequence in which they are tried.
It is very likely that you are still logged in with Azure Cli.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论