如何从AppService访问已禁用公共访问的Azure密钥保管库?

huangapple go评论105阅读模式
英文:

How to access Azure Key Vault with disabled public access from AppService?

问题

我正在尝试从AppService访问存储在Azure Key Vault中的密钥。

  1. 我已禁用了Vault的公共访问。
  2. 我已为我的Azure App Service启用了托管标识。
  3. 我已授予该托管标识对Key Vault的访问权限。
  4. 我已在Key Vault的“防火墙和虚拟网络”选项卡中选中了“允许信任的Microsoft服务绕过此防火墙”。

AppService和Vault都位于同一订阅、同一地区等。

我希望这些步骤(特别是#4)足以获取密钥,但我收到异常消息

"ArgumentException: Keyword not supported: '@microsoft.keyvault(secreturi)'."

是否有一种方法可以在不涉及私有网络/端点等的情况下从Azure Key Vault(已禁用公共访问)中获取密钥?

谢谢!

英文:

I am trying to access key that is stored in Azure Key Vault from AppService.

  1. I have disabled Vault public access.
  2. I have enabled Managed Identity for my Azure App Service.
  3. I have granted that Managed Identity access to the Key Vault.
  4. I have checked 'Allow trusted Microsoft services to bypass this firewall' in the 'Firewalls and virtual networks' tab in Key Vault

Both AppService and Vault are located under one subscription, one region, etc.

I was hoping that these steps(especially #4) will be sufficient to get the key, but I get the exception

"ArgumentException: Keyword not supported: '@microsoft.keyvault(secreturi'."

Is there a way how to get the key from the Azure Key Vault(with disabled public access) from AppService without getting into private networks/endpoints, etc?

Thanks!

答案1

得分: 1

正如您所提到的,

  • 即使我已禁用了密钥保管库的公共访问。
    如何从AppService访问已禁用公共访问的Azure密钥保管库?

  • 启用了托管标识并授予了“托管标识”对密钥保管库的访问权限。

最初,当我尝试在本地从密钥保管库获取密码时,我收到了以下错误。

如何从AppService访问已禁用公共访问的Azure密钥保管库?

据我所知,'@microsoft.keyvault(secreturi'.") 仅在已部署的 Azure App Service => Configuration 中起作用。

请查看以下解决方法以通过在配置部分添加KeyVault引用来检索密钥保管库中的密钥。

在App Service中,选择用户创建托管标识
我的 appsettings.json 文件:

{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*",
  "KeyVaultName": "harshukv18july",
  "SecretKV": "DummyValue"
}

Program.cs 文件:

using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

var builder = WebApplication.CreateBuilder(args);

builder.Configuration.AddAzureKeyVault(
      new Uri($"https://{builder.Configuration["KeyVaultName"]}.vault.azure.net/"),
      new DefaultAzureCredential());

部署应用程序后,使用与 appsettings.json 中相同名称的新 Application Setting 添加(秘密名称 - SecretKV)。

如何从AppService访问已禁用公共访问的Azure密钥保管库?

在这里,我的秘密名称是 SecretKV,因此在 Azure App Service 中添加了相同的应用程序设置。

使用以下代码从 .NET Core 中检索 Azure KeyVault 中的密钥。

.csproj 文件:

 <ItemGroup>
    <PackageReference Include="Azure.Identity" Version="1.9.0" />
    <PackageReference Include="Azure.Extensions.AspNetCore.Configuration.Secrets" Version="1.2.2" />
    <PackageReference Include="Azure.Security.KeyVault.Secrets" Version="4.5.0" />
  </ItemGroup>

.cshtml 中,添加以下行以显示密钥。

<h2>Secret with KeyVault Reference - @myconfig["SecretKV"]</h2>

仅在启用了 Public Access 或创建了 Private endpoint 的情况下,上述配置才有效。

另一个选项是选择以下内容。

  • 您需要为指定的用户添加 Virtual NetworkClient IP

如何从AppService访问已禁用公共访问的Azure密钥保管库?

要在本地获取密钥,请参阅此 SOThread,当启用了对密钥保管库的 public access 时。

英文:

As you have mentioned,

  • Even I have disabled the Key Vault public access.
    如何从AppService访问已禁用公共访问的Azure密钥保管库?

  • Enabled Managed Identity and also granted Managed Identity access to the Key Vault.

Initially I got the below error, when I tried to fetch the Secrets from Key Vault locally.

如何从AppService访问已禁用公共访问的Azure密钥保管库?

AFAIK,
&#39;@microsoft.keyvault(secreturi&#39;.&quot;
)
works only in the deployed Azure App Service => Configuration.

Check the below workaround to retrieve the Secret from KeyVault by adding the KeyVault Reference in Configuration Section.

In App Service, select the User Create a Managed Identity
My appsettings.json file:

{
  &quot;Logging&quot;: {
    &quot;LogLevel&quot;: {
      &quot;Default&quot;: &quot;Information&quot;,
      &quot;Microsoft.AspNetCore&quot;: &quot;Warning&quot;
    }
  },
  &quot;AllowedHosts&quot;: &quot;*&quot;, 
  &quot;KeyVaultName&quot;: &quot;harshukv18july&quot;,
  &quot;SecretKV&quot;: &quot;DummyValue&quot;

}

Program.cs file:

using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

var builder = WebApplication.CreateBuilder(args);

builder.Configuration.AddAzureKeyVault(
      new Uri($&quot;https://{builder.Configuration[&quot;KeyVaultName&quot;]}.vault.azure.net/&quot;),
      new DefaultAzureCredential());

After deploying the App, add the new Application Setting with the same name as in appsettings.json (secret name - SecretKV).

如何从AppService访问已禁用公共访问的Azure密钥保管库?

Here my secret name is SecretKV, so added the same Application Setting in Azure App Service.

Use the below code to fetch the secret value from Azure KeyVault in .NET Core.

.csproj file:

 &lt;ItemGroup&gt;
    &lt;PackageReference Include=&quot;Azure.Identity&quot; Version=&quot;1.9.0&quot; /&gt;
    &lt;PackageReference Include=&quot;Azure.Extensions.AspNetCore.Configuration.Secrets&quot; Version=&quot;1.2.2&quot; /&gt;
    &lt;PackageReference Include=&quot;Azure.Security.KeyVault.Secrets&quot; Version=&quot;4.5.0&quot; /&gt;
  &lt;/ItemGroup&gt;

In .cshtml, add the below line to dispaly the secret.

&lt;h2&gt;Secret with KeyVault Reference - @myconfig[&quot;SecretKV&quot;]&lt;/h2&gt;

The above configuration works only when deployed in App Service by enabling Public Access or by creating the Private endpoint.

Another option can be by selecting the below.

  • You need to add the Virtual Network and Client IP for the specified users.

如何从AppService访问已禁用公共访问的Azure密钥保管库?

To get the Secret locally refer this SOThread, when public access to the KeyVault is enabled.

huangapple
  • 本文由 发表于 2023年7月13日 22:53:40
  • 转载请务必保留本文链接:https://go.coder-hub.com/76680786.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定