问题描述
我想使用 Azure Key Vault Provider 来填充我的应用程序的配置。将 Microsoft.Azure.Functions.Extensions 1.1.0 与 Azure.Extensions.AspNetCore.Configuration.Secrets 结合使用,我的代码如下所示:
local.settings.json
{
"IsEncrypted": false,"Values": {
"keyvaultUri": "https://meh.vault.azure.net/","TEST:SuperSecret": "secret-name-of-key-vault-entry"
}
}
Startup.cs
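[assembly: FunctionsStartup(typeof(Startup))]
namespace myNamespace
{
    /// <summary>
    /// Function-host startup: binds the <c>TEST</c> configuration section to
    /// <see cref="AppSettingsSecrets"/> and adds Azure Key Vault as a configuration provider.
    /// </summary>
    public class Startup : FunctionsStartup
    {
        /// <summary>Registers <see cref="AppSettingsSecrets"/> options bound from the "TEST" section.</summary>
        /// <param name="builder">Host builder whose service collection receives the options registration.</param>
        public override void Configure(IFunctionsHostBuilder builder)
        {
            builder.Services.AddOptions<AppSettingsSecrets>()
                .Configure<IConfiguration>((cfgSection, cfg) => cfg.GetSection("TEST").Bind(cfgSection));
        }

        /// <summary>
        /// Adds Key Vault, local.settings.json and environment variables as configuration sources.
        /// </summary>
        /// <param name="builder">Configuration builder for the function host.</param>
        /// <exception cref="InvalidOperationException">
        /// Thrown when the <c>keyvaultUri</c> setting is absent, instead of the less helpful
        /// <see cref="ArgumentNullException"/> that <c>new Uri(null)</c> would raise.
        /// </exception>
        /// <remarks>
        /// The Key Vault provider surfaces every vault secret as a configuration key named after the
        /// secret, with "--" in the secret name mapped to ":". It does not treat a local value such as
        /// "TEST:SuperSecret": "secret-name-of-key-vault-entry" as a reference to be dereferenced;
        /// for TEST:SuperSecret to come from the vault, the vault secret must be named TEST--SuperSecret
        /// and the local entry must be removed. Later providers take precedence, so a value with the
        /// same key in local.settings.json or the environment shadows the vault value.
        /// </remarks>
        public override void ConfigureAppConfiguration(IFunctionsConfigurationBuilder builder)
        {
            // Resolve the vault URI from the sources the host has already registered.
            var builtConfig = builder.ConfigurationBuilder.Build();
            var kvEndpoint = builtConfig["keyvaultUri"];
            if (string.IsNullOrWhiteSpace(kvEndpoint))
            {
                throw new InvalidOperationException(
                    "Configuration value 'keyvaultUri' is missing; Key Vault cannot be added as a configuration source.");
            }

            // Managed identity when running in Azure; the Azure CLI login is the fallback for local runs.
            // NOTE(review): ManagedIdentityCredential probes the IMDS endpoint first and may delay
            // local startup until that probe times out — confirm this is acceptable for dev loops.
            var cred = new ChainedTokenCredential(new ManagedIdentityCredential(), new AzureCliCredential());
            var opt = new AzureKeyVaultConfigurationOptions { ReloadInterval = TimeSpan.FromHours(24) };

            builder.ConfigurationBuilder
                .AddAzureKeyVault(new Uri(kvEndpoint), cred, opt)
                .SetBasePath(Environment.CurrentDirectory)
                .AddJsonFile("local.settings.json", optional: true)
                .AddEnvironmentVariables();
            // No trailing Build(): its result was discarded, the host builds the configuration
            // itself, and each Build() lists and fetches every vault secret again.
        }
    }
}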
Functions.cs
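namespace myNamespace
{
    /// <summary>
    /// HTTP-triggered function used to check that <see cref="AppSettingsSecrets"/> was bound from
    /// configuration. Protected by a function key (<c>AuthorizationLevel.Function</c>).
    /// </summary>
    public class SEC
    {
        private readonly IOptions<AppSettingsSecrets> _s;

        /// <param name="s">Options bound from the "TEST" configuration section.</param>
        public SEC(IOptions<AppSettingsSecrets> s) => _s = s;

        /// <summary>
        /// GET /api/sec: logs whether <c>SuperSecret</c> resolved to a non-empty value and returns <c>true</c>.
        /// </summary>
        /// <param name="req">Incoming request; not read.</param>
        /// <param name="log">Function logger.</param>
        /// <returns>An HTTP 200 with body <c>true</c>.</returns>
        /// <remarks>
        /// The secret value itself is deliberately not written to the log: log sinks (console,
        /// Application Insights, files) are far less protected than the vault, and a logged secret is
        /// effectively disclosed. To confirm which source populated it, inspect the value under a
        /// debugger instead.
        /// </remarks>
        [FunctionName(nameof(SEC))]
        public Task<IActionResult> Run([HttpTrigger(AuthorizationLevel.Function, "get", Route = "sec")] HttpRequest req, ILogger log)
        {
            var resolved = !string.IsNullOrEmpty(_s.Value.SuperSecret);
            log.LogInformation("SuperSecret resolved from configuration: {Resolved}", resolved);

            // Nothing is awaited, so return a completed task instead of marking the method async.
            return Task.FromResult<IActionResult>(new OkObjectResult(true));
        }
    }
}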
现在当我调用
iwr http://localhost:7071/api/sec
记录下来的是机密名称 secret-name-of-key-vault-entry 的字面值,而不是 Key Vault 中对应的机密值。
这绝对不是访问策略的问题,因为之前我使用相同的用户主体从同一个保管库中手动查询机密。
我错过了什么?任何帮助表示赞赏。
解决方法
我在 YouTube 上找到了一个可行的解决方案。在这里发帖,也许其他人可能会从中受益。
local.settings.json:此处不再包含任何机密配置值,以免本地条目遮蔽 Key Vault 中的同名键
{
"IsEncrypted": false,"Values": {
"KeyVaultUri": "https://meh.vault.azure.net/",},"Settings": {
"IsProd": false
}
}
AppSettings.cs
namespace myNamespace
{
    /// <summary>
    /// Options bound from the "Settings" configuration section.
    /// Per the post, <see cref="GraphCredential"/> is populated from the vault secret
    /// <c>Settings--GraphCredential</c>, which the Key Vault provider exposes as <c>Settings:GraphCredential</c>.
    /// </summary>
    public class AppSettings
    {
        /// <summary>Whether the app runs against production. Defaults to <c>false</c>.</summary>
        public bool IsProd { get; set; } = false;

        /// <summary>Credential value; defaults to an empty string rather than <c>null</c>.</summary>
        public string GraphCredential { get; set; } = "";
    }
}
然后在 Key Vault 本身中,注册一个名为 Settings--GraphCredential 的机密(两个破折号!)。Key Vault 配置提供程序会把每个机密按其名称加载为配置键,并把名称中的 `--` 映射为 `:`,因此该机密会作为 `Settings:GraphCredential` 绑定到 AppSettings.GraphCredential。提供程序不会把本地配置中的字符串值当作要解析的机密名称——这正是原问题中记录到的是机密名称字面值的原因。
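namespace myNamespace
{
    /// <summary>
    /// Function-host startup: binds the <c>Settings</c> configuration section to
    /// <see cref="AppSettings"/> and adds Azure Key Vault as a configuration provider.
    /// </summary>
    public class Startup : FunctionsStartup
    {
        /// <summary>Registers <see cref="AppSettings"/> options bound from the "Settings" section.</summary>
        /// <param name="builder">Host builder whose service collection receives the options registration.</param>
        public override void Configure(IFunctionsHostBuilder builder)
        {
            builder.Services.AddOptions<AppSettings>()
                .Configure<IConfiguration>((cfgSection, cfg) => cfg.GetSection("Settings").Bind(cfgSection));
        }

        /// <summary>
        /// Adds Key Vault, local.settings.json and environment variables as configuration sources.
        /// </summary>
        /// <param name="builder">Configuration builder for the function host.</param>
        /// <exception cref="InvalidOperationException">
        /// Thrown when the <c>KeyVaultUri</c> setting is absent, instead of the less helpful
        /// <see cref="ArgumentNullException"/> that <c>new Uri(null)</c> would raise.
        /// </exception>
        /// <remarks>
        /// Vault secrets are exposed as configuration keys named after the secret with "--" mapped
        /// to ":", so the secret Settings--GraphCredential becomes Settings:GraphCredential and binds to
        /// AppSettings.GraphCredential. Later providers take precedence, so keep secret keys out of
        /// local.settings.json and the environment or they will shadow the vault value.
        /// </remarks>
        public override void ConfigureAppConfiguration(IFunctionsConfigurationBuilder builder)
        {
            // Resolve the vault URI from the sources the host has already registered.
            var builtConfig = builder.ConfigurationBuilder.Build();
            var kvEndpoint = builtConfig["KeyVaultUri"];
            if (string.IsNullOrWhiteSpace(kvEndpoint))
            {
                throw new InvalidOperationException(
                    "Configuration value 'KeyVaultUri' is missing; Key Vault cannot be added as a configuration source.");
            }

            // Managed identity when running in Azure; the Azure CLI login is the fallback for local runs.
            // NOTE(review): ManagedIdentityCredential probes the IMDS endpoint first and may delay
            // local startup until that probe times out — confirm this is acceptable for dev loops.
            var cred = new ChainedTokenCredential(new ManagedIdentityCredential(), new AzureCliCredential());
            var opt = new AzureKeyVaultConfigurationOptions { ReloadInterval = TimeSpan.FromHours(24) };

            builder.ConfigurationBuilder
                .AddAzureKeyVault(new Uri(kvEndpoint), cred, opt)
                .SetBasePath(Environment.CurrentDirectory)
                .AddJsonFile("local.settings.json", optional: true)
                .AddEnvironmentVariables();
            // No trailing Build(): its result was discarded, the host builds the configuration
            // itself, and each Build() lists and fetches every vault secret again.
        }
    }
}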