Problem description
I am trying to create an Azure Key Vault using .NET Core 2.1 with OpenIdConnect.
What I have tried:-
I tried to refer to the following questions that have already been answered on Stack Overflow
- Creating Azure Key Vault using .NET assembly (Microsoft.Azure.KeyVault)
- Azure Key Vault - programmatic creation
and others
NuGet package:- Microsoft.Azure.Management.KeyVault
Code:-
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.Azure.Management.KeyVault;
using Microsoft.Azure.Management.KeyVault.Models;

private async Task AddKeyVaultAsync()
{
    var clientId = "xxxx";
    var tenantId = "xxxx";
    var clientSecret = "xxxx";
    var objectId = "xxxx";
    var subscriptionId = "xxx";
    // The resource group to create the vault in.
    string resourceGroupName = "Vaults-Resource-Group";
    // The name of the vault to create.
    string vaultName = "web-app-01-vault";
    var parameters = new VaultCreateOrUpdateParameters()
    {
        Location = "southeast asia",
        Properties = new VaultProperties()
        {
            TenantId = Guid.Parse(tenantId),
            AccessPolicies = new List<AccessPolicyEntry>()
            {
                new AccessPolicyEntry
                {
                    TenantId = Guid.Parse(tenantId),
                    ObjectId = objectId,
                    Permissions = new Permissions
                    {
                        Secrets = new List<string> { "all" },
                        Keys = new string[] { "all" }
                    }
                }
            }
        }
    };
    // problem in following line: `token` has not been obtained anywhere yet
    var tokenCredentials = new TokenCloudCredentials(subscriptionId, token);
    var keyVaultManagementClient = new KeyVaultManagementClient(tokenCredentials);
    // Create the vault
    await keyVaultManagementClient.Vaults.CreateOrUpdateAsync(resourceGroupName, vaultName, parameters);
}
But I am stuck at
//problem in the following line
var tokenCredentials = new TokenCloudCredentials(subscriptionId, token);
How do I create the token (the parameter of TokenCloudCredentials) and the TokenCloudCredentials? Which NuGet package should I use to create TokenCloudCredentials?
I also tried using:-
IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
    .Create(clientId)
    .WithTenantId(tenantId)
    .WithClientSecret(clientSecret)
    .Build();
to create the KeyVaultManagementClient, but I am not sure what to do with it.
Is there another (better) way to create the KeyVaultManagementClient?
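One way to get from a client ID and secret to a working management client, as an added example that is not the asker's code and not the answer below: the token is acquired with the MSAL client-credentials flow for the Azure Resource Manager audience, wrapped in Microsoft.Rest.TokenCredentials (the credential type the current Microsoft.Azure.Management.KeyVault SDK accepts, in place of the legacy TokenCloudCredentials), and the subscription is set on the client. It assumes the Microsoft.Identity.Client and Microsoft.Azure.Management.KeyVault packages, and the environment variable names are chosen for this example.

```csharp
// Added example, not the asker's or the answerer's code: acquire an ARM token with the
// MSAL client-credentials flow and create a vault with Microsoft.Azure.Management.KeyVault.
// Assumed packages: Microsoft.Identity.Client, Microsoft.Azure.Management.KeyVault
// (which brings in Microsoft.Rest.ClientRuntime). Environment variable names are chosen here.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.Azure.Management.KeyVault;
using Microsoft.Azure.Management.KeyVault.Models;
using Microsoft.Identity.Client;
using Microsoft.Rest;

public static class VaultProvisioner
{
    // Management-plane scope. A Graph token (https://graph.microsoft.com/.default) is
    // rejected by ARM; each API needs a token issued for its own audience.
    private const string ArmScope = "https://management.azure.com/.default";

    public static async Task<string> AcquireArmTokenAsync(string tenantId, string clientId, string clientSecret)
    {
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .WithClientSecret(clientSecret)
            .Build();

        AuthenticationResult result = await app.AcquireTokenForClient(new[] { ArmScope }).ExecuteAsync();
        return result.AccessToken;   // the property is AccessToken, not accessToken
    }

    public static async Task<Vault> CreateVaultAsync(
        string accessToken, string subscriptionId, string tenantId,
        string resourceGroupName, string vaultName, string location, string appObjectId)
    {
        // TokenCredentials (Microsoft.Rest) wraps the bearer token for the management SDK;
        // the subscription is set on the client rather than passed with the credential.
        var client = new KeyVaultManagementClient(new TokenCredentials(accessToken))
        {
            SubscriptionId = subscriptionId
        };

        var parameters = new VaultCreateOrUpdateParameters
        {
            Location = location,
            Properties = new VaultProperties
            {
                TenantId = Guid.Parse(tenantId),
                Sku = new Sku(SkuName.Standard),   // required by the ARM API
                EnableSoftDelete = true,           // deleted secrets stay recoverable
                AccessPolicies = new List<AccessPolicyEntry>
                {
                    new AccessPolicyEntry
                    {
                        TenantId = Guid.Parse(tenantId),
                        ObjectId = appObjectId,
                        // Least privilege: grant only what the app needs rather than "all".
                        Permissions = new Permissions { Secrets = new List<string> { "get", "list" } }
                    }
                }
            }
        };

        return await client.Vaults.CreateOrUpdateAsync(resourceGroupName, vaultName, parameters);
    }

    public static async Task Main()
    {
        // Credentials come from the environment so that none are hard-coded in source.
        string tenantId = Environment.GetEnvironmentVariable("AZURE_TENANT_ID");
        string clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");
        string clientSecret = Environment.GetEnvironmentVariable("AZURE_CLIENT_SECRET");
        string subscriptionId = Environment.GetEnvironmentVariable("AZURE_SUBSCRIPTION_ID");
        string appObjectId = Environment.GetEnvironmentVariable("APP_OBJECT_ID");

        string token = await AcquireArmTokenAsync(tenantId, clientId, clientSecret);
        Vault vault = await CreateVaultAsync(token, subscriptionId, tenantId,
            "Vaults-Resource-Group", "web-app-01-vault", "southeastasia", appObjectId);

        Console.WriteLine($"Created vault {vault.Name} at {vault.Properties.VaultUri}");
    }
}
```

The service principal used to create the vault needs a role on the resource group that allows `Microsoft.KeyVault/vaults/write` (Key Vault Contributor or Contributor); the access policy inside the vault is a separate, data-plane grant, which is why the example keeps it to `get` and `list` on secrets.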
Solution
The following code shows how to obtain an access token using the client credentials flow.
using Microsoft.Identity.Client;

var app = ConfidentialClientApplicationBuilder.Create(config.ClientId)
    .WithAuthority(AzureCloudInstance.AzurePublic, "{tenantID}")
    .WithClientSecret(config.ClientSecret)
    .Build();
// Scope for the API the token will be presented to (here Microsoft Graph).
string[] scopes = new string[] { "https://graph.microsoft.com/.default" };
var result = await app.AcquireTokenForClient(scopes).ExecuteAsync();
var token = result.AccessToken;
For more details, see here.
Update:
Sample for creating a Key Vault using .NET Core 2.1:-
- Before accessing Key Vault from code, make sure MSI (Managed Service Identity) is configured in Azure.
- To enable Azure Key Vault, you need to install the packages below.
PM> Install-Package Azure.Security.KeyVault.Secrets
PM> Install-Package Microsoft.Extensions.Configuration.AzureKeyVault
PM> Install-Package Azure.Identity
PM> Install-Package Azure.Extensions.AspNetCore.Configuration.Secrets
- Enable app configuration in Program.cs: update the CreateWebHostBuilder method by calling the config.AddAzureAppConfiguration() method.
#region Imports
using Microsoft.AspNetCore.Hosting;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureKeyVault;
using Microsoft.Extensions.Hosting;
#endregion

namespace AzureKeyVaultLabs.Web
{
    public class Program
    {
        public static void Main(string[] args)
        {
            CreateHostBuilder(args).Build().Run();
        }

        public static IHostBuilder CreateHostBuilder(string[] args) =>
            Host.CreateDefaultBuilder(args)
                .ConfigureAppConfiguration((context, config) =>
                {
                    var settings = config.Build();
                    // Only wire up Key Vault outside Development, where the managed identity exists.
                    if (!context.HostingEnvironment.IsDevelopment())
                    {
                        var keyVaultEndpoint = settings["AzureKeyVaultEndpoint"];
                        if (!string.IsNullOrEmpty(keyVaultEndpoint))
                        {
                            // AzureServiceTokenProvider obtains the Key Vault token from the managed identity.
                            var azureServiceTokenProvider = new AzureServiceTokenProvider();
                            var keyVaultClient = new KeyVaultClient(
                                new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
                            config.AddAzureKeyVault(keyVaultEndpoint, keyVaultClient, new DefaultKeyVaultSecretManager());
                        }
                    }
                });
    }
}
- For Azure Function apps
using System;
using Azure.Identity;
using Microsoft.Azure.Functions.Extensions.DependencyInjection;
using Microsoft.Extensions.Configuration;

// Registers this class so the Functions host runs it at startup.
[assembly: FunctionsStartup(typeof(Startup))]

public class Startup : FunctionsStartup
{
    // Required abstract member of FunctionsStartup; no extra services are registered here.
    public override void Configure(IFunctionsHostBuilder builder)
    {
    }

    public override void ConfigureAppConfiguration(IFunctionsConfigurationBuilder builder)
    {
        if (builder != null)
        {
            //give your app configuration store endpoint
            string connectionString = Environment.GetEnvironmentVariable("AppConfigurationConnectionString");
            if (!string.IsNullOrEmpty(connectionString))
            {
                builder.ConfigurationBuilder.AddAzureAppConfiguration(connectionString);
            }
            var settings = builder.ConfigurationBuilder.Build();
            var keyVaultEndpoint = settings["VaultName"]; // Add key vault name in configuration
            if (!string.IsNullOrEmpty(keyVaultEndpoint))
            {
                // DefaultAzureCredential uses the managed identity in Azure and developer logins locally.
                builder.ConfigurationBuilder
                    .SetBasePath(Environment.CurrentDirectory)
                    .AddAzureKeyVault(new Uri(keyVaultEndpoint), new DefaultAzureCredential())
                    .AddEnvironmentVariables()
                    .Build();
            }
        }
    }
}
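The update's samples pull secrets into configuration at startup; the same packages it lists (Azure.Security.KeyVault.Secrets and Azure.Identity) can also read a single secret on demand over the data plane. The following is an added example, not code from the answer: it uses DefaultAzureCredential, so it picks up the managed identity in Azure and a developer sign-in locally, and it turns the two failures the update warns about (no MSI configured, identity not in the vault's access policy) into explicit errors. The KEY_VAULT_URI variable name and the secret name are assumptions for this example.

```csharp
// Added example, not from the original post: read one secret over the Key Vault data plane
// with Azure.Security.KeyVault.Secrets and Azure.Identity (packages listed in the update).
// Assumes the vault URI is in the KEY_VAULT_URI environment variable (name chosen here) and
// that the running identity has the "get" secret permission on the vault.
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class SecretReader
{
    public static async Task<string> ReadSecretAsync(Uri vaultUri, string secretName)
    {
        // DefaultAzureCredential tries the managed identity in Azure and falls back to
        // Visual Studio / Azure CLI logins locally, so no client secret is stored in the app.
        var client = new SecretClient(vaultUri, new DefaultAzureCredential());
        try
        {
            KeyVaultSecret secret = await client.GetSecretAsync(secretName);
            return secret.Value;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // Typical when MSI is enabled but the identity was never added to the vault's access policy.
            throw new InvalidOperationException(
                $"Identity is not authorised to read '{secretName}'; grant it the 'get' secret permission on the vault.", ex);
        }
        catch (CredentialUnavailableException ex)
        {
            // No managed identity and no developer login available.
            throw new InvalidOperationException(
                "No Azure credential available: enable a managed identity or sign in locally.", ex);
        }
    }

    public static async Task Main()
    {
        var vaultUri = new Uri(Environment.GetEnvironmentVariable("KEY_VAULT_URI"));
        string value = await ReadSecretAsync(vaultUri, "ExampleConnectionString"); // assumed secret name
        // Print only the length: secret values should not end up in logs or console output.
        Console.WriteLine($"Read secret with {value.Length} characters");
    }
}
```

Creating the vault (management plane, ARM token, RBAC on the resource group) and reading its secrets (data plane, vault token, access policy on the vault) are authorised independently; an identity that can do one is not automatically allowed to do the other.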