
How to access Key Vault with Azure Managed Service Identity in node?

I followed the instructions here to create a Managed Service Identity. So now in my environment variables I have MSI_ENDPOINT and MSI_SECRET.

In my TypeScript (node.js) project, I imported the following:

import {KeyVaultCredentials, KeyVaultClient} from "azure-keyvault";
import {AuthenticationContext, ErrorResponse, TokenResponse} from "adal-node";

If I wasn't using MSI, I could access my key vault using the following code:

let keyVaultCredentials = new KeyVaultCredentials(KeyVault.createAuthenticator(this.clientID, this.clientKey));
let keyVaultClient = new KeyVaultClient(keyVaultCredentials);

// Static method of the asker's own KeyVault wrapper class (referenced above as KeyVault.createAuthenticator).
// Returns the authenticator callback that azure-keyvault invokes on each 401 challenge.
private static createAuthenticator(clientID: string, clientKey: string) {
    return (challenge, callback) => {
        // challenge.authorization is the AAD authority, challenge.resource the Key Vault resource URI
        let context = new AuthenticationContext(challenge.authorization);
        return context.acquireTokenWithClientCredentials(
            challenge.resource,
            clientID,
            clientKey,
            function (err, tokenResponse: TokenResponse | ErrorResponse) {
                if (err) {
                    CLogger.log("error", "Error occurred while acquiring token with key vault credentials: " + JSON.stringify(err));
                    throw new Error("Error occurred while acquiring token with key vault credentials. Check log files");
                }
                if (<TokenResponse>tokenResponse) {
                    // Key Vault expects "<tokenType> <accessToken>" as the Authorization header value
                    let authorizationValue = (<TokenResponse>tokenResponse).tokenType + " " + (<TokenResponse>tokenResponse).accessToken;
                    return callback(null, authorizationValue);
                }
            });
    }
}

I have no idea how to get an access token with MSI enabled, please help.

With the new Azure SDK for JS, you can authenticate your application with managed identity by using the DefaultAzureCredential class from the @azure/identity package.

const {DefaultAzureCredential} = require('@azure/identity');
const {SecretClient} = require('@azure/keyvault-secrets');

// DefaultAzureCredential picks the credential source from the environment (see below)
const credential = new DefaultAzureCredential();
const vaultName = "<key-vault-name>";
const url = `https://${vaultName}.vault.azure.net`;

const client = new SecretClient(url, credential);
const secretName = "<secret-name>";
client.setSecret(secretName, "MySecretValue");
........

It supports both service principal and managed identity authentication.

To run it on a local environment you must set three environment variables: AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET, to be able to connect with a service principal.

On Azure, if those variables are not defined, it will try to authenticate with managed identity.

There is a quickstart guide here.

Using the loginWithAppServiceMSI() method from ms-rest-azure will autodetect if you're on a WebApp and get the token from the MSI endpoint. Then, the code is simply:

const msRestAzure = require('ms-rest-azure');
const KeyVault = require('azure-keyvault');

// Vault URI placeholder; the secret name below is also illustrative.
const KEY_VAULT_URI = 'https://<key-vault-name>.vault.azure.net/';

function getKeyVaultCredentials(){
    // Detects the App Service MSI endpoint and requests a token for the Key Vault resource
    return msRestAzure.loginWithAppServiceMSI({resource: 'https://vault.azure.net'});
}

function getKeyVaultSecret(credentials) {
    let keyVaultClient = new KeyVault.KeyVaultClient(credentials);
    // Empty version string returns the latest version of the secret
    return keyVaultClient.getSecret(KEY_VAULT_URI, 'secret', "");
}

getKeyVaultCredentials().then(
    getKeyVaultSecret
).then(function (secret){
    console.log(`Your secret value is: ${secret.value}.`);
}).catch(function (err) {
    throw (err);
});

I'd recommend checking the full documentation here.
