[英]Azure - authenticating to KeyVault using Service Principle returns an Unauthorized exception
I'm trying to access KeyVault from an .net Core console application, using a Service Principle (I have the App Id and App Secret ). 我正在尝试使用服务原则(我有App Id和App Secret )从.net Core控制台应用程序访问KeyVault。 Here's my code:
这是我的代码:
var client = new KeyVaultClient(GetAccessToken);
var secret = client.GetSecretAsync("https://{keyvaultName}.vault.azure.net", "MySecret").Result;
Which calls back to this function: 哪个回调函数:
private static async Task<string> GetAccessToken(string authority, string resource, string scope)
{
var context = new AuthenticationContext(authority, TokenCache.DefaultShared);
var credential = new ClientCredential(clientId: appId, clientSecret: appSecret);
var authResult = await context.AcquireTokenAsync(resource, credential);
return authResult.AccessToken;
}
Calling GetSecretAsync returns an " AccessDenied " exception. 调用GetSecretAsync会返回“ AccessDenied ”异常。 Modifying the code to use this callback yeilds an " Unauthorized " exception:
修改代码以使用此回调会产生“ 未经授权 ”的异常:
private static async Task<string> GetAccessToken(string authority, string resource, string scope)
{
var context = new AuthenticationContext(authority, TokenCache.DefaultShared);
var credential = new ClientCredential(clientId: appId, clientSecret: appSecret);
**var authResult = await context.AcquireTokenAsync("https://management.core.windows.net/", credential);**
return authResult.AccessToken;
}
I setup the Service Principle by going to Azure > AAD > App Registrations , noted the App Id and password (App Secret) when I setup the Principle. 我通过转到Azure> AAD>应用程序注册来设置服务原则,在设置原则时记下应用程序ID和密码(App Secret)。
Then in KeyVault, I added the principle to Access Control (IAM), with contributor rights, but still no joy! 然后在KeyVault中,我添加了访问控制(IAM)的原则,具有贡献者权限,但仍然没有快乐!
Has anyone come across this scenario before? 有没有人遇到过这种情况?
Thanks! 谢谢! :)
:)
"Access Control (IAM)" controls access to the vault itself. “访问控制(IAM)”控制对文件库本身的访问。 There is a separate way to control access to the contents of the vaults (ie: the keys, secrets, and certificates).
有一种单独的方法可以控制对保管库内容的访问(即:密钥,密钥和证书)。 As mentioned in these docs , we can authorize a given AAD application to retrieve secrets in a given vault in the Azure Portal by navigating to the desired vault, selecting "Access policies", clicking on "Add new", and then searching for your service principal.
如这些文档中所述 ,我们可以授权给定的AAD应用程序通过导航到所需的保管库,选择“访问策略”,单击“添加新”,然后搜索您的服务来检索Azure门户中给定保管库中的机密。主要。 You should be able to filter by application ID:
您应该能够按应用程序ID进行过滤:
I test it with the following code, it works correctly on my side. 我用下面的代码测试它,它在我这边正常工作。 The resourceUri is
https://vault.azure.net
. resourceUri是
https://vault.azure.net
。
static string appId = "xxxxxxxxxxxxx";
static string appSecret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxx";
static string tenantId = "xxxxxxxxxxxxxxxxxxxxx";
public static void Main(string[] args)
{
var kv = new KeyVaultClient(GetAccessToken);
var scret = kv.GetSecretAsync("https://xxxxxx.vault.azure.net", "secretname").GetAwaiter().GetResult();
}
public static async Task<string> GetAccessToken(string azureTenantId, string clientId, string redirectUri)
{
var context = new AuthenticationContext("https://login.windows.net/" + tenantId);
var credential = new ClientCredential(appId, appSecret);
var tokenResult = await context.AcquireTokenAsync("https://vault.azure.net", credential);
return tokenResult.AccessToken;
}
Also, you need to add permission with "Key Vault" to the registered app. 此外,您需要向已注册的应用添加“Key Vault”权限。
In Key vault channel, you need to Add policies to your registered application or user. 在Key vault频道中,您需要向已注册的应用程序或用户添加策略。 And in Access Control you need to add permission to your registered application or user.
在Access Control中,您需要为注册的应用程序或用户添加权限。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.