在Azure上存储ASP.NET Core应用程序密码的最佳方法
[英]Best way to store passwords for ASP.NET Core app on Azure
问题描述
I have developed some application and I am using there a external service to send emails (SendGrid). 
我已经开发了一些应用程序,并且正在使用外部服务来发送电子邮件(SendGrid)。 To use this service I need login and password to use SendGrid api. 要使用此服务,我需要登录名和密码才能使用SendGrid api。 In developmnet environment I have used .Net Core secrets ( https://docs.microsoft.com/pl-pl/aspnet/core/security/app-secrets?view=aspnetcore-2.2&tabs=windows ) but now after publish I need to deliver login and password in other way. 在developermnet环境中,我使用了.Net Core机密( https://docs.microsoft.com/pl-pl/aspnet/core/security/app-secrets?view=aspnetcore-2.2&tabs=windows ),但是现在发布后,我需要以其他方式传递登录名和密码。 I know that there is a Azure Key Vault, but what if app will be published somwhere else? 我知道有一个Azure密钥保管箱,但是如果在其他地方发布该应用程序该怎么办?
1 个解决方案
解决方案1
0 2019-05-24 06:12:38
FOR PRODUCTION: Use Managed Identity for Azure Resources to avoid storing connection strings. 生产:使用Azure资源的托管身份来避免存储连接字符串。 It is a clean solution for managing secrets in Key Vault. 这是用于管理Key Vault中机密信息的干净解决方案。
Access Key for Key Vault or other similar resources is never shared, not even to Services or DevOps Engineer to deploy or run the applications in production 永远不会共享Key Vault或其他类似资源的访问密钥,甚至不会共享给Services或DevOps Engineer来部署或运行生产中的应用程序
- Create a Azure Key Vault and store your secrets 创建一个Azure密钥保管库并存储您的秘密
- Enable System Managed Identity in your Azure App Service. 在您的Azure应用服务中启用系统托管身份。 It will register your web application at AAD internally 它将在AAD内部注册您的Web应用程序
- Search for Managed Service Identity Application ID at Key Vault and allow intended access to it 在Key Vault中搜索托管服务标识应用程序ID,并允许对其进行预期的访问
- Initialize connection to your Key Vault by following snippet 按照以下代码片段初始化与您的Key Vault的连接
Program.cs Program.cs中
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Azure.KeyVault;
using Microsoft.Extensions.Configuration.AzureKeyVault;
...
public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
WebHost.CreateDefaultBuilder(args)
.ConfigureAppConfiguration((context, config) =>
{
if (context.HostingEnvironment.IsProduction())
{
var builtConfig = config.Build();
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(
azureServiceTokenProvider.KeyVaultTokenCallback));
config.AddAzureKeyVault(
$"https://{builtConfig["KeyVaultName"]}.vault.azure.net/",
keyVaultClient,
new DefaultKeyVaultSecretManager());
}
})
.UseStartup<Startup>();
Startup.cs Startup.cs
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
}
- Now, secrets from Key Vault will be loaded into Configuration variable. 现在,来自Key Vault的机密将被加载到Configuration变量中。 You can use it like, Configuration["YourKeyVaultKeyName"]. 您可以像Configuration [“ YourKeyVaultKeyName”]一样使用它。
FOR DEVELOPMENT: You can optionally use Dotnet-user-secrets tool to store\\ manage the secrets in local machine. 开发:您可以选择使用Dotnet-user-secrets工具在本地计算机中存储/管理机密。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.