How to use @azure/identity with DefaultCredentials from 'az login' instead of service account when developing locally?
Not sure if this is already possible somehow or there's a different 'flow' that's expected and makes sense which I have yet to discover.

We use @azure/keyvault-secrets + @azure/identity to access/manage all our secrets/keys across our applications and development environments.

In production environments it's easy as we can either associate service accounts with app services directly or just create a service account and set it in the environment variables then never touch it.

Locally though, for development purposes, it's not ideal to have to get the secret keys/configuration for the app we're working on. It would be ideal to be able to use the account credentials from azure cli to retrieve the secrets based on the developer working on the app and what they have access to, so that we can enforce MFA on their account and manage access to keys solely for their user account and so on.

Does the @azure/identity module currently support this behaviour? If not, is there a recommended behaviour for this use-case besides just configuring the service accounts for each app within the dev environment?
According to my understanding, you want to use azure cli creds to get an Azure key vault secret. If so, you can use the sdk @azure/ms-rest-nodeauth. For more details, please refer to https://github.com/Azure/azure-sdk-for-node/issues/2284 . The detailed steps are as below.
npm init -y
npm install @azure/ms-rest-nodeauth
npm install @azure/keyvault
az login
var azure = require('@azure/ms-rest-nodeauth')
var keyvault = require('@azure/keyvault')

async function main() {
    // Token for the user signed in with 'az login', scoped to the Key Vault resource
    const creds = await azure.AzureCliCredentials.create({ resource: "https://vault.azure.net" })
    const client = new keyvault.KeyVaultClient(creds)
    // Legacy @azure/keyvault API: getSecret(vaultBaseUrl, secretName, secretVersion)
    const secret = await client.getSecret('https://testkey08.vault.azure.net', 'test', '517cc458b7464c379d1d3e85bd2a5c94')
    console.log(secret)
}

main()
    .then(() => {
        console.log("Successfully executed sample.");
    })
    .catch((err) => {
        console.log(err.message);
    });
Update

According to my test, if you use the sdk @azure/keyvault-secrets to get the key vault secret, please refer to the following code:
var azure = require('@azure/ms-rest-nodeauth')
var keyvault = require('@azure/keyvault-secrets')

async function main() {
    // Token for the user signed in with 'az login', scoped to the Key Vault resource
    const creds = await azure.AzureCliCredentials.create({ resource: "https://vault.azure.net" })
    // SecretClient takes the vault URL and a credential; getSecret takes just the secret name
    const client = new keyvault.SecretClient('https://<your key vault name>.vault.azure.net', creds)
    const secret = await client.getSecret('your secret name')
    console.log(secret)
}

main()
    .then(() => {
        console.log("Successfully executed sample.");
    })
    .catch((err) => {
        console.log(err.message);
    });
Besides, according to my test and research, if we use the sdk @azure/keyvault-secrets and @azure/keyvault-secrets, we have no way to use the account credentials from azure cli to retrieve the secrets. For more details, please refer to the document.

So if we want to develop your application locally, I suggest you create a service principal to get the key vault. The detailed steps are as below.
# Create a service principal for the application, then grant it secret permissions on the vault
az ad sp create-for-rbac -n <your-application-name> --skip-assignment
az keyvault set-policy --name <your-key-vault-name> --spn $AZURE_CLIENT_ID --secret-permissions backup delete get list purge recover restore set

# .env file read by dotenv; DefaultAzureCredential picks these three variables up
AZURE_TENANT_ID=<tenant id>
AZURE_CLIENT_ID=<app id>
AZURE_CLIENT_SECRET=<password>
var keyvault = require('@azure/keyvault-secrets')
var azure1 = require('@azure/identity')
const dotenv = require('dotenv');
dotenv.config(); // loads AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET from .env

async function main() {
    // DefaultAzureCredential authenticates as the service principal from the environment variables
    const creds1 = new azure1.DefaultAzureCredential()
    const client1 = new keyvault.SecretClient('https://testkey08.vault.azure.net', creds1)
    const secret1 = await client1.getSecret('test')
    console.log(secret1)
}

main()
    .then(() => {
        console.log("Successfully executed sample.");
    })
    .catch((err) => {
        console.log(err.message);
    });
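The two approaches in the answer above can be combined into one credential object: a service principal from environment variables when the app is deployed, and the developer's own `az login` identity (with its MFA and per-user vault policy) when nothing is set locally, so no `AZURE_CLIENT_SECRET` has to live on developer machines. Later releases of @azure/identity ship an `AzureCliCredential` and include it in `DefaultAzureCredential`'s fallback chain; the block below is an added example, not code from the question or answer, that shows the same fallback pattern without any network calls. The factory names `sources.servicePrincipal` and `sources.cli` are assumptions made for this example, and the token sources used in the run are constructed fakes; the adapter bridges the `{ accessToken, tokenType, expiresOn }` response shape of ms-rest-nodeauth credentials to the `{ token, expiresOnTimestamp }` shape `SecretClient` expects from a TokenCredential.

```javascript
// Added example (not from the original post): DefaultAzureCredential-style fallback
// with injected token sources, so it runs offline with constructed fakes.

const VAULT_SCOPE = "https://vault.azure.net/.default";

// ms-rest-nodeauth credentials resolve getToken() to { tokenType, accessToken, expiresOn };
// SecretClient wants getToken(scopes) resolving to { token, expiresOnTimestamp }.
function adaptLegacyCredential(legacyCred) {
  return {
    async getToken(_scopes) {
      const res = await legacyCred.getToken();
      if (!res || typeof res.accessToken !== "string" || res.accessToken.length === 0) {
        throw new Error("legacy credential returned no access token");
      }
      let expiresOnTimestamp = Date.now() + 60 * 60 * 1000; // assume one hour if no expiry came back
      if (res.expiresOn instanceof Date) {
        expiresOnTimestamp = res.expiresOn.getTime();
      } else if (typeof res.expiresOn === "string" && !Number.isNaN(Date.parse(res.expiresOn))) {
        expiresOnTimestamp = Date.parse(res.expiresOn);
      }
      return { token: res.accessToken, expiresOnTimestamp };
    },
  };
}

// First source that yields a token wins; every failure is kept so the final error
// explains why each source was skipped.
class ChainedCredential {
  constructor(entries) {
    this.entries = entries; // [{ name, credential }]
    this.used = null;       // name of the source that authenticated last
  }
  async getToken(scopes) {
    const failures = [];
    for (const { name, credential } of this.entries) {
      try {
        const token = await credential.getToken(scopes);
        if (token && typeof token.token === "string" && token.token.length > 0) {
          this.used = name;
          return token;
        }
        failures.push(`${name}: returned no token`);
      } catch (err) {
        failures.push(`${name}: ${err.message}`);
      }
    }
    throw new Error("no credential could authenticate:\n  " + failures.join("\n  "));
  }
}

function hasServicePrincipalEnv(env) {
  return ["AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"]
    .every((k) => typeof env[k] === "string" && env[k].length > 0);
}

// sources.servicePrincipal(env) / sources.cli() are hypothetical factories for this example;
// a real app would build ClientSecretCredential (@azure/identity) and
// AzureCliCredentials (@azure/ms-rest-nodeauth) there.
function buildCredential(env, sources) {
  const entries = [];
  if (hasServicePrincipalEnv(env)) {
    entries.push({ name: "environment", credential: sources.servicePrincipal(env) });
  }
  entries.push({ name: "azure-cli", credential: adaptLegacyCredential(sources.cli()) });
  return new ChainedCredential(entries);
}

// Constructed fakes standing in for the real token sources.
const fakeSources = {
  servicePrincipal: (env) => ({
    async getToken() {
      return { token: `sp-token-for-${env.AZURE_CLIENT_ID}`, expiresOnTimestamp: Date.now() + 3600000 };
    },
  }),
  cli: () => ({
    async getToken() {
      return { tokenType: "Bearer", accessToken: "cli-token-constructed", expiresOn: new Date(Date.now() + 1800000) };
    },
  }),
};

// Developer laptop: no service principal in the environment, so the az-login identity is used.
// Deployed app: all three variables set, so the service principal wins.
async function demo() {
  const devCred = buildCredential({}, fakeSources);
  const devToken = await devCred.getToken(VAULT_SCOPE);
  const prodEnv = { AZURE_TENANT_ID: "tenant-placeholder", AZURE_CLIENT_ID: "app-id-placeholder", AZURE_CLIENT_SECRET: "secret-placeholder" };
  const prodCred = buildCredential(prodEnv, fakeSources);
  const prodToken = await prodCred.getToken(VAULT_SCOPE);
  return { devUsed: devCred.used, devToken: devToken.token, prodUsed: prodCred.used, prodToken: prodToken.token };
}

if (typeof require !== "undefined" && require.main === module) {
  demo().then((result) => console.log(result));
}
```

The resulting `ChainedCredential` has the `getToken(scopes)` shape `SecretClient` calls, so it can be passed where `creds1` is used in the answer's last snippet; on a developer machine the `.env` file then only needs to be absent for the `az login` user to be picked.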