从 Azure Functions 动态访问 Azure Key Vault
[英]Access azure key vault from Azure Functions dynamically
问题描述
I am writing a azure functions application in python.
我正在用 python 编写一个 azure 函数应用程序。 It is a http trigger application.它是一个 http 触发器应用程序。 The input for the application is userID.应用程序的输入是用户 ID。
{ "user":"TEST_USER_1" }
The functions should use the username specified in 'user' parameter and look up the password in azure keyvault and attempt a remote login to one of the service.这些函数应使用“user”参数中指定的用户名,并在 azure keyvault 中查找密码并尝试远程登录其中一项服务。 For this, we need to add the application settings parameter for specific keyvault version BUT these changes are static.为此,我们需要为特定的密钥库版本添加应用程序设置参数,但这些更改是静态的。
For us, all the users and their passwords are added to azure keyvault And we will keep on provisioning more users.对我们来说,所有用户及其密码都被添加到 azure keyvault 并且我们将继续提供更多用户。
Now, the challenge is how to dynamically access password for any user specified during API call ?现在,挑战是如何为 API 调用期间指定的任何用户动态访问密码? Is it possible to access all the secrets in a keyvault without specifying individual secret version?是否可以在不指定单个密钥版本的情况下访问密钥库中的所有密钥?
1 个解决方案
解决方案1
2 已采纳 2019-11-27 16:07:29
Here's what you need to do:您需要执行以下操作:
- create a managed identity for your Azure Function为 Azure 函数创建托管标识
- grant permission on Azure Key Vault (Get / List) for the previous identity为以前的身份授予对 Azure Key Vault(获取/列出)的权限
- get access token from Azure AD in your function在您的函数中从 Azure AD 获取访问令牌
- use the token to retrieve the secret.使用令牌来检索秘密。
Some useful links:一些有用的链接:
https://docs.microsoft.com/en-us/azure/python/python-sdk-azure-authenticate https://docs.microsoft.com/en-us/azure/python/python-sdk-azure-authenticate
https://docs.microsoft.com/en-us/python/api/overview/azure/key-vault?view=azure-python https://docs.microsoft.com/en-us/python/api/overview/azure/key-vault?view=azure-python
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.