For Azure Key Vault, where should I store the tenantId, clientId and clientSecret?
I am using Azure Key Vault to store my connection strings. The application that needs them is just a C# console application that will run in an Azure VM.

The problem is, I am unsure what the best practice is for storing the tenantId, clientId and clientSecret. Should they be compiled in the code? Should they be put in the app.config file? Should they be put in the environment variables? Should they be encrypted? Or is plain text for these fine?
If you would like to store the properties on your VM, you could use deployed service authentication (e.g. Environment Variables, Managed Identity). Refer to here.
Managed identity is the most secure and recommended option for authenticating within Azure, see here. You could use managed identities to access App Configuration.
A service principal is a type of security principal that identifies an application or service, which is to say, a piece of code rather than a user or group. A service principal's object ID is known as its client ID and acts like its username. The service principal's client secret or certificate acts like its password. Many Azure services support assigning a Managed Identity with automated management of the client ID and certificate. Managed identity is the most secure and recommended option for authenticating within Azure.
Once you have assigned a managed identity to the virtual machine in Azure, you simply need the Azure KeyVault URL, without the need for a client id and client secret.

Keep in mind that you need to authorize the VM's identity to read from Key Vault.
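As an added example (not code from the thread or from Microsoft's samples), here is how the console app described in the question would read a connection string once the VM has a managed identity: no tenantId, clientId or clientSecret appears anywhere in code, config or environment. It assumes the NuGet packages Azure.Identity and Azure.Security.KeyVault.Secrets, an environment variable named KEY_VAULT_URL and a secret named SqlConnectionString (both placeholder names).

```csharp
// Added example: read a secret from Key Vault using the VM's managed identity.
// Assumes packages Azure.Identity and Azure.Security.KeyVault.Secrets are referenced.
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

class Program
{
    static async Task<int> Main()
    {
        // The vault URL is configuration, not a secret, so an environment variable
        // or app.config entry is fine. KEY_VAULT_URL is an assumed variable name.
        string vaultUrl = Environment.GetEnvironmentVariable("KEY_VAULT_URL")
            ?? "https://<your-vault-name>.vault.azure.net/"; // placeholder

        // DefaultAzureCredential probes, in order, the AZURE_TENANT_ID/AZURE_CLIENT_ID/
        // AZURE_CLIENT_SECRET environment variables, then the managed identity endpoint,
        // then developer tools (Azure CLI, Visual Studio). On the VM the env vars are
        // absent, so the token comes from the managed identity and no secret is stored.
        var credential = new DefaultAzureCredential();
        var client = new SecretClient(new Uri(vaultUrl), credential);

        try
        {
            // "SqlConnectionString" is an assumed secret name.
            KeyVaultSecret secret = await client.GetSecretAsync("SqlConnectionString");
            string connectionString = secret.Value;
            Console.WriteLine($"Fetched secret '{secret.Name}' ({connectionString.Length} chars)");
            return 0;
        }
        catch (CredentialUnavailableException ex)
        {
            // No managed identity assigned to the VM (and no other credential source).
            Console.Error.WriteLine($"No credential available: {ex.Message}");
            return 1;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // Identity exists but has not been granted access to the vault, which is
            // the authorization step the answer above warns about.
            Console.Error.WriteLine($"Access denied by Key Vault: {ex.Message}");
            return 2;
        }
    }
}
```

Granting the VM's identity read access is done on the vault (an RBAC role such as Key Vault Secrets User, or a Get-secret access policy), not in the application.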