堆栈内存溢出
  简体   繁体   English

对于 Azure Key Vault,我应该将tenantId、clientId 和clientSecret 存储在哪里?

[英]For Azure Key Vault, where should I store the tenantId, clientId and clientSecret?

 原文  2020-11-09 23:43:05       c#/ azure/ azure-keyvault

问题描述

I am using Azure Key Vault to store my connection strings.我正在使用 Azure Key Vault 来存储我的连接字符串。 The application that needs them is just a C# console application that will run in an Azure VM.需要它们的应用程序只是一个将在 Azure VM 中运行的 C# 控制台应用程序。 The problem is, I am unsure what the best practice is for storing the tenantId, clientId and clientSecret.问题是,我不确定存储tenantId、clientId 和clientSecret 的最佳实践是什么。 Should they be compiled in the code?它们应该在代码中编译吗? Should they be put in the app.config file?它们应该放在 app.config 文件中吗? Should they be put in the environment variables?它们应该放在环境变量中吗? Should they be encrypted?他们应该加密吗? Or is plain text for these fine?或者这些纯文本很好吗?

2 个解决方案

解决方案1
 1  2020-11-10 02:19:27

If you would like to store the properties on your VM, you could use deployed service authentication(eg.Environment Variables, Managed Identity).如果您想将属性存储在您的 VM 上,您可以使用已部署的服务身份验证(例如环境变量、托管身份)。 Refer to here .请参阅此处

在此处输入图片说明

Managed identity is the most secure and recommended option for authenticating within Azure, see here .托管标识是在 Azure 中进行身份验证的最安全和推荐的选项,请参阅此处 You could use managed identities to access App Configuration .您可以使用托管身份访问 App Configuration

A service principal is a type of security principal that identities an application or service, which is to say, a piece of code rather than a user or group.服务主体是一种用于标识应用程序或服务的安全主体,也就是说,是一段代码,而不是用户或组。 A service principal's object ID is known as its client ID and acts like its username.服务主体的对象 ID 称为其客户端 ID,其作用类似于其用户名。 The service principal's client secret or certificate acts like its password.服务主体的客户端机密或证书的作用类似于其密码。 Many Azure Services supports assigning Managed Identity with automated management of client ID and certificate.许多 Azure 服务支持通过自动管理客户端 ID 和证书来分配托管标识。 Managed identity is the most secure and recommended option for authenticating within Azure.托管标识是用于在 Azure 中进行身份验证的最安全和推荐的选项。

解决方案2
 1  2020-11-26 15:37:40

Once you have assigned a managed identity to the virtual machine in Azure, you simply need the Azure KeyVault URL, without the need for a client id and client secret.将托管标识分配给 Azure 中的虚拟机后,您只需要 Azure KeyVault URL,无需客户端 ID 和客户端机密。

Keep in mind that you need to authorize the VM's identity to read from Key Vault.请记住,您需要授权 VM 的身份才能从 Key Vault 读取。

Reference 参考

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 安全地存储 Azure Key Vault clientSecret - Store Azure Key Vault clientSecret securely Azure Key Vault ClientSecret Management - Azure Key Vault ClientSecret Management Azure KeyVault:如何创建clientId和clientSecret? - Azure KeyVault: how to create clientId and clientSecret? 从何处获取通过API访问Azure ServiceBus所需的信息,尤其是ClientID和ClientSecret - Where to get required information to access Azure ServiceBus via API, especially ClientID and ClientSecret 如何在 C# 中使用服务主体(clientId 和 clientSecret)为 Azure Data Lake Store(Gen-2)创建 SAS 令牌? - How to create SAS token for Azure Data Lake Store (Gen-2) using service principals (clientId and clientSecret) in C#? 如何获取 Azure (ARM) 部署模板的 clientId 和 clientsecret - How to get clientId and clientsecret for Azure (ARM) deployment template 来自本地 .net 应用程序的 Azure 密钥保管库而不公开 clientid/clientsecret? - Azure keyvault from on prem .net app without exposing clientid/clientsecret? Azure Key Vault URL 应该隐藏吗? - Should the Azure Key Vault URL be hidden? 在 Azure Key Vault 上存储一个长字符串 - Store a long string on Azure Key Vault 我应该在哪里存储公钥? - Where should I store the Public Key?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM