Using Key Vault Secret with Binder in Azure Function on Blob connection
I found this code sample to add a connection to Blob storage and write some text to a file but the connection information depends on an environment variable name that contains your connection string. I can't figure out how to instead provide a key vault secret reference that contains the connection string instead of having to use the environment variable name with the connection string.

    using Microsoft.Azure.WebJobs;
    using Microsoft.Azure.WebJobs.Host.Bindings.Runtime;

    public static async Task Run(string input, Binder binder)
    {
        var attributes = new Attribute[]
        {
            // Blob path to write to.
            new BlobAttribute("samples-output/path"),
            // Name of the app setting (environment variable) that holds the connection string.
            new StorageAccountAttribute("MyStorageAccount")
        };

        // Bind at runtime and write through the resulting TextWriter.
        using (var writer = await binder.BindAsync<TextWriter>(attributes))
        {
            writer.Write("Hello World!");
        }
    }

I can get the connection string from my key vault with code like below but I don't know how to provide that to the Binder to use.

    string StorageConnectionString = GetSecrets(Environment.GetEnvironmentVariable("StorageAccountSecretUrl")).Result.Value;

The function called is below:

    private static async Task<SecretBundle> GetSecrets(string Url)
    {
        AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
        KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
        return await keyVaultClient.GetSecretAsync(Url).ConfigureAwait(false);
    }

The objective is to only use my key vault secrets for changes to the connection string and to keep the connection strings out of the configuration file.
Take a look at this MS doc called "Use Key Vault references for App Service and Azure Functions" (https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references).
This technique basically allows you to use Key Vault without materially changing your Function code. You keep the reference to an app settings variable in your function (for the Binding to use), but that app setting in turn is a pointer to a Key Vault secret. The system takes care of "translating" that pointer to the secret at runtime. The process does involve creating a managed identity for the app service/function to have permission to access the Vault.
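
The setup the answer describes, as an added example that is not part of the original answer: an Azure CLI script that enables a managed identity, grants it read access to secrets, and points the `MyStorageAccount` app setting from the question at a Key Vault reference. The helper names (`kv_reference`, `classify_setting`, `apply_reference`) are hypothetical, resource names are passed as arguments, and it assumes a public-cloud vault (`vault.azure.net`) that uses the access-policy permission model.

```shell
#!/bin/sh
# Added example, not from the original post. All resource names are supplied
# by the caller; nothing here is taken from a real environment.
set -e

# Build the app-setting value that App Service / Functions resolves at runtime.
# $1 = vault name, $2 = secret name (no version: the latest version is used).
kv_reference() {
    printf '@Microsoft.KeyVault(SecretUri=https://%s.vault.azure.net/secrets/%s/)' "$1" "$2"
}

# Classify an app-setting value so a plaintext connection string left in
# configuration can be spotted during review.
classify_setting() {
    case "$1" in
        '@Microsoft.KeyVault('*')') echo reference ;;
        *AccountKey=*|*SharedAccessSignature=*) echo plaintext-secret ;;
        *) echo other ;;
    esac
}

# $1 = resource group, $2 = function app, $3 = vault name, $4 = secret name
apply_reference() {
    # 1. Give the function app a system-assigned managed identity.
    principal_id=$(az functionapp identity assign \
        --resource-group "$1" --name "$2" --query principalId -o tsv)

    # 2. Least privilege: the identity may only read ("get") secrets.
    #    Assumption: the vault uses access policies rather than Azure RBAC.
    az keyvault set-policy --name "$3" \
        --object-id "$principal_id" --secret-permissions get

    # 3. Replace the connection string with a pointer to the secret. The
    #    function code keeps using StorageAccountAttribute("MyStorageAccount").
    az functionapp config appsettings set \
        --resource-group "$1" --name "$2" \
        --settings "MyStorageAccount=$(kv_reference "$3" "$4")"
}

# Usage: sh script.sh apply <resource-group> <function-app> <vault> <secret>
if [ "${1:-}" = "apply" ]; then
    apply_reference "$2" "$3" "$4" "$5"
fi
```

Once applied, the storage connection string lives only in the vault, and rotating the secret requires no change to the function code or its settings.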