[英].NET Core secrets on a production server when not hosting on Azure
I've been trying to understand how .NET Core handles sensitive information and I'm struggling to work out how to deploy on a production environment that isn't being hosted on Azure.我一直在尝试了解 .NET Core 如何处理敏感信息,并且我正在努力研究如何在未托管在 Azure 上的生产环境中进行部署。
From what I understand I can use "secret storage" on my local development environment to store sensitive information, but this only works on the development environment.据我了解,我可以在本地开发环境中使用“秘密存储”来存储敏感信息,但这仅适用于开发环境。
If I want to access secret variables on the production environment it seems that Azure Key Vault is the recommended approach?如果我想在生产环境中访问秘密变量,Azure Key Vault 似乎是推荐的方法? However from what I'm reading I can't access these secrets unless I'm hosting on Azure too.
但是,从我正在阅读的内容来看,除非我也在 Azure 上托管,否则我无法访问这些秘密。
In my situation we already have our hosting set up with a 3rd party hosting company, so I'm wondering if it's possible to somehow still use Azure's Key Vault when not hosting on Azure.在我的情况下,我们已经与第 3 方托管公司建立了托管,所以我想知道当不在 Azure 上托管时,是否有可能以某种方式仍然使用 Azure 的 Key Vault。 Failing that, what are the alternatives?
做不到这一点,有什么替代方案?
Thanks谢谢
In my situation we already have our hosting set up with a 3rd party hosting company, so I'm wondering if it's possible to somehow still use Azure's Key Vault when not hosting on Azure.
在我的情况下,我们已经与第 3 方托管公司建立了托管,所以我想知道当不在 Azure 上托管时,是否有可能以某种方式仍然使用 Azure 的 Key Vault。 Failing that, what are the alternatives?
做不到这一点,有什么替代方案?
You can still use fully On Premise alternative to securely host your secrets without putting them into the settings file.您仍然可以完全使用 On Premise 替代方案来安全地托管您的秘密,而无需将它们放入设置文件中。
What you need to know first is how settings are loading into ASP.Net Core applications.您首先需要了解的是如何将设置加载到 ASP.Net Core 应用程序中。 At the time of writing this answer this is the order that is used to load the configurations when you call
CreateDefaultBuilder
on the Program.cs
file:在编写此答案时,这是在
Program.cs
文件上调用CreateDefaultBuilder
时用于加载配置的顺序:
CreateDefaultBuilder
provides default configuration for the app in the following order:CreateDefaultBuilder
按以下顺序为应用程序提供默认配置:
ChainedConfigurationProvider
: Adds an existingIConfiguration
as a source.ChainedConfigurationProvider
:将现有的IConfiguration
添加为源。 In the default configuration case, adds the host configuration and setting it as the first source for the app configuration.在默认配置情况下,添加主机配置并将其设置为应用配置的第一个来源。
appsettings.json
using the JSON configuration provider.appsettings.json
使用 JSON 配置提供程序。
appsettings.Environment.json
using the JSON configuration provider.appsettings.Environment.json
使用 JSON 配置提供程序。 For example,appsettings.Production.json
and appsettings.Development.json.例如,
appsettings.Production.json
和 appsettings.Development.json。App secrets when the app runs in the Development environment.
应用程序在开发环境中运行时的应用程序机密。
Environment variables using the Environment Variables configuration provider.
使用环境变量配置提供程序的环境变量。
Command-line arguments using the Command-line configuration provider.
使用命令行配置提供程序的命令行 arguments。
In your case, the step you need to look at is the step n°5.在您的情况下,您需要查看的步骤是第 5 步。 In Windows, environment variables are configured in two ways:
在Windows中,环境变量的配置方式有两种:
So in your case you need to follow these steps:因此,在您的情况下,您需要执行以下步骤:
You'll need to create a specific user account for running your application.您需要创建一个特定的用户帐户来运行您的应用程序。
It can be only a local user account.它只能是本地用户帐户。
Connect to the server with that newly created user account, set the environment variables and make sure it will remain in the scope of that user (it is the purpose of the thrid parameter in the PowerShell Command below).使用新创建的用户帐户连接到服务器,设置环境变量并确保它将保留在该用户的 scope 中(这是下面 PowerShell 命令中的第三个参数的目的)。 For example to set the connection string you'll run something like below:
例如,要设置连接字符串,您将运行如下内容:
[Environment]::SetEnvironmentVariable("ConnectionStrings:MySuperDatabse", "my super database connection string", "User")
You need to configure the IIS Application Pool to use that new account to run the application.您需要配置 IIS 应用程序池以使用该新帐户来运行应用程序。 So you need to go to the Advanced Settings of the application pool dedicated to your application and set the new account like below:
因此,您需要 go 到专用于您的应用程序的应用程序池的高级设置,并设置新帐户,如下所示:
One last thinks is to configure again the IIS Application Pool to load the User Profile .最后一个想法是再次配置 IIS 应用程序池以加载用户配置文件。 In some IIS configuration it is set to
false
by default.在某些 IIS 配置中,默认设置为
false
。 You need to set it to true
so when loading the user profiles, the environment variables for that specific user will also be loaded.您需要将其设置为
true
,以便在加载用户配置文件时,还将加载该特定用户的环境变量。 That can be configured in Advanced Settings of the application pool dedicated to your ASP.Net Core application like below:可以在专用于 ASP.Net Core 应用程序的应用程序池的高级设置中进行配置,如下所示:
And it is done.它已经完成了。 You'll be able to access to the secrets for the user account running your ASP.Net Core Application without modifying anything into your code base but only configurations on environment varaibles scoped to that user and configurations done on IIS, Beside the user account creation.
您将能够访问运行 ASP.Net Core 应用程序的用户帐户的机密,而无需修改代码库中的任何内容,但只能在该用户范围内的环境变量上的配置以及在 IIS 上完成的配置,除了用户帐户创建。 all the remaining steps can be automated into your CD Pipelines without any difficulties.
所有剩余的步骤都可以毫无困难地自动集成到您的 CD 管道中。
Because the secrets are set to the environment variables of the created account, make sure that not many people are aware about its password (threat that account as an admin account).由于机密设置为创建帐户的环境变量,因此请确保没有多少人知道其密码(威胁该帐户为管理员帐户)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.