
Using KeyVault secrets to override appsettings in Azure App Service and locally

Attempting to retrieve secrets from KeyVault in a C# App Service.

Local machine:

  • Visual Studio > Tools > Options > Azure Service Authentication - authenticated Azure account

  • Likely use az login in the shell that you dotnet run from if on VS Code etc. Not checked.

Azure

  • App Service blade:
    • Set App Service identity to System Assigned
  • KeyVault blade:
    • Created KeyVault
    • Created Secret: Name = "Foo"
    • Given myself manage secrets access policy
    • Given App Service identity Get and List secret access policy

appsettings.json

...
"KeyVaultName" : "abc123",
"Secrets": {
    "One" : "@Microsoft.KeyVault(Secreturi=[uri to secret copied from Azure blade])"
}
...

Program.cs

...
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Identity;
...
public static IHostBuilder CreateHostBuilder(string[] args)
{
    return Host.CreateDefaultBuilder(args)
        .ConfigureAppConfiguration((context, config) =>
        {
            var builtConfig = config.Build();
            var secretClient = new SecretClient(
                new Uri($"https://{builtConfig["KeyVaultName"]}.vault.azure.net/"),
                new DefaultAzureCredential());
            config.AddAzureKeyVault(secretClient, new KeyVaultSecretManager());
        })
        .ConfigureWebHostDefaults(webBuilder =>
        {
            webBuilder.UseStartup<Startup>();
        });
}

Result

I am just getting the @Microsoft ... value, which I had expected to be mapped to the value from the KeyVault.

Something seems off, as I have to define the name of the KeyVault twice: once in the SecretClient and once in the @Microsoft.KeyVault reference.

It seems I was mixing two methods of getting secrets from the KeyVault.

Configuration Provider

What I added in Program.cs was a configuration provider that maps secrets into the configuration collection. Putting a breakpoint in Startup.cs and inspecting the value in the configuration collection validated this.

What I should have done is name the secret Secret--One, which will map to and override the local config value { "Secret": { "One": "..." } }. You cannot use : or __ (as used in environment-variable config mapping), as those characters are not supported in secret names.

I feel I am still missing something here, so please update in the comments or another answer.

KeyVault Reference

If, on the other hand, you want to override config values using environment variables set on the Azure Application Settings (App Service Configuration) blade, then you can use KeyVault References.

The issue with this is that you still need another method to ensure you don't keep secrets locally and risk committing them to source control.
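The configuration-provider approach from the answer above, written out as a complete Program.cs. This is an added example, not code from the original question or answer. It assumes the vault name is stored under a "KeyVaultName" key in appsettings.json, that the application's secrets are named with a "myapp-" prefix (for example "myapp-Secrets--One", which lands on the configuration key "Secrets:One"), and that a Startup class exists as in the question. The prefix filter is a hypothetical addition: it keeps unrelated secrets in a shared vault out of the configuration collection, while the base KeyVaultSecretManager already performs the "--" to ":" mapping the answer describes.

```csharp
// Added example, not code from the original question or answer.
// Assumed: "KeyVaultName" key in appsettings.json, secrets named "myapp-...",
// and the project's usual Startup class.
using System;
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

namespace KeyVaultOverrideSample
{
    // Loads only the secrets that belong to this application and maps their
    // names onto configuration keys. Filtering in Load() means a shared vault
    // does not leak other teams' secrets into IConfiguration.
    public class PrefixKeyVaultSecretManager : KeyVaultSecretManager
    {
        private readonly string _prefix;

        public PrefixKeyVaultSecretManager(string prefix)
        {
            _prefix = prefix;
        }

        // Called once per secret listed in the vault (this is why the identity
        // needs the List permission).
        public override bool Load(SecretProperties secret)
            => secret.Name.StartsWith(_prefix, StringComparison.OrdinalIgnoreCase);

        // Called for each secret that passed Load() (this is why the identity
        // needs the Get permission). "myapp-Secrets--One" -> "Secrets:One",
        // which overrides the same key read from appsettings.json.
        public override string GetKey(KeyVaultSecret secret)
            => secret.Name.Substring(_prefix.Length)
                          .Replace("--", ConfigurationPath.KeyDelimiter);
    }

    public class Program
    {
        public static void Main(string[] args) => CreateHostBuilder(args).Build().Run();

        public static IHostBuilder CreateHostBuilder(string[] args) =>
            Host.CreateDefaultBuilder(args)
                .ConfigureAppConfiguration((context, config) =>
                {
                    // CreateDefaultBuilder has already registered appsettings.json,
                    // appsettings.{Environment}.json, user secrets (Development only)
                    // and environment variables. Later sources win, so Key Vault is
                    // added here, last: its "Secrets:One" replaces the placeholder
                    // value that appsettings.json ships with.
                    var builtConfig = config.Build();
                    var vaultName = builtConfig["KeyVaultName"];
                    if (string.IsNullOrWhiteSpace(vaultName))
                    {
                        return; // no vault configured: keep local/user-secret values
                    }

                    // DefaultAzureCredential tries, among others, the App Service
                    // managed identity (in Azure) and the Visual Studio / Azure CLI
                    // sign-in (locally), so the same code works in both places
                    // without any credential in the repository.
                    var client = new SecretClient(
                        new Uri($"https://{vaultName}.vault.azure.net/"),
                        new DefaultAzureCredential());

                    config.AddAzureKeyVault(client, new PrefixKeyVaultSecretManager("myapp-"));
                })
                .ConfigureWebHostDefaults(webBuilder => webBuilder.UseStartup<Startup>());
    }
}
```

With this wiring, appsettings.json only needs a non-secret placeholder (or no value at all) under "Secrets:One"; the real value comes from the vault both in App Service and on a developer machine that is signed in through Visual Studio or az login, so nothing secret has to be committed. A breakpoint in Startup reading configuration["Secrets:One"] should show the vault value rather than the placeholder.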

