
Azure Storage Client Side Encryption

I am trying to test client-side encryption with an Azure Storage account. So far I have created a resource group, placed my Key Vault and a registered application in Active Directory, and created a secret in my Key Vault.

I don't think I can map my secret to my storage account, but I believe they should work if they are in the same resource group.


# Build a 16-character key, base64-encode it and store it as a Key Vault secret
$key = "qwertyuiopasdfgh"
$b = [System.Text.Encoding]::UTF8.GetBytes($key)
$enc = [System.Convert]::ToBase64String($b)
$secretvalue = ConvertTo-SecureString $enc -AsPlainText -Force

# ContentType application/octet-stream is what lets KeyVaultKeyResolver treat the secret as a symmetric key
$secret = Set-AzureKeyVaultSecret -VaultName 'ectotecStorageKeyVault' -Name 'ectotecSecret' -SecretValue $secretvalue -ContentType "application/octet-stream"


The problem is that I get an "Invalid client secret provided" error with the following code:

using System;
using System.Configuration;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.WindowsAzure.Storage;
using Microsoft.WindowsAzure.Storage.Auth;
using Microsoft.WindowsAzure.Storage.Blob;

namespace cifradoApp
{
    class Program
    {
        // Callback used by KeyVaultKeyResolver to obtain an Azure AD token for Key Vault.
        // clientId / clientSecret are the registered application's credentials.
        private async static Task<string> GetToken(string authority, string resource, string scope)
        {
            var authContext = new AuthenticationContext(authority);
            ClientCredential clientCred = new ClientCredential(
                ConfigurationManager.AppSettings["clientId"],
                ConfigurationManager.AppSettings["clientSecret"]);
            AuthenticationResult result = await authContext.AcquireTokenAsync(resource, clientCred);

            if (result == null)
                throw new InvalidOperationException("Failed to obtain the JWT token");

            return result.AccessToken;
        }

        static void Main(string[] args)
        {
            // This is standard code to interact with Blob storage.
            StorageCredentials creds = new StorageCredentials(
                ConfigurationManager.AppSettings["accountName"],
                ConfigurationManager.AppSettings["accountKey"]);

            CloudStorageAccount account = new CloudStorageAccount(creds, useHttps: true);
            CloudBlobClient client = account.CreateCloudBlobClient();
            CloudBlobContainer contain = client.GetContainerReference(ConfigurationManager.AppSettings["container"]);
            contain.CreateIfNotExists();

            // The Resolver object is used to interact with Key Vault for Azure Storage.
            // This is where the GetToken method from above is used.
            KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(GetToken);

            // Retrieve the secret created previously with Set-AzureKeyVaultSecret.
            // Because this is a secret (not a key), the IKey returned here is a SymmetricKey.
            var rsa = cloudResolver.ResolveKeyAsync(
                "https://ectotecstoragekeyvault.vault.azure.net/secrets/ectotecSecret/dee97a40c78a4638bbb3fa0d3e13f75e",
                CancellationToken.None).GetAwaiter().GetResult();

            // Use the resolved key to encrypt by setting it in the BlobEncryptionPolicy.
            BlobEncryptionPolicy policy = new BlobEncryptionPolicy(rsa, null);
            BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = policy };

            // Reference a block blob.
            CloudBlockBlob blob = contain.GetBlockBlobReference("BlobPruebaEncrypted.txt");

            // Upload using the UploadFromStream method.
            using (var stream = System.IO.File.OpenRead(@"C:\Users\moise\Desktop\ectotec stuff\Visual Studio\azureStorageSample\container\BlobPrueba.txt"))
            {
                blob.UploadFromStream(stream, stream.Length, null, options, null);
            }
        }
    }
}

My app settings seem to be working fine, because I verified them earlier using only my account and the storage account's access key: when I tested without attempting client-side encryption, everything worked. The problem seems to come from the secret.

Error when trying to upload something to a container (blob) in my storage account:

AdalException: {"error":"invalid_client","error_description":"AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.\\r\\nTrace ID: 52047a12-b950-4d8a-9206-120e383feb00\\r\\nCorrelation ID: e2ad8afe-4272-49aa-94c0-5dad435ffc45\\r\\nTimestamp: 2019-01-02 17:10:32Z","error_codes":[70002,50012],"timestamp":"2019-01-02 17:10:32Z","trace_id":"52047a12-b950-4d8a-9206-120e383feb00","correlation_id":"e2ad8afe-4272-49aa-94c0-5dad435ffc45"}: Unknown error

<appSettings>
  <add key="accountName" value="sampleExample"/>
  <add key="accountKey" value="KeyForMyApp"/>
  <add key="clientId" value="app-id"/>
  <add key="clientSecret" value="qwertyuiopasdfgh"/>
  <add key="container" value="ectotec-sample2"/>
</appSettings>

I am trying to replicate the example from this tutorial:

https://docs.microsoft.com/zh-cn/azure/storage/blobs/storage-encrypt-decrypt-blobs-key-vault

You need to make sure you have granted your application permission to read the key. This is separate from the RBAC permissions on the Key Vault.

To do this, browse to the Key Vault in the portal. On the left-hand menu you will see a Settings section; under it, click the item called "Access policies".

(screenshot: Access policies)

Then click the "Add new" button. In the window that opens, click the "Select principal" section and enter the name or application ID of the application that needs access. Select the appropriate permissions for keys, secrets or certificates and click OK.

This takes you back to the list of authorized users; make sure you click "Save" in the top left (which isn't obvious), and then your application should have access.
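The portal steps in the answer can also be scripted. The block below is an added example, not part of the question or the answer, and uses the AzureRM cmdlets that match the Set-AzureKeyVaultSecret call in the question; it assumes Login-AzureRmAccount has already run, and the application id is a placeholder for the app the asker registered. Two points worth separating while reading it: the AADSTS50012 error in the question is returned by Azure AD while the token is being acquired, before Key Vault is ever contacted, so the clientSecret in appSettings must be the registered application's own key rather than the value stored in the vault; the access policy granted here governs the separate question of what that application may read once it holds a token, and is kept to the minimum the sample needs.

```powershell
# Added example (not from the question or answer): grant the registered application
# read access to secrets in the vault named in the question, then verify the policy.
# Assumptions: AzureRM module loaded, Login-AzureRmAccount already run,
# $appId is a placeholder for the application (client) id registered in Azure AD.

$vaultName = 'ectotecStorageKeyVault'
$appId     = '00000000-0000-0000-0000-000000000000'   # placeholder application id

# KeyVaultKeyResolver only has to read a secret stored as application/octet-stream,
# so 'get' on secrets is the least privilege that makes the sample work.
# (Resolving an RSA key from Key Vault instead would need keys: get, wrapKey, unwrapKey.)
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName `
    -ServicePrincipalName $appId `
    -PermissionsToSecrets get

# Confirm the vault's access policies now include the application's service principal.
$sp    = Get-AzureRmADServicePrincipal -ServicePrincipalName $appId
$vault = Get-AzureRmKeyVault -VaultName $vaultName
$vault.AccessPolicies |
    Where-Object { $_.ObjectId -eq $sp.Id } |
    Format-List DisplayName, ObjectId, PermissionsToSecrets
```

If the final Format-List prints nothing, the policy was not saved for that principal and the resolver will fail with a Key Vault 403 rather than the Azure AD error shown in the question, which is a quick way to tell the two problems apart.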
