僅使用計算機上安裝的證書訪問 Azure KeyVault 機密

Question

我使用以下代碼訪問我的 Azure KeyVault

public static string GetKeyVaultSecret(string keyVaultName, string secretName)
{
    string secret = "";
    string secretUrl = $"https://{keyVaultName}.vault.azure.net/secrets/{secretName}";
    AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
    var keyVaultClient = new KeyVaultClient(
        new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
    Task.Run(async () => {
        var secretObject = await keyVaultClient.GetSecretAsync(secretUrl).ConfigureAwait(false);
        secret = secretObject.Value;
    }).GetAwaiter().GetResult();
    return secret;
}

當我在我的帳戶下登錄時，這非常有效。 但是作為服務帳戶登錄時，我收到錯誤消息：

Parameters: Connection String: [No connection string specified], Resource:
https://vault.azure.net, Authority: https://login.windows.net/5a47d63b-1b7e-4d2d-9333-750184dcbc99. 
Exception Message: Tried to get token using Active Directory Integrated Authentication.
 Access token could not be acquired. unknown_user_type: Unknown User Type

我只想使用證書來驗證和授權對 KeyVault 的訪問，而不是任何 Azure Active Directory 帳戶

Answer 1

您需要設置一個指向證書並且可由應用程序讀取的連接字符串環境變量。

這取自https://docs.microsoft.com/en-us/dotnet/api/overview/azure/service-to-service-authentication#use-a-certificate-in-local-keystore-to-sign-天藍色廣告