Azure Key Vault Service to store credentials
My Azure PaaS service supports authentication directly with OAUTH (Event Hubs).
How do you securely distribute credentials to confidential clients?
Sorry, I'm new to cloud development.
As you mentioned, you can use Azure Key Vault to store the client secret of your Azure AD App Registration.
Just add the client app/user account to the Azure Key Vault Access Policy with the correct permissions; then only they can access your Azure Key Vault to retrieve the client secret.
Update:
You need to create a new Azure AD App Registration used to access the Key Vault (this AD App is just to access Key Vault, not to access Event Hubs), store its client id and secret as environment variables, then use the SDK to get the secret. After that, use ClientSecretCredential
to access Event Hubs.
// Packages: Azure.Identity, Azure.Messaging.EventHubs (top-level statements, C# 9+)
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Messaging.EventHubs;
using Azure.Messaging.EventHubs.Producer;

// Service principal that holds a data-sender permission on the Event Hub
TokenCredential credential = new ClientSecretCredential("<tenantId>", "<clientId>", "<clientSecret>");
var fullyQualifiedNamespace = "<< FULLY-QUALIFIED EVENT HUBS NAMESPACE (like something.servicebus.windows.net) >>";
var eventHubName = "<< NAME OF THE EVENT HUB >>";
await using (var producer = new EventHubProducerClient(fullyQualifiedNamespace, eventHubName, credential))
{
    using EventDataBatch eventBatch = await producer.CreateBatchAsync();
    eventBatch.TryAdd(new EventData(new BinaryData("First")));
    eventBatch.TryAdd(new EventData(new BinaryData("Second")));
    await producer.SendAsync(eventBatch);
}
Reference - Using an Active Directory principal with the Event Hub clients
Note: actually, if your code will be deployed to an Azure service that supports Managed Identity (MSI), such as Azure App Service, VMs, etc., the best practice is to use MSI to authenticate to Event Hubs; there is no need to create an AD application and use its client secret, and no Key Vault is needed either.
Reference - Authenticate a managed identity with Azure Active Directory to access Event Hubs Resources
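The following program is an added example, not code from the original answer, that puts both paths the answer describes side by side: the managed-identity path (the process identity talks to Event Hubs directly, so no secret exists in the process) and the Key Vault indirection path (fetch the app registration's client secret from the vault at runtime, then build a ClientSecretCredential from it). It assumes the vault URI, secret name, namespace, hub name and the environment variable names AZURE_TENANT_ID, EVENTHUB_CLIENT_ID and USE_MANAGED_IDENTITY, all of which are placeholders chosen for this example, and it assumes the identity reaching the vault has read access to the secret while the app registration whose secret is stored there has send permission on the hub. It uses the Azure.Identity, Azure.Security.KeyVault.Secrets and Azure.Messaging.EventHubs packages.

```csharp
// Added example (not from the original answer). Placeholder names below are assumptions.
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Messaging.EventHubs;
using Azure.Messaging.EventHubs.Producer;
using Azure.Security.KeyVault.Secrets;

static class EventHubAuth
{
    // Hypothetical values; replace with your own resources.
    const string VaultUri   = "https://<your-vault>.vault.azure.net/";
    const string SecretName = "eventhub-client-secret";
    const string Namespace  = "<your-namespace>.servicebus.windows.net";
    const string HubName    = "<your-event-hub>";

    // Path 1 (preferred on Azure): the platform's managed identity is used for
    // Event Hubs directly. DefaultAzureCredential picks up the managed identity
    // when deployed and a developer login (CLI, Visual Studio) locally.
    static TokenCredential ManagedIdentityCredential() => new DefaultAzureCredential();

    // Path 2 (the answer's indirection): read the app registration's client secret
    // from Key Vault and turn it into a credential for Event Hubs.
    static async Task<TokenCredential> SecretFromKeyVaultAsync()
    {
        // The vault itself is reached with the platform identity, so no bootstrap
        // secret has to live in the environment; only the tenant and client ids do.
        var vault = new SecretClient(new Uri(VaultUri), new DefaultAzureCredential());
        KeyVaultSecret secret = await vault.GetSecretAsync(SecretName);

        string tenantId = Environment.GetEnvironmentVariable("AZURE_TENANT_ID")
            ?? throw new InvalidOperationException("AZURE_TENANT_ID is not set");
        string clientId = Environment.GetEnvironmentVariable("EVENTHUB_CLIENT_ID")
            ?? throw new InvalidOperationException("EVENTHUB_CLIENT_ID is not set");

        return new ClientSecretCredential(tenantId, clientId, secret.Value);
    }

    // Send a batch with whichever credential was resolved.
    static async Task SendAsync(TokenCredential credential, params string[] messages)
    {
        await using var producer = new EventHubProducerClient(Namespace, HubName, credential);
        using EventDataBatch batch = await producer.CreateBatchAsync();
        foreach (string m in messages)
        {
            // TryAdd returns false when the batch is full; fail loudly rather than drop data.
            if (!batch.TryAdd(new EventData(new BinaryData(m))))
                throw new InvalidOperationException($"Event did not fit in the batch: {m}");
        }
        await producer.SendAsync(batch);
    }

    static async Task Main()
    {
        // USE_MANAGED_IDENTITY is a hypothetical switch for this example.
        bool onAzure = Environment.GetEnvironmentVariable("USE_MANAGED_IDENTITY") == "1";
        TokenCredential credential = onAzure
            ? ManagedIdentityCredential()
            : await SecretFromKeyVaultAsync();
        await SendAsync(credential, "First", "Second");
    }
}
```

One point worth checking before choosing path 2: if the vault is reached with another app registration's client secret held in environment variables, as the answer's update describes, that bootstrap secret is exactly as exposed as the Event Hubs secret would have been. The indirection then buys central rotation and an access log, not confidentiality, which is why the managed-identity note at the end of the answer is the stronger design wherever the host supports it.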