Azure Key Vault: access denied

I have the following code for reading a secret from Azure Key Vault:

using System;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Authentication callback handed to KeyVaultClient: acquires an AAD bearer token for the vault.
public static async Task<string> GetToken(string authority, string resource, string scope)
{
    var authContext = new AuthenticationContext(authority);
    ClientCredential clientCred = new ClientCredential(...); // app id, app secret
    AuthenticationResult result = await authContext.AcquireTokenAsync(resource, clientCred);

    if (result == null)
        throw new InvalidOperationException("Failed to obtain the JWT token");

    return result.AccessToken;
}

public static string GetSecret(string secretName)
{
    KeyVaultClient keyVaultClient = new KeyVaultClient(GetToken);
    try
    {
        return keyVaultClient.GetSecretAsync("my-key-vault-url", secretName).Result.Value;
    }
    catch (Exception ex)
    {
        // The caught exception (and with it the detail behind "access denied") is discarded here;
        // only the literal "Error" reaches the caller.
        return "Error";
    }
}

The error I get is "access denied", which (I think) means the id, secret and vault URL are fine. However, I don't know what I can do to fix this error; is there a setting in the Azure portal that is blocking me from reading secrets?

What is happening: your service principal does not have permission to perform the operation above. Take a look at this thread.

To resolve the access denied issue you need to configure Active Directory permissions, i.e. grant the application access to the Key Vault.

1. Using PowerShell, run the following command:

Set-AzureRmKeyVaultAccessPolicy -VaultName 'XXXXXXX' -ServicePrincipalName XXXXX -PermissionsToKeys decrypt,sign,get,unwrapKey

2. Using the Azure portal

  1. Open the Key Vault
  2. Select the Access policies blade from the Key Vault resource
  3. Click the [+ Add access policy] button at the top of the blade
  4. Click Select Principal to select the application you created earlier
  5. From the Key permissions dropdown, select the "Decrypt", "Sign", "Get" and "UnwrapKey" permissions
  6. Save the changes

Authorize the application to use the key or secret

If you want to authorize the same application to read secrets in your vault, run the following:

Set-AzureRmKeyVaultAccessPolicy -VaultName 'yourKeyVaultName' -ServicePrincipalName ClientId -PermissionsToSecrets Get

The ClientId is generated when you register the application in Azure.
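As an added example (not part of the original answers), the following AzureRM PowerShell script checks which access policy entry the vault holds for the app's service principal before granting anything, and grants only the "get" secret permission if it is missing, since GetSecretAsync needs a secret permission rather than the key permissions (decrypt, sign, ...) from the first command. It assumes the AzureRM module and an existing Login-AzureRmAccount session; $VaultName and $ClientId are placeholders you supply.

```powershell
# Added example, not from the original answers. Assumes the AzureRM module and an active
# Login-AzureRmAccount session. $VaultName / $ClientId are placeholders for your own values.
param(
    [Parameter(Mandatory)] [string] $VaultName,
    [Parameter(Mandatory)] [string] $ClientId   # application (client) id of the registered app
)

$vault = Get-AzureRmKeyVault -VaultName $VaultName
if (-not $vault) { throw "Key Vault '$VaultName' not found in the current subscription." }

# Access policies are keyed on the service principal's object id, not on the client id.
$sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $ClientId
if (-not $sp) { throw "No service principal found for client id $ClientId." }

# Look for an existing policy entry for this principal.
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }

if ($policy) {
    "Existing policy for $($sp.DisplayName):"
    "  keys:    $($policy.PermissionsToKeys -join ',')"
    "  secrets: $($policy.PermissionsToSecrets -join ',')"
} else {
    "No access policy entry for $($sp.DisplayName) ($($sp.Id)); GetSecretAsync will be denied."
}

# Reading a secret requires the 'get' secret permission; key permissions alone do not cover it.
$hasSecretGet = $policy -and ($policy.PermissionsToSecrets -contains 'get')
if (-not $hasSecretGet) {
    # Grant the minimum needed to read secrets. -PermissionsToSecrets replaces the secret
    # permission list for this principal; other permission categories are left as they are.
    Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $sp.Id -PermissionsToSecrets get
    "Granted 'get' on secrets to $($sp.DisplayName)."
} else {
    "Principal already has 'get' on secrets; check the vault firewall rules instead."
}
```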

The question does specify using the Azure portal; I have documented creating a service principal for Key Vault access here.

Specifically, from step 2:

Open the Key Vault in the Azure Portal and select the Access policies blade under Settings. Click Add New and click on Select principal - you'll have to enter the full name of the registered app you created in the previous step in the search box before it'll show up, at which point you'll be able to select it.

You can either select an appropriate template from the top dropdown or choose Key, Secret or Certificate permissions manually. Don't worry about Authorized application at this stage.

IMPORTANT: pressing the OK button will add your new policy to the list, but it will not be saved! Be sure to click Save before continuing.

Accessing Key Vault from .NET code

Azure settings:

App Service:
  1. Enable MSI (Managed Service Identity): ON

Key Vault:
  1. Open the Key Vault
  2. Select the Access policies blade from the Key Vault resource
  3. Click the [+ Add new] button at the top of the blade
  4. Click Select Principal to select the application you created earlier (the App Service)

.NET code to read a Key Vault secret:

    using Microsoft.Azure.KeyVault;
    using Microsoft.Azure.Services.AppAuthentication;

    // Token callback backed by the App Service's managed identity (MSI); no app secret is stored in the code.
    var azureServiceTokenProvider = new AzureServiceTokenProvider();
    var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
    var secret = keyVaultClient.GetSecretAsync("https://test.vault.azure.net/", "clientid").Result.Value;

I ran into the same problem; I added my IP address under the Key Vault firewall.