在 C# 中以编程方式将机密添加到 Key Vault
Programatically adding Secrets to Key Vault in C#
我正在尝试将我 运行 的服务的一些输出放在 Azure 的 Key Vault 中。我的服务的输出将是用户凭据,这就是为什么我想为此目的使用 Key Vault。
到目前为止,我已经尝试了 KeyVaultClient 的 SetSecretAsync 方法,但它对我不起作用,我没有收到任何错误消息,但是我也没有看到在我的目标 KeyVault 中创建的新机密。我无法找到 KeyVaultClient Add Secret 方法,因为它不存在,我在这里使用的是正确的 object/method 吗?
这里提到的方法是AddResult。
这是我的代码:
private static AzureKeyVault instance;
private static KeyVaultClient client;
private AzureKeyVault()
{
//initialize the azure key vault
var vaultAddress = ConfigurationManager.AppSettings["VaultUri"];
client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessToken));
}
public static async Task<string> GetAccessToken(string authority, string resource, string scope)
{
var clientId = ConfigurationManager.AppSettings["ClientID"];
var clientSecret = ConfigurationManager.AppSettings["ClientSecret"];
ClientCredential clientCredential = new ClientCredential(clientId, clientSecret);
var context = new AuthenticationContext(authority, TokenCache.DefaultShared);
var result = await context.AcquireTokenAsync(resource, clientCredential);
return result.AccessToken;
}
public static AzureKeyVault GetInstance
{
get
{
if (instance == null)
{
instance = new AzureKeyVault();
}
return instance;
}
}
public void AddResult(string machineIPAndPort, BruteForceResult result)
{
client.SetSecretAsync("https://vaultURI(redacted).vault.azure.net/", machineIPAndPort, JsonConvert.SerializeObject(result));
}
耐心等待(等待创作)。
// Let's create a secret and read it back
string vaultBaseUrl = "https://alice.vault.azure.net";
string secret = "from-NET-SDK";
// Await SetSecretAsync
KeyVaultClient keyclient = new KeyVaultClient(GetToken);
var result = keyclient.SetSecretAsync(vaultBaseUrl, secret, "Sup3eS3c5et").Result;
// Print indented JSON response
string prettyResult = JsonConvert.SerializeObject(result, Formatting.Indented);
Console.WriteLine($"SetSecretAsync completed: {prettyResult}\n");
// Read back secret
string secretUrl = $"{vaultBaseUrl}/secrets/{secret}";
var secretWeJustWroteTo = keyclient.GetSecretAsync(secretUrl).Result;
Console.WriteLine($"secret: {secretWeJustWroteTo.Id} = {secretWeJustWroteTo.Value}");
结果:
SetSecretAsync completed:
{
"SecretIdentifier":{
"BaseIdentifier":"https://alice.vault.azure.net:443/secrets/from-NET-SDK",
"Identifier":"https://alice.vault.azure.net:443/secrets/from-NET-SDK/59793...",
"Name":"from-NET-SDK",
"Vault":"https://alice.vault.azure.net:443",
"VaultWithoutScheme":"alice.vault.azure.net",
"Version":"597930b70565447d8ba9ba525a206a9e"
},
"value":"Sup3eS3c5et",
"id":"https://alice.vault.azure.net/secrets/from-NET-SDK/59...",
"contentType":null,
"attributes":{
"recoveryLevel":"Purgeable",
"enabled":true,
"nbf":null,
"exp":null,
"created":1508354384,
"updated":1508354384
},
"tags":null,
"kid":null,
"managed":null
}
secret: https://alice.vault.azure.net/secrets/from-NET-SDK/59793... = Sup3eS3c5et
你真正应该做的是重写AddResult()
:
public bool AddResult(string machineIPAndPort, BruteForceResult result)
{
await result = client.SetSecretAsync("https://vaultURI(redacted).vault.azure.net/",
machineIPAndPort, JsonConvert.SerializeObject(result));
return true;
}
也许可以将其包装在 try-catch
中并阅读自 以来的 InnerException
。例如,针对我无权访问的 Key Vault 发出请求会导致:
而且因为这是云,所以你要与 other mission critical traffic 进行激烈的竞争,事情会失败。
我正在尝试将我 运行 的服务的一些输出放在 Azure 的 Key Vault 中。我的服务的输出将是用户凭据,这就是为什么我想为此目的使用 Key Vault。
到目前为止,我已经尝试了 KeyVaultClient 的 SetSecretAsync 方法,但它对我不起作用,我没有收到任何错误消息,但是我也没有看到在我的目标 KeyVault 中创建的新机密。我无法找到 KeyVaultClient Add Secret 方法,因为它不存在,我在这里使用的是正确的 object/method 吗?
这里提到的方法是AddResult。
这是我的代码:
private static AzureKeyVault instance;
private static KeyVaultClient client;
private AzureKeyVault()
{
//initialize the azure key vault
var vaultAddress = ConfigurationManager.AppSettings["VaultUri"];
client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessToken));
}
public static async Task<string> GetAccessToken(string authority, string resource, string scope)
{
var clientId = ConfigurationManager.AppSettings["ClientID"];
var clientSecret = ConfigurationManager.AppSettings["ClientSecret"];
ClientCredential clientCredential = new ClientCredential(clientId, clientSecret);
var context = new AuthenticationContext(authority, TokenCache.DefaultShared);
var result = await context.AcquireTokenAsync(resource, clientCredential);
return result.AccessToken;
}
public static AzureKeyVault GetInstance
{
get
{
if (instance == null)
{
instance = new AzureKeyVault();
}
return instance;
}
}
public void AddResult(string machineIPAndPort, BruteForceResult result)
{
client.SetSecretAsync("https://vaultURI(redacted).vault.azure.net/", machineIPAndPort, JsonConvert.SerializeObject(result));
}
耐心等待(等待创作)。
// Let's create a secret and read it back
string vaultBaseUrl = "https://alice.vault.azure.net";
string secret = "from-NET-SDK";
// Await SetSecretAsync
KeyVaultClient keyclient = new KeyVaultClient(GetToken);
var result = keyclient.SetSecretAsync(vaultBaseUrl, secret, "Sup3eS3c5et").Result;
// Print indented JSON response
string prettyResult = JsonConvert.SerializeObject(result, Formatting.Indented);
Console.WriteLine($"SetSecretAsync completed: {prettyResult}\n");
// Read back secret
string secretUrl = $"{vaultBaseUrl}/secrets/{secret}";
var secretWeJustWroteTo = keyclient.GetSecretAsync(secretUrl).Result;
Console.WriteLine($"secret: {secretWeJustWroteTo.Id} = {secretWeJustWroteTo.Value}");
结果:
SetSecretAsync completed:
{
"SecretIdentifier":{
"BaseIdentifier":"https://alice.vault.azure.net:443/secrets/from-NET-SDK",
"Identifier":"https://alice.vault.azure.net:443/secrets/from-NET-SDK/59793...",
"Name":"from-NET-SDK",
"Vault":"https://alice.vault.azure.net:443",
"VaultWithoutScheme":"alice.vault.azure.net",
"Version":"597930b70565447d8ba9ba525a206a9e"
},
"value":"Sup3eS3c5et",
"id":"https://alice.vault.azure.net/secrets/from-NET-SDK/59...",
"contentType":null,
"attributes":{
"recoveryLevel":"Purgeable",
"enabled":true,
"nbf":null,
"exp":null,
"created":1508354384,
"updated":1508354384
},
"tags":null,
"kid":null,
"managed":null
}
secret: https://alice.vault.azure.net/secrets/from-NET-SDK/59793... = Sup3eS3c5et
你真正应该做的是重写AddResult()
:
public bool AddResult(string machineIPAndPort, BruteForceResult result)
{
await result = client.SetSecretAsync("https://vaultURI(redacted).vault.azure.net/",
machineIPAndPort, JsonConvert.SerializeObject(result));
return true;
}
也许可以将其包装在 try-catch
中并阅读自 InnerException
。例如,针对我无权访问的 Key Vault 发出请求会导致:
而且因为这是云,所以你要与 other mission critical traffic 进行激烈的竞争,事情会失败。