使用 ms-rest-azure 通过 azure-keyvault 进行身份验证?
Use ms-rest-azure to authenticate with azure-keyvault?
我有一个节点项目,我正在使用这些库:
import { KeyVaultClient } from "azure-keyvault";
import * as msRestAzure from 'ms-rest-azure';
这是给他们的link:
https://www.npmjs.com/package/azure-keyvault
https://www.npmjs.com/package/ms-rest-azure
我正在尝试使用 azure-keyvault 在我的保管库中获取秘密。
let vaultClient = new KeyVaultClient(credentials);
vaultClient.getSecret(secretURI)
.then(function (result) {
CLogger.log("error", "Result: "+JSON.stringify(result));
return result.value.toString();
})
.catch(function (error) {
CLogger.log("error", "Error occurred while getting the secret "+secretName+": " + JSON.stringify(error));
throw "Error occurred while getting secret. Check log files" ;
})
我正在使用 ms-rest-azure 获取凭据(令牌)。这主要是因为我需要同时使用 ServicePrincipalSecret 和 MSI 登录。据我所知,adal 库不支持 MSI 登录。
import * as msRestAzure from 'ms-rest-azure';
msRestAzure.loginWithServicePrincipalSecret(clientID, clientKey, domainID)
而且我确实正确地获得了登录令牌:
{
"environment":{
"validateAuthority":true,
"name":"Azure",
"portalUrl":"https://portal.azure.com",
"publishingProfileUrl":"http://go.microsoft.com/fwlink/?LinkId=254432",
"managementEndpointUrl":"https://management.core.windows.net",
"resourceManagerEndpointUrl":"https://management.azure.com/",
"sqlManagementEndpointUrl":"https://management.core.windows.net:8443/",
"sqlServerHostnameSuffix":".database.windows.net",
"galleryEndpointUrl":"https://gallery.azure.com/",
"activeDirectoryEndpointUrl":"https://login.microsoftonline.com/",
"activeDirectoryResourceId":"https://management.core.windows.net/",
"activeDirectoryGraphResourceId":"https://graph.windows.net/",
"activeDirectoryGraphApiVersion":"2013-04-05",
"storageEndpointSuffix":".core.windows.net",
"keyVaultDnsSuffix":".vault.azure.net",
"azureDataLakeStoreFileSystemEndpointSuffix":"azuredatalakestore.net",
"azureDataLakeAnalyticsCatalogAndJobEndpointSuffix":"azuredatalakeanalytics.net"
},
"authorizationScheme":"Bearer",
"tokenCache":{
"_entries":[
{
"tokenType":"Bearer",
"expiresIn":3599,
"expiresOn":"2018-02-06T22:00:45.439Z",
"resource":"https://management.core.windows.net/",
"accessToken":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IlNT...",
"isMRRT":true,
"_clientId":"51dc31c8-27e7-4a05-9d6b-62c0710c2ad3",
"_authority":"https://login.microsoftonline.com/3a41ae53-fb35-4431-be7b-a0b3e1aee3c0"
}
]
},
"clientId":"51dc31c8-...",
"domain":"3a41ae53-...",
"secret":"k7JlWcPdpK...",
"context":{
"_authority":{
"_log":{
"_componentName":"Authority",
"_logContext":{
"correlationId":"ceb8d4fe-135c-48a3-8b19-f50310c026b9"
}
},
"_url":{
"protocol":"https:",
"slashes":true,
"auth":null,
"host":"login.microsoftonline.com",
"port":null,
"hostname":"login.microsoftonline.com",
"hash":null,
"search":null,
"query":null,
"pathname":"/3a41ae53-fb35-4431-be7b-a0b3e1aee3c0",
"path":"/3a41ae53-fb35-4431-be7b-a0b3e1aee3c0",
"href":"https://login.microsoftonline.com/3a41ae53-fb35-4431-be7b-a0b3e1aee3c0"
},
"_validated":true,
"_host":"login.microsoftonline.com",
"_tenant":"3a41ae53-fb35-4431-be7b-a0b3e1aee3c0",
"_authorizationEndpoint":null,
"_tokenEndpoint":"https://login.microsoftonline.com/3a41ae53-fb35-4431-be7b-a0b3e1aee3c0/oauth2/token",
"_deviceCodeEndpoint":"https://login.microsoftonline.com/3a41ae53-fb35-4431-be7b-a0b3e1aee3c0/oauth2/devicecode",
"_isAdfsAuthority":false,
"_callContext":{
"options":{
},
"_logContext":{
"correlationId":"ceb8d4fe-135c-48a3-8b19-f50310c026b9"
}
}
},
"_oauth2client":null,
"_correlationId":null,
"_callContext":{
"options":{
},
"_logContext":{
"correlationId":"ceb8d4fe-135c-48a3-8b19-f50310c026b9"
}
},
"_cache":{
"_entries":[
{
"tokenType":"Bearer",
"expiresIn":3599,
"expiresOn":"2018-02-06T22:00:45.439Z",
"resource":"https://management.core.windows.net/",
"accessToken":"eyJ0eXAiOiJKV1QiLCJhbGciOi...",
"isMRRT":true,
"_clientId":"51dc31c8-27e7-4a05-9d6b-62c0710c2ad3",
"_authority":"https://login.microsoftonline.com/3a41ae53-fb35-4431-be7b-a0b3e1aee3c0"
}
]
},
"_tokenRequestWithUserCode":{
}
}
}
但是我收到 401 错误,我做错了什么?
{
"statusCode":401,
"request":{
"rawResponse":false,
"queryString":{
},
"url":"https://myVault.vault.azure.net/secrets/mySecret/?api-version=2016-10-01",
"method":"GET",
"headers":{
"x-ms-client-request-id":"95251650-6fcc-467b-8cd7-a23bf22a7a3c",
"accept-language":"en-US",
"Content-Type":"application/json; charset=utf-8",
"user-agent":"Node/v6.11.2 (x64-Windows_NT-10.0.16299) ms-rest/2.3.0 ms-rest-azure/2.5.2 azure-keyvault/2.0.1-preview Azure-SDK-For-Node"
},
"body":null
},
"response":{
"body":"",
"headers":{
"cache-control":"no-cache",
"pragma":"no-cache",
"expires":"-1",
"server":"Microsoft-IIS/8.5",
"www-authenticate":"Bearer authorization=\"https://login.windows.net/3a41ae53-fb35-4431-be7b-a0b3e1aee3c0\", resource=\"https://vault.azure.net\"",
"x-ms-keyvault-region":"westus2",
"x-ms-request-id":"75929ac8-f1ed-441d-9ed0-82ab23c86be5",
"x-ms-keyvault-service-version":"1.0.0.839",
"x-aspnet-version":"4.0.30319",
"x-powered-by":"ASP.NET",
"strict-transport-security":"max-age=31536000;includeSubDomains",
"x-content-type-options":"nosniff",
"date":"Tue, 06 Feb 2018 21:00:45 GMT",
"connection":"close",
"content-length":"0"
},
"statusCode":401
}
}
在你的令牌中,资源是错误的。
您应该使用 https://vault.azure.net 而不是 https://management.core.windows.net/。
This is mainly because I need to both login using
ServicePrincipalSecret and MSI. As far as I can tell the adal library
doesn't support MSI login.
是的,msRestAzure.loginWithServicePrincipalSecret(clientID, clientKey, domainID) 不支持 MSI 登录,但您可以使用 msRestAzure.loginWithAppServiceMSI({resource: 'https://vault.azure.net'});
有关此内容的更多信息,请参阅此 link。
我有一个节点项目,我正在使用这些库:
import { KeyVaultClient } from "azure-keyvault";
import * as msRestAzure from 'ms-rest-azure';
这是给他们的link:
https://www.npmjs.com/package/azure-keyvault
https://www.npmjs.com/package/ms-rest-azure
我正在尝试使用 azure-keyvault 在我的保管库中获取秘密。
let vaultClient = new KeyVaultClient(credentials);
vaultClient.getSecret(secretURI)
.then(function (result) {
CLogger.log("error", "Result: "+JSON.stringify(result));
return result.value.toString();
})
.catch(function (error) {
CLogger.log("error", "Error occurred while getting the secret "+secretName+": " + JSON.stringify(error));
throw "Error occurred while getting secret. Check log files" ;
})
我正在使用 ms-rest-azure 获取凭据(令牌)。这主要是因为我需要同时使用 ServicePrincipalSecret 和 MSI 登录。据我所知,adal 库不支持 MSI 登录。
import * as msRestAzure from 'ms-rest-azure';
msRestAzure.loginWithServicePrincipalSecret(clientID, clientKey, domainID)
而且我确实正确地获得了登录令牌:
{
"environment":{
"validateAuthority":true,
"name":"Azure",
"portalUrl":"https://portal.azure.com",
"publishingProfileUrl":"http://go.microsoft.com/fwlink/?LinkId=254432",
"managementEndpointUrl":"https://management.core.windows.net",
"resourceManagerEndpointUrl":"https://management.azure.com/",
"sqlManagementEndpointUrl":"https://management.core.windows.net:8443/",
"sqlServerHostnameSuffix":".database.windows.net",
"galleryEndpointUrl":"https://gallery.azure.com/",
"activeDirectoryEndpointUrl":"https://login.microsoftonline.com/",
"activeDirectoryResourceId":"https://management.core.windows.net/",
"activeDirectoryGraphResourceId":"https://graph.windows.net/",
"activeDirectoryGraphApiVersion":"2013-04-05",
"storageEndpointSuffix":".core.windows.net",
"keyVaultDnsSuffix":".vault.azure.net",
"azureDataLakeStoreFileSystemEndpointSuffix":"azuredatalakestore.net",
"azureDataLakeAnalyticsCatalogAndJobEndpointSuffix":"azuredatalakeanalytics.net"
},
"authorizationScheme":"Bearer",
"tokenCache":{
"_entries":[
{
"tokenType":"Bearer",
"expiresIn":3599,
"expiresOn":"2018-02-06T22:00:45.439Z",
"resource":"https://management.core.windows.net/",
"accessToken":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IlNT...",
"isMRRT":true,
"_clientId":"51dc31c8-27e7-4a05-9d6b-62c0710c2ad3",
"_authority":"https://login.microsoftonline.com/3a41ae53-fb35-4431-be7b-a0b3e1aee3c0"
}
]
},
"clientId":"51dc31c8-...",
"domain":"3a41ae53-...",
"secret":"k7JlWcPdpK...",
"context":{
"_authority":{
"_log":{
"_componentName":"Authority",
"_logContext":{
"correlationId":"ceb8d4fe-135c-48a3-8b19-f50310c026b9"
}
},
"_url":{
"protocol":"https:",
"slashes":true,
"auth":null,
"host":"login.microsoftonline.com",
"port":null,
"hostname":"login.microsoftonline.com",
"hash":null,
"search":null,
"query":null,
"pathname":"/3a41ae53-fb35-4431-be7b-a0b3e1aee3c0",
"path":"/3a41ae53-fb35-4431-be7b-a0b3e1aee3c0",
"href":"https://login.microsoftonline.com/3a41ae53-fb35-4431-be7b-a0b3e1aee3c0"
},
"_validated":true,
"_host":"login.microsoftonline.com",
"_tenant":"3a41ae53-fb35-4431-be7b-a0b3e1aee3c0",
"_authorizationEndpoint":null,
"_tokenEndpoint":"https://login.microsoftonline.com/3a41ae53-fb35-4431-be7b-a0b3e1aee3c0/oauth2/token",
"_deviceCodeEndpoint":"https://login.microsoftonline.com/3a41ae53-fb35-4431-be7b-a0b3e1aee3c0/oauth2/devicecode",
"_isAdfsAuthority":false,
"_callContext":{
"options":{
},
"_logContext":{
"correlationId":"ceb8d4fe-135c-48a3-8b19-f50310c026b9"
}
}
},
"_oauth2client":null,
"_correlationId":null,
"_callContext":{
"options":{
},
"_logContext":{
"correlationId":"ceb8d4fe-135c-48a3-8b19-f50310c026b9"
}
},
"_cache":{
"_entries":[
{
"tokenType":"Bearer",
"expiresIn":3599,
"expiresOn":"2018-02-06T22:00:45.439Z",
"resource":"https://management.core.windows.net/",
"accessToken":"eyJ0eXAiOiJKV1QiLCJhbGciOi...",
"isMRRT":true,
"_clientId":"51dc31c8-27e7-4a05-9d6b-62c0710c2ad3",
"_authority":"https://login.microsoftonline.com/3a41ae53-fb35-4431-be7b-a0b3e1aee3c0"
}
]
},
"_tokenRequestWithUserCode":{
}
}
}
但是我收到 401 错误,我做错了什么?
{
"statusCode":401,
"request":{
"rawResponse":false,
"queryString":{
},
"url":"https://myVault.vault.azure.net/secrets/mySecret/?api-version=2016-10-01",
"method":"GET",
"headers":{
"x-ms-client-request-id":"95251650-6fcc-467b-8cd7-a23bf22a7a3c",
"accept-language":"en-US",
"Content-Type":"application/json; charset=utf-8",
"user-agent":"Node/v6.11.2 (x64-Windows_NT-10.0.16299) ms-rest/2.3.0 ms-rest-azure/2.5.2 azure-keyvault/2.0.1-preview Azure-SDK-For-Node"
},
"body":null
},
"response":{
"body":"",
"headers":{
"cache-control":"no-cache",
"pragma":"no-cache",
"expires":"-1",
"server":"Microsoft-IIS/8.5",
"www-authenticate":"Bearer authorization=\"https://login.windows.net/3a41ae53-fb35-4431-be7b-a0b3e1aee3c0\", resource=\"https://vault.azure.net\"",
"x-ms-keyvault-region":"westus2",
"x-ms-request-id":"75929ac8-f1ed-441d-9ed0-82ab23c86be5",
"x-ms-keyvault-service-version":"1.0.0.839",
"x-aspnet-version":"4.0.30319",
"x-powered-by":"ASP.NET",
"strict-transport-security":"max-age=31536000;includeSubDomains",
"x-content-type-options":"nosniff",
"date":"Tue, 06 Feb 2018 21:00:45 GMT",
"connection":"close",
"content-length":"0"
},
"statusCode":401
}
}
在你的令牌中,资源是错误的。
您应该使用 https://vault.azure.net 而不是 https://management.core.windows.net/。
This is mainly because I need to both login using ServicePrincipalSecret and MSI. As far as I can tell the adal library doesn't support MSI login.
是的,msRestAzure.loginWithServicePrincipalSecret(clientID, clientKey, domainID) 不支持 MSI 登录,但您可以使用 msRestAzure.loginWithAppServiceMSI({resource: 'https://vault.azure.net'});
有关此内容的更多信息,请参阅此 link。