如何使用我在 Azure Active Directory 中创建的应用程序注册本地创建的应用程序?
How do I register my application locally created with one I created in Azure Active Directory?
我按照此处的说明学习 AzureKeyVault 配置设置
Key Vault Configuration Provider sample application (ASP.NET Core 2.x)
This sample illustrates the use of the Azure Key Vault Configuration
Provider for ASP.NET Core 2.x. For the ASP.NET Core 1.x sample, see
Key Vault Configuration Provider sample application (ASP.NET Core
1.x).
For more information on how the sample works, see the Azure Key Vault
configuration provider topic.
Using the sample
Create a key vault and set up Azure Active Directory (Azure AD) for the application following the guidance in Get started with Azure Key
Vault.
- Add secrets to the key vault using the AzureRM Key Vault PowerShell Module available from the
PowerShell
Gallery,
the Azure Key Vault REST API, or the Azure
Portal. Secrets are created as either
Manual or Certificate secrets. Certificate secrets are certificates for use by apps and services but are not supported by the
configuration provider. You should use the Manual option to create
name-value pair secrets for use with the configuration provider.
- Simple secrets are created as name-value pairs. Azure Key Vault secret names are limited to alphanumeric characters and dashes.
- Hierarchical values (configuration sections) use
--
(two dashes) as a separator in the sample. Colons, which are normally used
to delimit a section from a subkey in ASP.NET Core
configuration, aren't allowed
in secret names. Therefore, two dashes are used and swapped for a
colon when the secrets are loaded into the app's configuration.
- Create two Manual secrets with the following name-value pairs. The first secret is a simple name and value, and the second
secret creates a secret value with a section and subkey in the secret
name:
SecretName
: secret_value_1
Section--SecretName
: secret_value_2
- Register the sample app with Azure Active Directory.
- Authorize the app to
access the key vault. When you use the
Set-AzureRmKeyVaultAccessPolicy
PowerShell cmdlet to authorize the
app to access the key vault, provide List
and Get
access to
secrets with -PermissionsToSecrets list,get
.
Update the app's appsettings.json file with the values of Vault
, ClientId
, and ClientSecret
.
- Run the sample app, which obtains its configuration values from
IConfigurationRoot
with the same name as the secret name. *
Non-hierarchical values: The value for SecretName
is obtained with
config["SecretName"]
. * Hierarchical values (sections): Use :
(colon) notation or the GetSection
extension method. Use either of
these approaches to obtain the configuration value:
config["Section:SecretName"]
config.GetSection("Section")["SecretName"]
好的,我已将我的应用程序名称作为 'Enterprise Application' 复制到 Azure Active Directory 中。我在 Azure 中为我刚刚创建的 ADD 对象添加了 'Access policies' for 'get' 和 'list'。然而,当我尝试启动应用程序时,我在程序中遇到了这个错误:
Exception: {"error":"unauthorized_client","error_description":"AADSTS70001:
Application with identifier '(guid)' was not found in the directory ...(continues)
更新 8-4-18
好的,我发现 Azure 在本地 appsettings.json 中使用 'ClientId' 和 'ClientSecret' 连接到本教程中 Azure 注册的内容:https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal#log-in-as-the-application
- 我从 ADD 上的 applicationId 中获取 appsettings.json 中的 clientId 我使用 ADD>App Registrations>New
创建
- 我在我刚创建的应用程序上单击“添加”中的设置,并创建一个过期密钥以作为 ClientSecret 存储在 appsettings.json 中。
- 我将应用程序设置中的 'Vault' 更改为我命名的保管库。
- 我 运行 上面的 powershell 提供访问权限,或者在 ADD 中执行。
所以现在我得到一个更简单的错误:
'Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: 'Access denied''
我已尝试 运行在 Visual Studio 中以管理员身份登录。我在 Azure > 访问控制 > (IAM) > 将我的新应用程序设置为 Reader 中进行订阅。
所以你的 powershell 失败的原因是因为你试图分配一个 User Principal
- 一个用户 - 而实际上你想要一个 Service Principal
.
除了说当您使用 SDK 以服务主体身份登录时,您使用 Application/Service 主体的应用程序 ID(其相同的 ID)之外,我看不到您的 C# 支持更多。
服务主体就像本地目录中的用户一样,但您作为应用程序登录。
编辑:
我查看了您发布的示例并 运行 我自己查看了它,并且遇到了非常相似的问题。但是我已经开始工作了。步骤如下:
正在创建应用程序
- 创建已注册的应用程序。我通过 Azure 门户这样做
服务主体是自动创建的。记下
ApplicationId
.
- 在创建的应用程序上生成密钥凭据并记下它。
- 在应用程序中单击 link 到
Managed app in local directory
。这是服务主体,记下 ObjectId
创建密钥保管库
创建 KeyVault - 我使用 PowerShell 来完成此操作。 New-AzureRmKeyVault
将服务主体应用到 Key Vault。
Set-AzureRmKeyVaultAccessPolicy -VaultName <vault> -ResourceGroupName <ResourceGroupName> -ObjectId <Object Id of the Created Service Principal> -PermissionsToSecrets Get,List
运行 示例应用程序
在您的应用程序设置中遵循以下格式:
{
"Vault": <the name of your vault>,
"ClientId": <ApplicationId of the Registered Application>,
"ClientSecret": <Credential generated from the Registered Application>
}
这对我有用,让我可以 运行 样本并从保险库中检索秘密。
对我来说,最终的问题是 运行 'Set-AzureRmKeyVaultAccessPolicy' 是不需要的,无论出于何种原因,忽略它并遵循本小节更容易:https://azure.microsoft.com/documentation/articles/key-vault-get-started/#authorize
我一直在尝试设置对象 ID 和键,实际上我只是忽略了提到 'ServerPrincipalName'
的部分
他们为键设置了一个 commandlet
Set-AzureRmKeyVaultAccessPolicy -VaultName '<vaultName>' -ServicePrincipalName <ApplicationIdGuid> -PermissionsToKeys decrypt,sign
他们为机密设置了一个命令行开关
Set-AzureRmKeyVaultAccessPolicy -VaultName '<vaultName>' -ServicePrincipalName <ApplicationIdGuid> -PermissionsToSecrets Get, List
但我决定按照直接进行的部分在门户中完成所有操作。对我来说,关键是说明没有错。只是含糊地说:"Register a sample app" 然后 "Authorize the App"。他们真的应该说
Register a sample app (https://docs.microsoft.com/en-us/azure/key-vault/key-vault-get-started#register)
Authorize the app with Key Vault (https://azure.microsoft.com/documentation/articles/key-vault-get-started/#authorize)
最终所有信息都在那里,如果您碰巧已经拥有一个保险库和一个应用程序并且不了解先决条件是您确实需要一个 1. 一个保险库,2. 一个 ADD,那只会让人感到困惑Web 应用程序,3。二合一的关联权限。
我按照此处的说明学习 AzureKeyVault 配置设置
Key Vault Configuration Provider sample application (ASP.NET Core 2.x)
This sample illustrates the use of the Azure Key Vault Configuration Provider for ASP.NET Core 2.x. For the ASP.NET Core 1.x sample, see Key Vault Configuration Provider sample application (ASP.NET Core 1.x).
For more information on how the sample works, see the Azure Key Vault configuration provider topic.
Using the sample
Create a key vault and set up Azure Active Directory (Azure AD) for the application following the guidance in Get started with Azure Key Vault.
- Add secrets to the key vault using the AzureRM Key Vault PowerShell Module available from the PowerShell Gallery, the Azure Key Vault REST API, or the Azure Portal. Secrets are created as either Manual or Certificate secrets. Certificate secrets are certificates for use by apps and services but are not supported by the configuration provider. You should use the Manual option to create name-value pair secrets for use with the configuration provider.
- Simple secrets are created as name-value pairs. Azure Key Vault secret names are limited to alphanumeric characters and dashes.
- Hierarchical values (configuration sections) use
--
(two dashes) as a separator in the sample. Colons, which are normally used to delimit a section from a subkey in ASP.NET Core configuration, aren't allowed in secret names. Therefore, two dashes are used and swapped for a colon when the secrets are loaded into the app's configuration.- Create two Manual secrets with the following name-value pairs. The first secret is a simple name and value, and the second secret creates a secret value with a section and subkey in the secret name:
SecretName
:secret_value_1
Section--SecretName
:secret_value_2
- Register the sample app with Azure Active Directory.
- Authorize the app to access the key vault. When you use the
Set-AzureRmKeyVaultAccessPolicy
PowerShell cmdlet to authorize the app to access the key vault, provideList
andGet
access to secrets with-PermissionsToSecrets list,get
.Update the app's appsettings.json file with the values of
Vault
,ClientId
, andClientSecret
.- Run the sample app, which obtains its configuration values from
IConfigurationRoot
with the same name as the secret name. * Non-hierarchical values: The value forSecretName
is obtained withconfig["SecretName"]
. * Hierarchical values (sections): Use:
(colon) notation or theGetSection
extension method. Use either of these approaches to obtain the configuration value:
config["Section:SecretName"]
config.GetSection("Section")["SecretName"]
好的,我已将我的应用程序名称作为 'Enterprise Application' 复制到 Azure Active Directory 中。我在 Azure 中为我刚刚创建的 ADD 对象添加了 'Access policies' for 'get' 和 'list'。然而,当我尝试启动应用程序时,我在程序中遇到了这个错误:
Exception: {"error":"unauthorized_client","error_description":"AADSTS70001:
Application with identifier '(guid)' was not found in the directory ...(continues)
更新 8-4-18 好的,我发现 Azure 在本地 appsettings.json 中使用 'ClientId' 和 'ClientSecret' 连接到本教程中 Azure 注册的内容:https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal#log-in-as-the-application
- 我从 ADD 上的 applicationId 中获取 appsettings.json 中的 clientId 我使用 ADD>App Registrations>New 创建
- 我在我刚创建的应用程序上单击“添加”中的设置,并创建一个过期密钥以作为 ClientSecret 存储在 appsettings.json 中。
- 我将应用程序设置中的 'Vault' 更改为我命名的保管库。
- 我 运行 上面的 powershell 提供访问权限,或者在 ADD 中执行。
所以现在我得到一个更简单的错误:
'Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: 'Access denied''
我已尝试 运行在 Visual Studio 中以管理员身份登录。我在 Azure > 访问控制 > (IAM) > 将我的新应用程序设置为 Reader 中进行订阅。
所以你的 powershell 失败的原因是因为你试图分配一个 User Principal
- 一个用户 - 而实际上你想要一个 Service Principal
.
除了说当您使用 SDK 以服务主体身份登录时,您使用 Application/Service 主体的应用程序 ID(其相同的 ID)之外,我看不到您的 C# 支持更多。
服务主体就像本地目录中的用户一样,但您作为应用程序登录。
编辑:
我查看了您发布的示例并 运行 我自己查看了它,并且遇到了非常相似的问题。但是我已经开始工作了。步骤如下:
正在创建应用程序
- 创建已注册的应用程序。我通过 Azure 门户这样做
服务主体是自动创建的。记下
ApplicationId
. - 在创建的应用程序上生成密钥凭据并记下它。
- 在应用程序中单击 link 到
Managed app in local directory
。这是服务主体,记下ObjectId
创建密钥保管库
创建 KeyVault - 我使用 PowerShell 来完成此操作。
New-AzureRmKeyVault
将服务主体应用到 Key Vault。
Set-AzureRmKeyVaultAccessPolicy -VaultName <vault> -ResourceGroupName <ResourceGroupName> -ObjectId <Object Id of the Created Service Principal> -PermissionsToSecrets Get,List
运行 示例应用程序
在您的应用程序设置中遵循以下格式:
{
"Vault": <the name of your vault>,
"ClientId": <ApplicationId of the Registered Application>,
"ClientSecret": <Credential generated from the Registered Application>
}
这对我有用,让我可以 运行 样本并从保险库中检索秘密。
对我来说,最终的问题是 运行 'Set-AzureRmKeyVaultAccessPolicy' 是不需要的,无论出于何种原因,忽略它并遵循本小节更容易:https://azure.microsoft.com/documentation/articles/key-vault-get-started/#authorize
我一直在尝试设置对象 ID 和键,实际上我只是忽略了提到 'ServerPrincipalName'
的部分他们为键设置了一个 commandlet
Set-AzureRmKeyVaultAccessPolicy -VaultName '<vaultName>' -ServicePrincipalName <ApplicationIdGuid> -PermissionsToKeys decrypt,sign
他们为机密设置了一个命令行开关
Set-AzureRmKeyVaultAccessPolicy -VaultName '<vaultName>' -ServicePrincipalName <ApplicationIdGuid> -PermissionsToSecrets Get, List
但我决定按照直接进行的部分在门户中完成所有操作。对我来说,关键是说明没有错。只是含糊地说:"Register a sample app" 然后 "Authorize the App"。他们真的应该说
Register a sample app (https://docs.microsoft.com/en-us/azure/key-vault/key-vault-get-started#register) Authorize the app with Key Vault (https://azure.microsoft.com/documentation/articles/key-vault-get-started/#authorize)
最终所有信息都在那里,如果您碰巧已经拥有一个保险库和一个应用程序并且不了解先决条件是您确实需要一个 1. 一个保险库,2. 一个 ADD,那只会让人感到困惑Web 应用程序,3。二合一的关联权限。