使用来自 Linux 的证书向 Azure 进行身份验证
Authenticate to Azure with certificate from Linux
我正在尝试使用 Az 模块从 Powershell Core 脚本登录到 Azure。
这需要使用上传到 Azure 的自签名证书。
我尝试使用以下方法创建证书:
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout /etc/ssl/private/key.pem -out /etc/ssl/private/cert.pem -subj "/C=LV/ST=Some-State/L=LV/O=IT/OU=IT"
并使用指纹登录,但 Powershell 给我这个错误:
Connect-AzAccount : Unix LocalMachine X509Store is limited to the Root and CertificateAuthority stores.
不确定这是什么意思。
问题类似于这个问题https://github.com/Azure/azure-powershell/issues/8658
但不确定如何解释那里的答案。没有证书经验,Linux.
经验有限
为了回答我自己的问题,我终于有点明白了。步骤:
#create certs
openssl req -new -x509 -newkey rsa:2048 -keyout localhost.key -out localhost.cer -days 365 -subj /CN=localhost
#create pfx
openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.cer
#You will need to specify some password for it
#Now use the generated cer file and import it in your Azure portal, AzureAD->app registrations->your created SP->Certificates and secrets. Can also use powershell to do this.
#import the PFX to your machines cert store
$StoreName = [System.Security.Cryptography.X509Certificates.StoreName]::My
$StoreLocation = [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser
$Store = [System.Security.Cryptography.X509Certificates.X509Store]::new($StoreName, $StoreLocation)
$Flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$Certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new("path to your pfx","the pfx password you specified on step 2",$Flag)
$Store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$Store.Add($Certificate)
$Store.Close()
$tenantId = 'look in your azure portal'
$appId = 'app id of the service principal you created, look in your azure portal'
$thumbprint = $certificate.thumbprint
Connect-AzAccount -ApplicationId $appId -Tenant $tenantId -CertificateThumbprint $thumbprint
就是这样,您将使用 Powershell Core 从 Linux 机器或 Docker 自动、非交互地连接到您的 Azure 租户,并且可以执行您的 SP 角色允许的所有命令。您可以重新使用 PFX 文件,只是第一次是手动的,之后将其托管在某个地方并使用 curl 或类似的脚本加载它。
注意:我不太了解证书以及所有这些可能带来的安全隐患,使用风险自负。
我正在尝试使用 Az 模块从 Powershell Core 脚本登录到 Azure。 这需要使用上传到 Azure 的自签名证书。
我尝试使用以下方法创建证书:
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout /etc/ssl/private/key.pem -out /etc/ssl/private/cert.pem -subj "/C=LV/ST=Some-State/L=LV/O=IT/OU=IT"
并使用指纹登录,但 Powershell 给我这个错误:
Connect-AzAccount : Unix LocalMachine X509Store is limited to the Root and CertificateAuthority stores.
不确定这是什么意思。
问题类似于这个问题https://github.com/Azure/azure-powershell/issues/8658
但不确定如何解释那里的答案。没有证书经验,Linux.
经验有限为了回答我自己的问题,我终于有点明白了。步骤:
#create certs
openssl req -new -x509 -newkey rsa:2048 -keyout localhost.key -out localhost.cer -days 365 -subj /CN=localhost
#create pfx
openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.cer
#You will need to specify some password for it
#Now use the generated cer file and import it in your Azure portal, AzureAD->app registrations->your created SP->Certificates and secrets. Can also use powershell to do this.
#import the PFX to your machines cert store
$StoreName = [System.Security.Cryptography.X509Certificates.StoreName]::My
$StoreLocation = [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser
$Store = [System.Security.Cryptography.X509Certificates.X509Store]::new($StoreName, $StoreLocation)
$Flag = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$Certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new("path to your pfx","the pfx password you specified on step 2",$Flag)
$Store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$Store.Add($Certificate)
$Store.Close()
$tenantId = 'look in your azure portal'
$appId = 'app id of the service principal you created, look in your azure portal'
$thumbprint = $certificate.thumbprint
Connect-AzAccount -ApplicationId $appId -Tenant $tenantId -CertificateThumbprint $thumbprint
就是这样,您将使用 Powershell Core 从 Linux 机器或 Docker 自动、非交互地连接到您的 Azure 租户,并且可以执行您的 SP 角色允许的所有命令。您可以重新使用 PFX 文件,只是第一次是手动的,之后将其托管在某个地方并使用 curl 或类似的脚本加载它。
注意:我不太了解证书以及所有这些可能带来的安全隐患,使用风险自负。