Visual Studio 中的 .NET Core 3.1 Docker 访问 Azure Key Vault
.NET Core 3.1 Docker in Visual Studio accessing Azure Key Vault
我正在尝试 运行 在 Docker 本地 Visual Studio 中的 .NET Core 3.1 应用程序。应用程序需要访问 Azure Key Vault。
当我 运行 应用程序时,出现以下错误:
One or more errors occurred. (Parameters: Connection String: [No
connection string specified], Resource: https://vault.azure.net,
Authority:
https://login.windows.net/53d4d1e1-3360-4735-8aad-21c6155f528a.
Exception Message: Tried the following 3 methods to get an access
token, but none of them worked.
Parameters: Connection String: [No
connection string specified], Resource: https://vault.azure.net,
Authority:
https://login.windows.net/53d4d1e1-3360-4735-8aad-21c6155f528a.
Exception Message: Tried to get token using Managed Service Identity.
Access token could not be acquired. Connection refused
Parameters:
Connection String: [No connection string specified], Resource:
https://vault.azure.net, Authority:
https://login.windows.net/53d4d1e1-3360-4735-8aad-21c6155f528a.
Exception Message: Tried to get token using Visual Studio. Access
token could not be acquired. Environment variable LOCALAPPDATA not
set.
Parameters: Connection String: [No connection string specified],
Resource: https://vault.azure.net, Authority:
https://login.windows.net/53d4d1e1-3360-4735-8aad-21c6155f528a.
Exception Message: Tried to get token using Azure CLI. Access token
could not be acquired. /bin/bash: az: No such file or directory
注意:使用 IIS Express 效果很好!请帮忙! :D
使用 DefaultAzureCredential 验证 Azure 密钥保管库时,请设置所需的 environment variables。
在这个场景下,就是在Dockerfile中设置环境变量。
ENV AZURE_CLIENT_ID=<Your AZURE CLIENT ID>
ENV AZURE_CLIENT_SECRET=<Your CLIENT SECRET>
ENV AZURE_TENANT_ID=<Your TENANT ID>
为了避免被接受的答案(因为明显的安全问题),并简化和自动化 E. Staal's answer (on a duplicate question),我想到了这个:
更新您的 .gitignore
文件,在文件底部添加以下行:
appsettings.local.json
右键单击解决方案资源管理器中的项目,然后单击Properties
;在 Build Events
选项卡中,找到 Pre-build event command line
文本框并添加以下代码:
cd /d "$(ProjectDir)"
if exist "appsettings.local.json" del "appsettings.local.json"
if "$(ConfigurationName)" == "Debug" (
az account get-access-token --resource=https://vault.azure.net > appsettings.local.json
)
在您的 launchSettings.json
(或使用项目设置下的可视化编辑器)中配置以下值:
{
"profiles": {
// ...
"Docker": {
"commandName": "Docker",
"environmentVariables": {
"DOTNET_ENVIRONMENT": "Development",
"AZURE_TENANT_ID": "<YOUR-AZURE-TENANT-ID-HERE>"
}
}
}
}
在您的 Program.cs
文件中找到 CreateHostBuilder 方法并相应地更新 ConfigureAppConfiguration
块——这里以我的为例:
Host.CreateDefaultBuilder(args).ConfigureAppConfiguration
(
(ctx, cfg) =>
{
if (ctx.HostingEnvironment.IsDevelopment())
{
cfg.AddJsonFile("appsettings.local.json", true);
}
var builtConfig = cfg.Build();
var keyVault = builtConfig["KeyVault"];
if (!string.IsNullOrWhiteSpace(keyVault))
{
var accessToken = builtConfig["accessToken"];
cfg.AddAzureKeyVault
(
$"https://{keyVault}.vault.azure.net/",
new KeyVaultClient
(
string.IsNullOrWhiteSpace(accessToken)
? new KeyVaultClient.AuthenticationCallback
(
new AzureServiceTokenProvider().KeyVaultTokenCallback
)
: (x, y, z) => Task.FromResult(accessToken)
),
new DefaultKeyVaultSecretManager()
);
}
}
)
如果这仍然不起作用,请验证 az login
是否已执行并且 az account get-access-token --resource=https://vault.azure.net
是否对您正常工作。
我正在尝试 运行 在 Docker 本地 Visual Studio 中的 .NET Core 3.1 应用程序。应用程序需要访问 Azure Key Vault。
当我 运行 应用程序时,出现以下错误:
One or more errors occurred. (Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/53d4d1e1-3360-4735-8aad-21c6155f528a. Exception Message: Tried the following 3 methods to get an access token, but none of them worked.
Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/53d4d1e1-3360-4735-8aad-21c6155f528a. Exception Message: Tried to get token using Managed Service Identity. Access token could not be acquired. Connection refused
Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/53d4d1e1-3360-4735-8aad-21c6155f528a. Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Environment variable LOCALAPPDATA not set.
Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/53d4d1e1-3360-4735-8aad-21c6155f528a. Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. /bin/bash: az: No such file or directory
注意:使用 IIS Express 效果很好!请帮忙! :D
使用 DefaultAzureCredential 验证 Azure 密钥保管库时,请设置所需的 environment variables。
在这个场景下,就是在Dockerfile中设置环境变量。
ENV AZURE_CLIENT_ID=<Your AZURE CLIENT ID>
ENV AZURE_CLIENT_SECRET=<Your CLIENT SECRET>
ENV AZURE_TENANT_ID=<Your TENANT ID>
为了避免被接受的答案(因为明显的安全问题),并简化和自动化 E. Staal's answer (on a duplicate question),我想到了这个:
更新您的
.gitignore
文件,在文件底部添加以下行:appsettings.local.json
右键单击解决方案资源管理器中的项目,然后单击
Properties
;在Build Events
选项卡中,找到Pre-build event command line
文本框并添加以下代码:cd /d "$(ProjectDir)" if exist "appsettings.local.json" del "appsettings.local.json" if "$(ConfigurationName)" == "Debug" ( az account get-access-token --resource=https://vault.azure.net > appsettings.local.json )
在您的
launchSettings.json
(或使用项目设置下的可视化编辑器)中配置以下值:{ "profiles": { // ... "Docker": { "commandName": "Docker", "environmentVariables": { "DOTNET_ENVIRONMENT": "Development", "AZURE_TENANT_ID": "<YOUR-AZURE-TENANT-ID-HERE>" } } } }
在您的
Program.cs
文件中找到 CreateHostBuilder 方法并相应地更新ConfigureAppConfiguration
块——这里以我的为例:Host.CreateDefaultBuilder(args).ConfigureAppConfiguration ( (ctx, cfg) => { if (ctx.HostingEnvironment.IsDevelopment()) { cfg.AddJsonFile("appsettings.local.json", true); } var builtConfig = cfg.Build(); var keyVault = builtConfig["KeyVault"]; if (!string.IsNullOrWhiteSpace(keyVault)) { var accessToken = builtConfig["accessToken"]; cfg.AddAzureKeyVault ( $"https://{keyVault}.vault.azure.net/", new KeyVaultClient ( string.IsNullOrWhiteSpace(accessToken) ? new KeyVaultClient.AuthenticationCallback ( new AzureServiceTokenProvider().KeyVaultTokenCallback ) : (x, y, z) => Task.FromResult(accessToken) ), new DefaultKeyVaultSecretManager() ); } } )
如果这仍然不起作用,请验证 az login
是否已执行并且 az account get-access-token --resource=https://vault.azure.net
是否对您正常工作。