Azure Key Vault .NET Core 3.1 Web API 无法访问机密
Azure Key Vault .NET Core 3.1 Web API Can't Access Secrets
我有一个 .NET Core 3.1 Web API 项目,我试图在其中连接 Azure App Config。我让它在其他几个 .NET Framework 项目中工作得很好,但是当我尝试在 Core 3.1 项目中实现它时,如果 App Cong only[,我能够从 App Config 读取未加密的值=25=] 包含未加密的值,但只要我的 App Config 包含 any 对 any Azure Key Vault 机密的引用,就会出现异常。
到目前为止,我只是通过 API 解决方案中的单元测试项目来证明这一点。这是代码:
namespace WebApi.Test.Integration.Settings
{
public abstract class SettingsTestBase
{
protected SettingsTestBase()
{
Environment.SetEnvironmentVariable("Azure_Tenant_Id", "my-tenant-id");
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
}
}
public class SettingsTests : SettingsTestBase
{
[Fact]
public void SettingsRequest_ReturnsValidSettings()
{
var config = GetConfiguration("https://my.keyvault.url.net");
var setting = config["my-keyvaultvalue-v1"] ?? "Hello world!";
Assert.NotNull(setting);
Assert.NotEqual(string.Empty, setting);
Assert.NotEqual("Hello world!", setting);
}
private IConfigurationRoot GetConfiguration(string uri)
{
var azureCred = new DefaultAzureCredential();
var chainedCred = new ChainedTokenCredential(azureCred);
var builder = new ConfigurationBuilder();
//The optional:true parameter for AddAzureAppConfiguration does not work, as of AzureAppConfiguration 3.0.1,
//specifically for the KeyVaultReferenceException we're experiencing. However, this would only gracefully not
//load our key vault secrets, not solve the problem we're having with retrieving secrets.
//https://github.com/Azure/AppConfiguration-DotnetProvider/issues/136
builder.AddAzureAppConfiguration(options =>
options.Connect(new Uri(uri), chainedCred), optional: true);
var config = builder.Build();
return config;
}
}
}
我目前包含的包:
Azure.Identity -v 1.1.1
Microsoft.Azure.KeyVault -v 3.0.5
Microsoft.Azure.Services.AppAuthentication -v 1.5.0
Microsoft.Extensions.Configuration.AzureAppConfiguration -v 3.0.1
Microsoft.Extensions.Configuration.AzureKeyVault -v 3.1.5
这是我 运行 测试时得到的结果:
WebApi.Test.Integration.Settings.SettingsTests.SettingsRequest_ReturnsValidSettings
Source: SettingsTests.cs
Duration: 5 sec
Message:
Microsoft.Extensions.Configuration.AzureAppConfiguration.KeyVaultReferenceException : No key vault credential configured and no matching secret client could be found.. ErrorCode:, Key:my-keyvaultsecretvalue-v1, Label:, Etag:xxxxxxxxxxxxxxxxxxxxxxxxx, SecretIdentifier:https://my.keyvault.url.net/secrets/my-keyvaultsecretvalue-v1
---- System.UnauthorizedAccessException : No key vault credential configured and no matching secret client could be found.
Stack Trace:
AzureKeyVaultKeyValueAdapter.ProcessKeyValue(ConfigurationSetting setting, CancellationToken cancellationToken)
AzureAppConfigurationProvider.ProcessAdapters(ConfigurationSetting setting, CancellationToken cancellationToken)
AzureAppConfigurationProvider.SetData(IDictionary`2 data, CancellationToken cancellationToken)
AzureAppConfigurationProvider.LoadAll(Boolean ignoreFailures)
AzureAppConfigurationProvider.Load()
ConfigurationRoot.ctor(IList`1 providers)
ConfigurationBuilder.Build()
SettingsTests.GetConfiguration(String uri) line 91
SettingsTests.SettingsRequest_ReturnsValidSettings() line 60
----- Inner Stack Trace -----
AzureKeyVaultSecretProvider.GetSecretValue(Uri secretUri, CancellationToken cancellationToken)
AzureKeyVaultKeyValueAdapter.ProcessKeyValue(ConfigurationSetting setting, CancellationToken cancellationToken)
未配置 Key Vault 访问。
试试打电话:
builder.AddAzureAppConfiguration(options =>
{
options.Connect(new Uri(uri), chainedCred);
options.ConfigureKeyVault(kv => kv.SetCredential(chainedCred));
}, optional: true);
chainedCred 需要针对有权访问引用的 Key Vault 的主体。
或者,如果您没有配置 Key Vault 的原因是您不想要机密,则需要设置 AzureAppConfiguration 选项,以便仅查询不引用 Key Vault 的设置。
我有一个 .NET Core 3.1 Web API 项目,我试图在其中连接 Azure App Config。我让它在其他几个 .NET Framework 项目中工作得很好,但是当我尝试在 Core 3.1 项目中实现它时,如果 App Cong only[,我能够从 App Config 读取未加密的值=25=] 包含未加密的值,但只要我的 App Config 包含 any 对 any Azure Key Vault 机密的引用,就会出现异常。
到目前为止,我只是通过 API 解决方案中的单元测试项目来证明这一点。这是代码:
namespace WebApi.Test.Integration.Settings
{
public abstract class SettingsTestBase
{
protected SettingsTestBase()
{
Environment.SetEnvironmentVariable("Azure_Tenant_Id", "my-tenant-id");
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
}
}
public class SettingsTests : SettingsTestBase
{
[Fact]
public void SettingsRequest_ReturnsValidSettings()
{
var config = GetConfiguration("https://my.keyvault.url.net");
var setting = config["my-keyvaultvalue-v1"] ?? "Hello world!";
Assert.NotNull(setting);
Assert.NotEqual(string.Empty, setting);
Assert.NotEqual("Hello world!", setting);
}
private IConfigurationRoot GetConfiguration(string uri)
{
var azureCred = new DefaultAzureCredential();
var chainedCred = new ChainedTokenCredential(azureCred);
var builder = new ConfigurationBuilder();
//The optional:true parameter for AddAzureAppConfiguration does not work, as of AzureAppConfiguration 3.0.1,
//specifically for the KeyVaultReferenceException we're experiencing. However, this would only gracefully not
//load our key vault secrets, not solve the problem we're having with retrieving secrets.
//https://github.com/Azure/AppConfiguration-DotnetProvider/issues/136
builder.AddAzureAppConfiguration(options =>
options.Connect(new Uri(uri), chainedCred), optional: true);
var config = builder.Build();
return config;
}
}
}
我目前包含的包:
Azure.Identity -v 1.1.1
Microsoft.Azure.KeyVault -v 3.0.5
Microsoft.Azure.Services.AppAuthentication -v 1.5.0
Microsoft.Extensions.Configuration.AzureAppConfiguration -v 3.0.1
Microsoft.Extensions.Configuration.AzureKeyVault -v 3.1.5
这是我 运行 测试时得到的结果:
WebApi.Test.Integration.Settings.SettingsTests.SettingsRequest_ReturnsValidSettings
Source: SettingsTests.cs
Duration: 5 sec
Message:
Microsoft.Extensions.Configuration.AzureAppConfiguration.KeyVaultReferenceException : No key vault credential configured and no matching secret client could be found.. ErrorCode:, Key:my-keyvaultsecretvalue-v1, Label:, Etag:xxxxxxxxxxxxxxxxxxxxxxxxx, SecretIdentifier:https://my.keyvault.url.net/secrets/my-keyvaultsecretvalue-v1
---- System.UnauthorizedAccessException : No key vault credential configured and no matching secret client could be found.
Stack Trace:
AzureKeyVaultKeyValueAdapter.ProcessKeyValue(ConfigurationSetting setting, CancellationToken cancellationToken)
AzureAppConfigurationProvider.ProcessAdapters(ConfigurationSetting setting, CancellationToken cancellationToken)
AzureAppConfigurationProvider.SetData(IDictionary`2 data, CancellationToken cancellationToken)
AzureAppConfigurationProvider.LoadAll(Boolean ignoreFailures)
AzureAppConfigurationProvider.Load()
ConfigurationRoot.ctor(IList`1 providers)
ConfigurationBuilder.Build()
SettingsTests.GetConfiguration(String uri) line 91
SettingsTests.SettingsRequest_ReturnsValidSettings() line 60
----- Inner Stack Trace -----
AzureKeyVaultSecretProvider.GetSecretValue(Uri secretUri, CancellationToken cancellationToken)
AzureKeyVaultKeyValueAdapter.ProcessKeyValue(ConfigurationSetting setting, CancellationToken cancellationToken)
未配置 Key Vault 访问。
试试打电话:
builder.AddAzureAppConfiguration(options =>
{
options.Connect(new Uri(uri), chainedCred);
options.ConfigureKeyVault(kv => kv.SetCredential(chainedCred));
}, optional: true);
chainedCred 需要针对有权访问引用的 Key Vault 的主体。
或者,如果您没有配置 Key Vault 的原因是您不想要机密,则需要设置 AzureAppConfiguration 选项,以便仅查询不引用 Key Vault 的设置。