How to access Azure Key Vault from a dockerized ASP.NET Core app using managed identity
I am creating an ASP.NET Core web app. In Visual Studio I have no problem getting to Azure Key Vault with managed identity using the following code.
using Microsoft.AspNetCore.Hosting;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.Configuration.AzureKeyVault;
using Microsoft.Extensions.Hosting;

public static IHostBuilder CreateHostBuilder(string[] args) =>
    Host.CreateDefaultBuilder(args)
        .ConfigureAppConfiguration((context, config) =>
        {
            // AzureServiceTokenProvider tries MSI, then Visual Studio, then the Azure CLI
            config.AddAzureKeyVault(new AzureKeyVaultConfigurationOptions
            {
                Vault = "https://testvaultXYZ.vault.azure.net/",
                Client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(new AzureServiceTokenProvider().KeyVaultTokenCallback)),
            });
        })
        .ConfigureWebHostDefaults(webBuilder =>
        {
            webBuilder.UseStartup<Startup>();
        });
Now I have added Docker/container support to this app, and when I run it in a local container the code above gives the following error:
Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: 'Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/xxxxxxxxxxx. Exception Message: Tried the following 3 methods to get an access token, but none of them worked.
Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/xxxxxxxxx. Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.
Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/xxxxxxxxxx. Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Environment variable LOCALAPPDATA not set.
Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/xxxxxxxxxxxx. Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. /bin/bash: az: No such file or directory
I understand that the user is different when running in a docker container. What is the solution here?
I saw some solutions that obtain an access token with the following command,
$Env:ACCESS_TOKEN=(az account get-access-token --resource=https://testvaultXYZ.vault.azure.net | ConvertFrom-Json).accessToken
but here too I get an error like
Get Token request returned http error: 400 and server response: {"error":"invalid_resource","error_description":"AADSTS500011: The resource principal named https://testvaultXYZ.vault.azure.net was not found in the tenant named XXXXXXX. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant.
Workaround to use get-access-token:
- Make sure you are logged in to the Azure CLI: just run the command
az account get-access-token ...
in a terminal and check that you are able to get a token; are you using the correct tenant and subscription?
- Save the result to an environment variable in the terminal session
- Pass this variable as an environment variable to the
docker run --env KVTOKEN=$Env ...
command
- Don't forget to read this variable in the app and pass it to the
KeyVaultClient
constructor:
var token = Environment.GetEnvironmentVariable("KVTOKEN");
// AuthenticationCallback returns Task<string>, so the fixed token must be wrapped in Task.FromResult
KeyVaultClient kvclient = string.IsNullOrEmpty(token)
    ? new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(new AzureServiceTokenProvider().KeyVaultTokenCallback))
    : new KeyVaultClient((authority, resource, scope) => Task.FromResult(token));
It should be: az account get-access-token --resource=https://vault.azure.net. Then you get an access token you can use :) This worked for me.
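The two answers above combine into the following added example (my code, not from either answer or the question). It keeps the KVTOKEN fallback, but refuses it in Production and sanity-checks the token's audience and expiry first, so a token requested for the wrong resource fails at startup with a clear message rather than as a 401 from the vault. KeyVaultClientFactory and CheckAudienceAndExpiry are hypothetical names.

```csharp
using System;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.Hosting;

// Hypothetical helper (added example, not from the answer). Same idea as the answer's
// KVTOKEN fallback, with two guards: the shortcut is refused in Production, and the
// token is sanity-checked before the container trusts it.
public static class KeyVaultClientFactory
{
    // Audience Key Vault expects; the vault's own URL is not a valid resource (AADSTS500011).
    private const string KeyVaultResource = "https://vault.azure.net";

    public static KeyVaultClient Create(IHostEnvironment env)
    {
        var token = Environment.GetEnvironmentVariable("KVTOKEN");
        if (!env.IsProduction() && !string.IsNullOrEmpty(token))
        {
            CheckAudienceAndExpiry(token);
            // AuthenticationCallback returns Task<string>, hence Task.FromResult.
            return new KeyVaultClient((authority, resource, scope) => Task.FromResult(token));
        }
        // Normal path: MSI in Azure, Visual Studio / az login on a developer machine.
        var provider = new AzureServiceTokenProvider();
        return new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(provider.KeyVaultTokenCallback));
    }

    // Decodes the payload only (no signature check; Key Vault verifies the signature)
    // so a wrong-audience or expired token fails at startup with a clear message
    // instead of as an opaque 401 from the vault.
    public static void CheckAudienceAndExpiry(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new InvalidOperationException("KVTOKEN is not a JWT");
        var b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(b64)));
        var aud = doc.RootElement.GetProperty("aud").GetString()?.TrimEnd('/');
        if (!string.Equals(aud, KeyVaultResource, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException($"KVTOKEN audience '{aud}' is not {KeyVaultResource}");
        var exp = DateTimeOffset.FromUnixTimeSeconds(doc.RootElement.GetProperty("exp").GetInt64());
        if (exp <= DateTimeOffset.UtcNow)
            throw new InvalidOperationException($"KVTOKEN expired at {exp:u}; re-run az account get-access-token");
    }
}
```

Wire it in by setting Client = KeyVaultClientFactory.Create(context.HostingEnvironment) inside ConfigureAppConfiguration; the CLI token is a short-lived bearer credential, so it belongs in the local docker run session only, never in an image or a compose file.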