What is the better way to load Azure Key Vault Secrets in .Net Core?

We have stored connection string values in Azure Key Vault. I have read about two ways of getting secret values from my .NET Core application. One is to load all secrets into the ConfigurationManager with the following code:

using System;
using Azure.Identity;
using Microsoft.Extensions.Configuration;

var keyVaultUrl = builder.Configuration["KeyVaultUrl"];
builder.Host.ConfigureAppConfiguration(configBuilder => // renamed so it does not shadow the outer 'builder'
{
    // Adds every secret in the vault as a configuration key; values are read once at startup unless a ReloadInterval is set
    configBuilder.AddAzureKeyVault(new Uri(keyVaultUrl), new DefaultAzureCredential());
});

The other way is to use the following code to get the secret values:

using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

string keyVaultName = Environment.GetEnvironmentVariable("KEY_VAULT_NAME");
var kvUri = "https://" + keyVaultName + ".vault.azure.net";
string secretName = "MyConnectionString"; // placeholder: the name of the secret to fetch

var client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential());
var secret = await client.GetSecretAsync(secretName); // secret.Value.Value holds the secret text

and keep these values in a static class, to be used throughout the application whenever needed.

Which option is better for which situation?

Please also provide some input on reloading the secret values if they change.

I only have a few secrets in my application.

While both scenarios let you reuse the way values are retrieved, I do have a personal preference: use the first option.

A big advantage of this approach is that the values can be retrieved through IConfiguration. This means that in the rest of the application, developers don't even have to know where the values come from. They can get settings from IConfiguration, regardless of the source of the setting. With the second approach, the code that fetches values from Key Vault is still reusable, but developers need to know where to get the values from.

As far as reloading goes: have a look at the instance of AzureKeyVaultConfigurationOptions that gets passed in. This has a ReloadInterval property, which is a ...

TimeSpan to wait between attempts at polling the key vault for changes. The default value is null (configuration isn't reloaded).

Source: Azure Key Vault configuration provider in ASP.NET Core - Configuration options

A richer solution is to combine App Configuration with Key Vault, which enables you to Reload secrets and certificates from Key Vault automatically

App Configuration and Key Vault are complementary services used side by side in many applications. App Configuration helps you use the services together by creating keys in your App Configuration store that reference secrets or certificates stored in Key Vault. Since Key Vault stores the public and private key pair of a certificate as a secret, your application can retrieve any certificate as a secret from Key Vault.

As a good security practice, secrets and certificates should be rotated periodically. Once they have been rotated in Key Vault, you would want your application to pick up the latest secret and certificate values. There are two ways to achieve this without restarting your application:

  • Update a sentinel key-value to trigger the refresh of your entire configuration, thereby reloading all Key Vault secrets and certificates. For more information, see how to use dynamic configuration in an ASP.NET Core app.
  • Periodically reload some or all secrets and certificates from Key Vault.
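As an added example (not code from the question or the answer), here is the first option wired up with a ReloadInterval so rotated secrets are picked up, together with a KeyVaultSecretManager that loads only this application's secrets. The "App--" prefix convention, the secret name App--ConnectionStrings--Db and the /health/db-config endpoint are assumptions made for the example.

```csharp
using System;
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;

var builder = WebApplication.CreateBuilder(args);
var keyVaultUrl = builder.Configuration["KeyVaultUrl"]; // e.g. https://<vault-name>.vault.azure.net/

builder.Configuration.AddAzureKeyVault(
    new Uri(keyVaultUrl),
    // Managed identity in Azure, developer credentials locally; it only needs
    // list/get on secrets ("Key Vault Secrets User" role), nothing more.
    new DefaultAzureCredential(),
    new AzureKeyVaultConfigurationOptions
    {
        // Load only this app's secrets (assumed "App--" prefix) instead of everything in the vault.
        Manager = new PrefixSecretManager("App--"),
        // Default is null: read once at startup, never refreshed. With an
        // interval the provider polls the vault and updates IConfiguration.
        ReloadInterval = TimeSpan.FromMinutes(5)
    });

var app = builder.Build();

// Read through IConfiguration at the point of use so a rotated secret is seen
// after the next poll; a copy in a static field would stay stale until restart.
app.MapGet("/health/db-config", (IConfiguration config) =>
{
    var connectionString = config.GetConnectionString("Db");
    // Report presence only; never echo the secret itself.
    return Results.Ok(new { dbConfigured = !string.IsNullOrEmpty(connectionString) });
});
app.Run();

// Filters which secrets load and maps vault names to configuration keys. Secret
// names cannot contain ':', so "--" is the usual section separator:
// "App--ConnectionStrings--Db" becomes "ConnectionStrings:Db".
public sealed class PrefixSecretManager : KeyVaultSecretManager
{
    private readonly string _prefix;
    public PrefixSecretManager(string prefix) => _prefix = prefix;
    public override bool Load(SecretProperties properties)
        => properties.Name.StartsWith(_prefix, StringComparison.OrdinalIgnoreCase);
    public override string GetKey(KeyVaultSecret secret)
        => secret.Name.Substring(_prefix.Length).Replace("--", ConfigurationPath.KeyDelimiter);
}
```

Requires the Azure.Extensions.AspNetCore.Configuration.Secrets and Azure.Identity packages; every poll is a list call against the vault, so choose the interval with that in mind.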