我无法从Azure密钥库访问机密.我怀疑问题在于我对术语没有足够的了解,因此我提供给各种API调用的参数是错误的.
I am having trouble accessing a secret from an Azure key vault. I suspect the problem is that I don't adequately understand the terminology, so the arguments I'm supplying to various API calls are wrong.
这是我正在使用的基本代码:
Here's the basic code I'm using:
protected async Task<string> GetCommunityKeyAsync( UserConfiguration user ) { var client = new KeyVaultClient( new KeyVaultClient.AuthenticationCallback( GetAccessTokenAsync ), new HttpClient() ); // user.VaultUrl is the address of my key vault // e.g., previously-created-vault.vault.azure var secret = await client.GetSecretAsync( user.VaultUrl, "key-to-vault-created-in-azure-portal" ); return secret.Value; } private async Task<string> GetAccessTokenAsync( string authority, string resource, string scope ) { var context = new AuthenticationContext( authority, TokenCache.DefaultShared ); // this line throws a "cannot identify user exception; see // below for details var result = await context.AcquireTokenAsync( resource, "id-of-app-registered-via-azure-portal", new UserCredential() ); return result.AccessToken; }这里是抛出异常:
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException HResult = 0x80131500消息= unknown_user:无法识别已记录 在用户Source = Microsoft.IdentityModel.Clients.ActiveDirectory 中 StackTrace:位于 Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenNonInteractiveHandler.d__4.MoveNext() 在System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()处 在 System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(任务 任务) Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.d__57.MoveNext() 在System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()处 在 System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(任务 任务) Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.d__37.MoveNext() 在System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()处 在 System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(任务 任务) Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContextIntegratedAuthExtensions.d__0.MoveNext() 在System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()处 在 System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(任务 任务),位于System.Runtime.CompilerServices.TaskAwaiter 1.GetResult() at NextDoorScanner.ScannerJob.<GetAccessTokenAsync>d__21.MoveNext() in C:\Programming\CommunityScanner\CommunityScanner\ScannerJob.cs:line 197 at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.ConfiguredTaskAwaitable 1.ConfiguredTaskAwaiter.GetResult() 在 Microsoft.Azure.KeyVault.KeyVaultCredential.d__9.MoveNext() 在System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()处 在 System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(任务 任务) System.Runtime.CompilerServices.ConfiguredTaskAwaitable 1.ConfiguredTaskAwaiter.GetResult() at Microsoft.Azure.KeyVault.KeyVaultCredential.<ProcessHttpRequestAsync>d__10.MoveNext() at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Azure.KeyVault.KeyVaultClient.<GetSecretWithHttpMessagesAsync>d__65.MoveNext() at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.ConfiguredTaskAwaitable 1.ConfiguredTaskAwaiter.GetResult() 在 Microsoft.Azure.KeyVault.KeyVaultClientExtensions.d__11.MoveNext() 在System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()处 在 System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(任务 任务)在System.Runtime.CompilerServices.TaskAwaiter 1.GetResult() at NextDoorScanner.ScannerJob.<GetCommunityKeyAsync>d__20.MoveNext() in C:\Programming\CommunityScanner\CommunityScanner\ScannerJob.cs:line 188 at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.TaskAwaiter 1.GetResult() 在NextDoorScanner.NextDoorScannerJob.d__4.MoveNext()中 C:\ Programming \ CommunityScanner \ CommunityScanner \ NextDoorScannerJob.cs:line 46时 System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()在 System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(任务 任务),位于System.Runtime.CompilerServices.TaskAwaiter`1.GetResult() 在NextDoorScanner.Program.Main(String [] args)中 C:\ Programming \ CommunityScanner \ CommunityScanner \ Program.cs:第22行
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException HResult=0x80131500 Message=unknown_user: Could not identify logged in user Source=Microsoft.IdentityModel.Clients.ActiveDirectory StackTrace: at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenNonInteractiveHandler.d__4.MoveNext() at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.d__57.MoveNext() at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.d__37.MoveNext() at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContextIntegratedAuthExtensions.d__0.MoveNext() at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.TaskAwaiter1.GetResult() at NextDoorScanner.ScannerJob.<GetAccessTokenAsync>d__21.MoveNext() in C:\Programming\CommunityScanner\CommunityScanner\ScannerJob.cs:line 197 at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.ConfiguredTaskAwaitable1.ConfiguredTaskAwaiter.GetResult() at Microsoft.Azure.KeyVault.KeyVaultCredential.d__9.MoveNext() at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.ConfiguredTaskAwaitable1.ConfiguredTaskAwaiter.GetResult() at Microsoft.Azure.KeyVault.KeyVaultCredential.<ProcessHttpRequestAsync>d__10.MoveNext() at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Azure.KeyVault.KeyVaultClient.<GetSecretWithHttpMessagesAsync>d__65.MoveNext() at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.ConfiguredTaskAwaitable1.ConfiguredTaskAwaiter.GetResult() at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.d__11.MoveNext() at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.TaskAwaiter1.GetResult() at NextDoorScanner.ScannerJob.<GetCommunityKeyAsync>d__20.MoveNext() in C:\Programming\CommunityScanner\CommunityScanner\ScannerJob.cs:line 188 at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.TaskAwaiter1.GetResult() at NextDoorScanner.NextDoorScannerJob.d__4.MoveNext() in C:\Programming\CommunityScanner\CommunityScanner\NextDoorScannerJob.cs:line 46 at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult() at NextDoorScanner.Program.Main(String[] args) in C:\Programming\CommunityScanner\CommunityScanner\Program.cs:line 22
我进行了一些配置,我认为涉及通过powershell将桌面注册为Azure用户:
I did some configuration, I thought involving registering my desktop as an Azure user, via powershell:
Login-AzureRmAccount // as I recall, this next line complained about the app ID already being defined New-AzureRmADServicePrincipal -ApplicationId 'id-of-app-previously-defined-via-azure-portal' Set-AzureRmKeyVaultAccessPolicy -VaultName 'vault-name' -ServicePrincipalName id-of-app-previously-defined-via-azure-portal -PermissionsToSecrets Get
我不清楚是否应该向GetSecretAsync()提供保管库密钥.我还想知道我是否应该做其他事情,而不是将新创建的UserCredential传递给AcquireTokenAsync().最后,我在网上看到了有关创建用于密钥保管库的存储帐户的参考,虽然我做过,但是我没有创建我在存储帐户"中使用的保管库.而且我没有在代码中标识存储帐户.
I'm unclear if I'm supposed to be providing the vault key to GetSecretAsync(). I also wonder if I'm supposed to be doing something other than passing a newly-created UserCredential to AcquireTokenAsync(). Finally, I see references online to creating a storage account for use with key vaults, which I did, but I didn't create the vault I'm using "in" a storage account. And I'm not identifying the storage account in the code.
可以提供帮助,也可以参考一个很好的示例,它可以从控制台桌面应用访问密钥库.
Help, or a reference to a really good example accessing key vaults from a console desktop app would be appreciated.
推荐答案Mark的博客非常有帮助,我从该博客中学到了如何做,下面是截至2018年11月6日的步骤和代码.
Mark's blog was extremely helpful, from that blog I learnt how to do it and below are the steps and code as of 6-Nov-2018.
步骤摘要:
通过代码访问它们
using Microsoft.Azure.KeyVault; using Microsoft.IdentityModel.Clients.ActiveDirectory; using System; using System.Collections.Generic; using System.Linq; using System.Net.Http; using System.Text; using System.Threading.Tasks; namespace Experiments.AzureKeyValut { internal class AzureKeyValueDemo { private static async Task Main(string[] args) { await GetSecretAsync("YOURVAULTNAME.vault.azure/", "YourSecretKey"); } private static async Task<string> GetSecretAsync(string vaultUrl, string vaultKey) { var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessTokenAsync), new HttpClient()); var secret = await client.GetSecretAsync(vaultUrl, vaultKey); return secret.Value; } private static async Task<string> GetAccessTokenAsync(string authority, string resource, string scope) { //DEMO ONLY //Storing ApplicationId and Key in code is bad idea :) var appCredentials = new ClientCredential("YourApplicationId", "YourApplicationKey"); var context = new AuthenticationContext(authority, TokenCache.DefaultShared); var result = await context.AcquireTokenAsync(resource, appCredentials); return result.AccessToken; } } }如何注册您的应用:
如何创建Azure应用的密码并获取应用的ID
如何创建Azure密钥保管库和分配权限
如何创建Azure机密
如何通过代码访问它
更多推荐
无法从桌面控制台应用程序访问Azure Key Vault
发布评论