KeyVaultKeyResolver中的Azure rsaKey始终为null

Question

我通过我的MVC / Durandal网络应用程序将身份文档保存到Azure blob存储。我正在关注this示例，使用Azure密钥保管库加密Azure存储中的Blob以存储加密密钥。

这是我的代码：

    public async Task UploadIdentityDocumentForClient(string fileName, ParsedClientModel parsedClientModel)
    {
        BlobRequestOptions options = await GetBlobRequestOptions();
        await
            _storageRepository.CreateEncryptedBlobFromByteArray(_storageManager, _containerName, fileName, parsedClientModel.IdentityDocumentFile, parsedClientModel.IdentityDocumentContentType, options);
        return fileName;
    }


    private static async Task GetBlobRequestOptions()
    {
        string secretUri = WebConfigurationManager.AppSettings["SecretUri"];
        string secretName = WebConfigurationManager.AppSettings["SecretEncryptionName"];
    *1  KeyVaultKeyResolver keyVaultKeyResolver = new KeyVaultKeyResolver(GetAccessToken);

    *2  IKey rsaKey = keyVaultKeyResolver.ResolveKeyAsync($"{secretUri}/secrets/{secretName}", CancellationToken.None).GetAwaiter().GetResult();
        BlobEncryptionPolicy policy = new BlobEncryptionPolicy(rsaKey, null);
        BlobRequestOptions options = new BlobRequestOptions
        {
            EncryptionPolicy = policy
        };
        return options;
    }


     public static async Task GetAccessToken(string authority, string resource, string scope)
    {
        string clientId = WebConfigurationManager.AppSettings["ClientId"];
        string clientSecret = WebConfigurationManager.AppSettings["ClientSecret"];
        ClientCredential clientCredential = new ClientCredential(clientId, clientSecret);
        AuthenticationContext authenticationContext = new AuthenticationContext(authority, TokenCache.DefaultShared);
        AuthenticationResult result = await authenticationContext.AcquireTokenAsync(resource, clientCredential);
        if (result == null)
        {
            throw new InvalidOperationException(
                "GetAccessToken - Failed to obtain the Active Directory token for application.");
        }
    *3  return result.AccessToken;
    }


    public async Task CreateEncryptedBlobFromByteArray(IStorageManager storageManager, string containerName, string fileName,
        byte[] byteArray, string contentType, BlobRequestOptions options)
    {
        CloudBlobContainer container = await CreateStorageContainerIfNotExists(storageManager, containerName);
        CloudBlockBlob blob = container.GetBlockBlobReference(fileName);
        blob.Properties.ContentType = contentType;
        await blob.UploadFromByteArrayAsync(byteArray, 0, byteArray.Length, AccessCondition.GenerateEmptyCondition(), options, new OperationContext());
    }

这一行...

    IKey rsaKey = keyVaultKeyResolver.ResolveKeyAsync($"{secretUri}/secrets/{secretName}", CancellationToken.None).GetAwaiter().GetResult();

始终返回null。

我在上面的代码中添加了断点（* 1到* 3），并注意到* 2总是在* 3之前被击中。这意味着KeyVaultKeyResolver（GetAccessToken）调用不等待GetAccessToken调用返回值。

关于我做错了什么的想法？

Answer 1

我弄清楚我做错了什么。

断点2是我应该使用此代码：

SymmetricKey sec = (SymmetricKey) cloudResolver
            .ResolveKeyAsync("https://yourkeyvault.vault.azure.net/secrets/MiplanAdminLocalEncryption",
                CancellationToken.None)
            .GetAwaiter()
            .GetResult();

我还必须使用PowerShell将秘密添加到我的Azure Key Vault。通过管理UI创建秘密不起作用。以下是我使用的命令：

对不起图片，但即使粘贴为代码示例，也不接受上述文字。

请参阅this网站了解原始示例。

我找到了一种通过Azure门户添加秘密的方法：

    //If entering via Azure UI:
    //Your secret string must be 16 characters (28 bits) long or end up being 28, 192, 256, 384, or 512 bits.
    // Base64 encode using https://www.base64encode.org/
    //Take this encoded value and enter it as the secret value in the UI.