从Azure Service Fabric中托管的ASP.NET Core应用程序访问Azure Key Vault

时间:2017-04-27 08:13:31

标签: azure-service-fabric

在我当前的ASP.NET Core项目中,我使用Azure Active Directory身份验证和X509Certificate来访问Key Vault。需要在计算机上安装证书,以允许应用程序访问它,最后从Key Vault读取值。现在我正致力于将此应用程序迁移到Azure Service Fabric。我已通过添加以下内容将证书上传到Key Vault,修改了ARM模板:

"osProfile": {
    "secrets": [
        {
          "sourceVault": {
            "id": "{KeyVaultIdHere}"
          },
          "vaultCertificates": [
            {
              "certificateUrl": "{CertificateUrlHere}",
              "certificateStore": "My"
            }
          ]
        }
      ]
},

但是当我将我的应用程序部署到Azure Service Fabric时,似乎它无法访问证书。我是否正确理解当我使用此类ARM模板创建群集时,LocalMachine\My商店中正在安装证书?如果是,是否可能,运行应用程序的操作系统用户无法访问ceritficate的私钥?当我在本地计算机上运行集群时,我必须向ASF本地集群用户授予特殊权限才能读取私钥。也许在Azure上需要为ASF做同样的事情?怎么办?提前谢谢。

2 个答案:

答案 0 :(得分:1)

好的,所以解决方案是修改ARM模板,使其能够访问NETWORK SERVICE用户的证书私钥。要做到这一点,需要编写适当的PowerShell(如此处:https://social.technet.microsoft.com/Forums/windowsserver/en-US/1557e379-26a8-46d0-bf26-d32176395085/how-to-grant-permission-to-private-key-from-powershell?forum=winserverpowershell)并在ARM模板(CustomScriptExtension)中附加virtualMachineProfile/extensionProfile/extensions。它只能在ARM部署期间完成,因为由于某种原因,Administrators仅对通过ARM模板安装的证书具有Read访问权限。

答案 1 :(得分:1)

以下是我的某个应用程序中的一个应用程序清单。

<?xml version="1.0" encoding="utf-8"?>
<ApplicationManifest xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ApplicationTypeName="S-Innovations.ServiceFabric.GatewayApplicationType" ApplicationTypeVersion="1.0.0" xmlns="http://schemas.microsoft.com/2011/01/fabric">
  <Parameters>
    <Parameter Name="GatewayService_InstanceCount" DefaultValue="-1" />
    <Parameter Name="AzureADServicePrincipal" DefaultValue="" />
    <Parameter Name="TenantId" DefaultValue="" />
    <Parameter Name="ApplicationStorageAccountId" DefaultValue="" />
    <Parameter Name="AzureResourceManagerCertThumbrint" DefaultValue="C03BB5A6410741CDD2927B4FF88C3E67215A393B" />
    <Parameter Name="Azure.KeyVault.Uri" DefaultValue="https://earthml-core-k3ci.vault.azure.net/" />
    <Parameter Name="ASPNETCORE_ENVIRONMENT" DefaultValue="Development" />
  </Parameters>
  <!-- Import the ServiceManifest from the ServicePackage. The ServiceManifestName and ServiceManifestVersion 
       should match the Name and Version attributes of the ServiceManifest element defined in the 
       ServiceManifest.xml file. -->
  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="S-Innovations.ServiceFabric.GatewayServicePkg" ServiceManifestVersion="1.0.0" />
    <ConfigOverrides>
      <ConfigOverride Name="Config">
        <Settings>
          <Section Name="AzureResourceManager">
            <Parameter Name="AzureADServicePrincipal" Value="[AzureADServicePrincipal]" IsEncrypted="true" />
            <Parameter Name="TenantId" Value="[TenantId]" />
            <Parameter Name="ApplicationStorageAccountId" Value="[ApplicationStorageAccountId]" />
            <Parameter Name="Azure.KeyVault.Uri" Value="[Azure.KeyVault.Uri]" />
          </Section>
        </Settings>
      </ConfigOverride>
    </ConfigOverrides>
    <EnvironmentOverrides CodePackageRef="Code">
      <EnvironmentVariable Name="ASPNETCORE_ENVIRONMENT" Value="[ASPNETCORE_ENVIRONMENT]" />
    </EnvironmentOverrides>
    <Policies>
      <RunAsPolicy CodePackageRef="Code" UserRef="Admin" EntryPointType="All" />
    </Policies>
  </ServiceManifestImport>
  <DefaultServices>
    <!-- The section below creates instances of service types, when an instance of this 
         application type is created. You can also create one or more instances of service type using the 
         ServiceFabric PowerShell module.

         The attribute ServiceTypeName below must match the name defined in the imported ServiceManifest.xml file. -->
    <Service Name="GatewayService">
      <StatelessService ServiceTypeName="GatewayServiceType" InstanceCount="[GatewayService_InstanceCount]">
        <SingletonPartition />
      </StatelessService>
    </Service>
    <Service Name="GatewayServiceManagerActorService" GeneratedIdRef="ef5ab963-c061-486e-bb1c-84bf1c2fc7e1|Persisted">
      <StatefulService ServiceTypeName="GatewayServiceManagerActorServiceType">
        <UniformInt64Partition PartitionCount="2" LowKey="-9223372036854775808" HighKey="9223372036854775807" />
      </StatefulService>
    </Service>
  </DefaultServices>
  <Principals>
    <Users>
      <User Name="Service1" AccountType="NetworkService" />
      <User Name="Admin">
        <MemberOf>
          <SystemGroup Name="Administrators" />
        </MemberOf>
      </User>
    </Users>
  </Principals>
  <Policies>
    <SecurityAccessPolicies>
      <SecurityAccessPolicy ResourceRef="MyCert" PrincipalRef="Service1" ResourceType="Certificate" />
    </SecurityAccessPolicies>
  </Policies>
  <Certificates>
    <SecretsCertificate X509FindValue="[AzureResourceManagerCertThumbrint]" Name="MyCert" />
  </Certificates>
</ApplicationManifest>

我一直在使用它而没有提到任何问题,即应用程序无法访问证书。也许这可以帮助您简化您的手臂脚本:)

相关问题
最新问题