我将使用On Premise Web应用程序中的Azure Vault Secret。
我创建了一个带有密钥的密钥保管库,但在访问策略中,我应该指定一个授权应用程序,并在示例中使用Azure WebApp。
我想要使用内部MVC网络应用程序中的秘密:shoud我没有指定任何内容并且它有效吗?我自己指定了Azure Vault和Principal,但我不确定这是否正确。
答案 0 :(得分:1)
Well, something will need to authenticate to access the secret. Either the current user, or you can use a service principal.
Since we are talking about an MVC app, the service principal is probably easier. You will need to register a new app in Azure Active Directory via the Azure Portal. Find Azure AD, and register a new app via App registrations.
The name and URLs don't really matter, but it needs to be of type Web app/API.
The sign-on URL can be https://localhost for example.
Then add a key in the Keys blade to the app (click Settings after the app is created, then Keys).
Copy the client id (application id) and the key somewhere.
Now you can go to your Key Vault, and create a new access policy, and choose the app you created as the principal. Give it the rights you want, like Secrets -> Get. Then you can save the policy.
In your app, you can then use the Key Vault library + ADAL like so:
var kvClient = new KeyVaultClient(async (authority, resource, scope) =>
{
var context = new AuthenticationContext(authority);
var credential = new ClientCredential("client-id-here", "key-here");
AuthenticationResult result = await context.AcquireTokenAsync(resource, credential);
return result.AccessToken;
});
SecretBundle secret = await kvClient.GetSecretAsync("https://yourvault.vault.azure.net/", "secret-name");
string secretValue = secret.Value;