Retrieve the Azure Data Factory service identity application ID

Time: 2018-08-31 13:43:54

Tags: c# azure-active-directory azure-data-factory azure-keyvault azure-data-factory-2

I have created a Data Factory and a Key Vault using C# code, and I want to set the access policy of the Key Vault. For that I want to obtain the data factory's "Service Identity Application ID" (highlighted in red in the attached image) from C# code. How do I do this?

3 answers:

Answer 0: (score: 0)

If you want to obtain an access token using the application ID, hopefully this doc can help.

Answer 1: (score: 0)

Yes, you can do this from C# code.

Here is a quick sample I wrote to get the service identity application ID from C# code.

The prerequisite is to install the following packages from the Package Manager Console (Tools -> NuGet Package Manager -> Package Manager Console):

Install-Package Microsoft.Azure.Management.DataFactory -Prerelease
Install-Package Microsoft.Azure.Management.ResourceManager -Prerelease
Install-Package Microsoft.IdentityModel.Clients.ActiveDirectory

Once the packages are installed, use the code below:

using System;
using Microsoft.Rest;
using Microsoft.Azure.Management.ResourceManager;
using Microsoft.Azure.Management.DataFactory;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

namespace GetDataFactory
{
    class Program
    {
        static void Main(string[] args)
        {
            // Set variables
            string tenantID = "<your tenant ID>";
            string applicationId = "<your application ID>";
            string authenticationKey = "<your authentication key for the application>";
            string subscriptionId = "<your subscription ID where the data factory resides>";
            string resourceGroup = "<your resource group where the data factory resides>";
            string dataFactoryName = "<specify the name of data factory to create. It must be globally unique.>";

            // Authenticate and create a data factory management client
            var context = new AuthenticationContext("https://login.windows.net/" + tenantID);
            ClientCredential cc = new ClientCredential(applicationId, authenticationKey);
            AuthenticationResult result = context.AcquireTokenAsync("https://management.azure.com/", cc).Result;
            ServiceClientCredentials cred = new TokenCredentials(result.AccessToken);
            var client = new DataFactoryManagementClient(cred) { SubscriptionId = subscriptionId };

            var myFactory = client.Factories.Get(resourceGroup, dataFactoryName);

            // Getting the principal Id as you mentioned in the question, but you can get more
            // information from the Identity object as per your need (e.g. TenantId, Type).
            Guid? principalId = myFactory.Identity.PrincipalId;
            Console.WriteLine("Service identity principal (object) ID: " + principalId);
        }
    }
}

Once you have all the identity information, you can update the Key Vault's access policy to give the application (whose ID is highlighted in the image) the required permissions (e.g. list keys, get/list secrets, etc.):

  1. Using the KeyVaultManagementClient class -

    https://docs.microsoft.com/en-us/dotnet/api/microsoft.azure.management.keyvault.keyvaultmanagementclient?view=azure-dotnet

    https://docs.microsoft.com/en-us/dotnet/api/microsoft.azure.management.keyvault.vaultsoperationsextensions.updateaccesspolicy?view=azure-dotnet

  2. Using the Fluent API -

    See this sample on GitHub - https://github.com/Azure-Samples/key-vault-dotnet-manage-key-vaults

            Utilities.Log("Authorizing the application associated with the current service principal...");
    
            vault1 = vault1.Update()
                    .DefineAccessPolicy()
                        .ForServicePrincipal(SdkContext.AzureCredentialsFactory.FromFile(Environment.GetEnvironmentVariable("AZURE_AUTH_LOCATION")).ClientId)
                        .AllowKeyAllPermissions()
                        .AllowSecretPermissions(SecretPermissions.Get)
                        .AllowSecretPermissions(SecretPermissions.List)
                        .Attach()
                    .Apply();
    
            Utilities.Log("Updated key vault");
            Utilities.PrintVault(vault1);
    
            //============================================================
            // Update a key vault
    
            Utilities.Log("Update a key vault to enable deployments and add permissions to the application...");
    
            vault1 = vault1.Update()
                    .WithDeploymentEnabled()
                    .WithTemplateDeploymentEnabled()
                    .UpdateAccessPolicy(vault1.AccessPolicies[0].ObjectId)
                        .AllowSecretAllPermissions()
                        .Parent()
                    .Apply();
    
            Utilities.Log("Updated key vault");
            // Print the key vault
            Utilities.PrintVault(vault1);
    
  3. Using the REST API

    https://docs.microsoft.com/en-us/rest/api/keyvault/vaults/updateaccesspolicy

Answer 2: (score: 0)

If you want to retrieve the application ID of an existing ADF, you need to make two trips.

The first is to retrieve the service identity from Resource Manager. @rohit's first code block does this in C#. This retrieves the principal's object ID, not the application ID, which is a property of that object.

The second is to retrieve the application ID from Active Directory via RM. You can then use it to assign the access policy. For example, in PowerShell you can do this:

First step:

$principal = (Get-AzureRmDataFactoryV2 -ResourceGroupName "yourRG" -Name yourADF).identity.PrincipalId

Then the second step...

$appId = (Get-AzureRmADServicePrincipal -ObjectId $principal).ApplicationId

It should be easy to work out the C# equivalent from that.
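The two-trip lookup from answer 2 and the access-policy update from answer 1, carried out end to end in C#, as an added example that is not part of any of the answers above. It assumes the Microsoft.Azure.Management.DataFactory, Microsoft.Azure.Management.KeyVault, Microsoft.Azure.Graph.RBAC and Microsoft.IdentityModel.Clients.ActiveDirectory packages; the class and property names used for the Graph and Key Vault clients (GraphRbacManagementClient, ServicePrincipal.AppId, AccessPolicyEntry, AccessPolicyUpdateKind) are taken from those packages' documented APIs, and all placeholder values are assumptions to replace with your own. Two points worth knowing before running it: a Key Vault access policy entry is keyed on the tenant ID plus the principal's object ID, so the application ID is optional there and the Graph trip is only needed if you want the AppId itself; and AccessPolicyUpdateKind.Add merges the new entry with existing policies, whereas Replace would drop every other principal's access.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Rest;
using Microsoft.Azure.Management.DataFactory;
using Microsoft.Azure.Management.KeyVault;
using Microsoft.Azure.Management.KeyVault.Models;
using Microsoft.Azure.Graph.RBAC;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

namespace GrantFactoryVaultAccess
{
    class Program
    {
        // Placeholder values (assumed); replace with your own.
        const string TenantId = "<your tenant ID>";
        const string ClientId = "<your application ID>";
        const string ClientSecret = "<your authentication key for the application>";
        const string SubscriptionId = "<your subscription ID>";
        const string ResourceGroup = "<resource group holding the factory and the vault>";
        const string DataFactoryName = "<data factory name>";
        const string VaultName = "<key vault name>";

        // Acquire a token for one resource. ARM and the AAD Graph are separate audiences,
        // so each client below gets its own token.
        static ServiceClientCredentials Credentials(string resource)
        {
            var context = new AuthenticationContext("https://login.windows.net/" + TenantId);
            var cc = new ClientCredential(ClientId, ClientSecret);
            AuthenticationResult result = context.AcquireTokenAsync(resource, cc).Result;
            return new TokenCredentials(result.AccessToken);
        }

        static void Main(string[] args)
        {
            ServiceClientCredentials armCred = Credentials("https://management.azure.com/");

            // Trip 1: read the factory's service identity from Resource Manager.
            var adf = new DataFactoryManagementClient(armCred) { SubscriptionId = SubscriptionId };
            var factory = adf.Factories.Get(ResourceGroup, DataFactoryName);
            if (factory.Identity == null || factory.Identity.PrincipalId == null)
                throw new InvalidOperationException(
                    "Factory has no service identity; create it with Identity = new FactoryIdentity().");
            Guid principalId = factory.Identity.PrincipalId.Value;
            Guid tenantId = factory.Identity.TenantId ?? Guid.Parse(TenantId);

            // Trip 2: resolve the application ID from the service principal object in Azure AD.
            // Same lookup as Get-AzureRmADServicePrincipal -ObjectId in the PowerShell answer.
            var graph = new GraphRbacManagementClient(Credentials("https://graph.windows.net/"))
            {
                TenantID = TenantId
            };
            string appId = graph.ServicePrincipals.Get(principalId.ToString()).AppId;
            Console.WriteLine("PrincipalId (object ID): " + principalId);
            Console.WriteLine("ApplicationId: " + appId);

            // Grant the factory identity read-only access to secrets and nothing else.
            // The entry is keyed on tenant + object ID; ApplicationId is optional here.
            var kv = new KeyVaultManagementClient(armCred) { SubscriptionId = SubscriptionId };
            var entry = new AccessPolicyEntry
            {
                TenantId = tenantId,
                ObjectId = principalId.ToString(),
                Permissions = new Permissions { Secrets = new List<string> { "get", "list" } }
            };
            var parameters = new VaultAccessPolicyParameters
            {
                Properties = new VaultAccessPolicyProperties
                {
                    AccessPolicies = new List<AccessPolicyEntry> { entry }
                }
            };
            // Add merges with the vault's existing policies; Replace would remove them.
            kv.Vaults.UpdateAccessPolicy(ResourceGroup, VaultName, AccessPolicyUpdateKind.Add, parameters);
            Console.WriteLine("Access policy added for the factory identity.");
        }
    }
}
```

The service principal used to run this needs rights to read the factory, to read directory objects for the Graph call, and to write the vault's access policies; the factory identity itself ends up with only secrets get/list, which is the minimum a pipeline normally needs to pull connection strings from the vault.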