保护Azure函数使用的私钥

时间:2018-11-06 16:51:01

标签: c# .net azure azure-functions azure-keyvault

我有一个Azure功能,它将文件从SFTP位置复制到Azure Blob。 建立与SFTP的连接所需的私钥/ SSH密钥现在已成为应用程序设置json的一部分-因为该解决方案仍局限于PoC /开发阶段。

在将其用于生产之前,我必须保护上述私钥。

Azure Key Vault是存储私钥的最佳候选人吗?并通过AD为Azure功能提供对该键的动态访问?

还是从Azure PaaS角度来看有替代方法?

1 个答案:

答案 0 :(得分:1)

我个人尚未从Azure功能访问Azure Key Vault的机密。我发现到目前为止,在Function App的应用程序设置中存储机密/密钥非常适合我。

但是,您可能会发现这很有用: Retrieve Azure Key Vault Secrets using Azure Functions and Managed Service Identity按照该页面上描述的步骤正确设置了保管库之后,您可以像下面这样从Function中进行访问:

using System.Net;
using System.Configuration;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Newtonsoft.Json;
using System.Text;

public static async Task<HttpResponseMessage> Run(HttpRequestMessage req, TraceWriter log)
{
    log.Info("C# HTTP trigger function processed a request.");

    SecretRequest secretRequest = await req.Content.ReadAsAsync<SecretRequest>();

    if(string.IsNullOrEmpty(secretRequest.Secret))
        return req.CreateResponse(HttpStatusCode.BadRequest, "Request does not contain a valid Secret."); 

    log.Info($"GetKeyVaultSecret request received for secret {secretRequest.Secret}");        

    var serviceTokenProvider = new AzureServiceTokenProvider();

    var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(serviceTokenProvider.KeyVaultTokenCallback));            

    var secretUri = SecretUri(secretRequest.Secret);
    log.Info($"Key Vault URI {secretUri} generated");
    SecretBundle secretValue; 
    try
    {
      secretValue = await keyVaultClient.GetSecretAsync(secretUri);
    }
    catch(KeyVaultErrorException kex)
    {
        return req.CreateResponse(HttpStatusCode.NotFound, $"{kex.Message}");
    }
    log.Info("Secret Value retrieved from KeyVault.");

    var secretResponse = new SecretResponse {Secret = secretRequest.Secret, Value = secretValue.Value};

    return new HttpResponseMessage(HttpStatusCode.OK) {
        Content = new StringContent(JsonConvert.SerializeObject(secretResponse), Encoding.UTF8, "application/json")};


}

public class SecretRequest
{
    public string Secret {get;set;}
}

public class SecretResponse
{
    public string Secret {get; set;}
    public string Value {get; set;}
}

public static string SecretUri(string secret)
{
   return $"{ConfigurationManager.AppSettings["KeyVaultUri"]}/Secrets/{secret}";
}
相关问题
最新问题