Azure Key Vault Config Builder in 4.7.1

Date: 2018-12-12 15:28:03

Tags: azure azure-keyvault

Our company cannot use .NET Core yet. I am trying to work out how best to use Azure Key Vault to store configuration items for our API app services.

I have a simple WebAPI project with the following global.asax file:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Http;
using System.Web.Http.WebHost;
using System.Web.Routing;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureKeyVault;

namespace kv.api
{
    public class WebApiApplication : System.Web.HttpApplication
    {
        protected void Application_Start()
        {
            GlobalConfiguration.Configure(WebApiConfig.Register);

            LoadAzureKeyVaultSettings();
        }

        protected void LoadAzureKeyVaultSettings()
        {
            // Authenticates as the current user (developer machine); in Azure this would be a managed identity.
            var tokenProvider = new AzureServiceTokenProvider("RunAs=CurrentUser;");

            var kvClient = new KeyVaultClient((authority, resource, scope) => tokenProvider.KeyVaultTokenCallback(authority, resource, scope));

            var builder = new ConfigurationBuilder()
                .AddAzureKeyVault("https://mykvurihere.vault.azure.net/", kvClient, new DefaultKeyVaultSecretManager());

            // The built IConfigurationRoot is not kept anywhere, and nothing copies it into ConfigurationManager.AppSettings.
            builder.Build();
        }
    }
}

And then I have a simple WebAPI endpoint here:

using System;
using System.Collections.Generic;
using System.Configuration;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using kv.api.Models;

namespace kv.api.Controllers
{
    public class SettingsController : ApiController
    {
        /// <summary>
        /// Method that returns all the keys out of the Configuration Manager's App Settings.  Can use this endpoint to test KeyVault integrations.
        /// </summary>
        /// <returns>List of Settings</returns>
        public IEnumerable<Setting> GetAllSettings()
        {
            var settings = ConfigurationManager.AppSettings.AllKeys
                .Select(key => new Setting()
                {
                    Key = key,
                    Value = ConfigurationManager.AppSettings[key]
                })
                .ToList();

            return settings;
        }
    }
}

It compiles and I get no runtime exception, but this endpoint does not return my configuration from the key vault (I do get the appSettings from my web.config). What am I missing here?

--- Update: it looks like the Key Vault metrics reported in the Azure portal show that my application successfully retrieved the secrets, but they are not being added to the application's AppSettings.

Thanks!

2 answers:

Answer 0 (score: 1)

I put a lot of thought into this problem, so I decided to write a lengthy blog post about it, which you can find here.

In short, I think the best way to integrate the Key Vault config builder is not through .NET code but simply by adding Key Vault as a connected service, and then setting it up in your Web.config like this:

<configuration>
  <configSections>
    <section name="configBuilders" type="System.Configuration.ConfigurationBuildersSection, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" restartOnExternalChanges="false" requirePermission="false" />
  </configSections>
  <configBuilders>
    <builders>
      <add name="AzureKeyVault" vaultName="your vault's name" type="Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Azure, Version=1.0.0.0, Culture=neutral" />
    </builders>
  </configBuilders>
  <appSettings configBuilders="AzureKeyVault">
    <add key="MyValue" value="Value from Web.config" />
  </appSettings>
  ...
</configuration>

Then, provided you have set up authentication between Key Vault and your app correctly, adding a secret named "MyValue" to Key Vault will cause it to be substituted at runtime, and you will be able to read the Key Vault value in your application like this:

ConfigurationManager.AppSettings["MyValue"]

Answer 1 (score: 0)

I found a solution, but it seems really hacky... posting it here for feedback. What I ended up doing was manually setting the key/value pairs in the ConfigurationManager.AppSettings collection, like this:

using System.Configuration;
using System.Web.Http;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureKeyVault;
// .NET Framework 4.7.1 added System.Configuration.ConfigurationBuilder, so the alias resolves the ambiguity.
using ConfigurationBuilder = Microsoft.Extensions.Configuration.ConfigurationBuilder;

namespace kv.api
{
    public class WebApiApplication : System.Web.HttpApplication
    {
        protected void Application_Start()
        {
            GlobalConfiguration.Configure(WebApiConfig.Register);

            LoadAzureKeyVaultSettings();
        }

        protected void LoadAzureKeyVaultSettings()
        {
            // Connection string (e.g. RunAs=...) comes from Web.config, so it can differ per environment.
            var tokenProvider = new AzureServiceTokenProvider(ConfigurationManager.AppSettings["AzureServiceTokenProviderConnectionString"]);

            var kvClient = new KeyVaultClient(
                new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));

            var builder = new ConfigurationBuilder()
                .AddAzureKeyVault("https://mykvurihere.vault.azure.net/", kvClient,
                    new DefaultKeyVaultSecretManager());

            var config = builder.Build();

            // Copy every secret the vault returned into the AppSettings collection.
            foreach (var keyValuePair in config.AsEnumerable())
            {
                ConfigurationManager.AppSettings.Set(keyValuePair.Key, keyValuePair.Value);
            }
        }
    }
}
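As an added example (not code from the question or either answer), here is a version of the question's diagnostic SettingsController that reports which settings were loaded and from where, without echoing their values, reading the IConfigurationRoot that answer 1 builds. The static KeyVaultConfig property, the SettingStatus type and the "kvapi--" secret-name convention are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Linq;
using System.Web.Http;
using Microsoft.Extensions.Configuration;

namespace kv.api.Controllers
{
    // Hypothetical DTO: like the page's Setting type, but it never carries the value.
    public class SettingStatus
    {
        public string Key { get; set; }
        public bool HasValue { get; set; }
        public string Source { get; set; } // "KeyVault" or "Web.config"
    }

    public class SettingsController : ApiController
    {
        // Assumed: Application_Start assigns builder.Build() from AddAzureKeyVault(...)
        // to this property instead of discarding it (hypothetical property).
        public static IConfigurationRoot KeyVaultConfig { get; set; }

        // Constructed naming convention: only secrets named "kvapi--<Name>" in the vault
        // belong to this app. DefaultKeyVaultSecretManager maps "--" to ":", so the key
        // seen through IConfiguration is "kvapi:<Name>".
        private const string ConfigKeyPrefix = "kvapi:";

        // Reports which settings are present and where they came from. Values are never
        // returned, so this diagnostic endpoint cannot be used to read secrets.
        public IEnumerable<SettingStatus> GetAllSettings()
        {
            var fromVault = KeyVaultConfig == null
                ? Enumerable.Empty<SettingStatus>()
                : KeyVaultConfig.AsEnumerable()
                    .Where(kv => kv.Key.StartsWith(ConfigKeyPrefix, StringComparison.OrdinalIgnoreCase))
                    .Select(kv => Describe(kv.Key, kv.Value, "KeyVault"));

            var fromWebConfig = ConfigurationManager.AppSettings.AllKeys
                .Select(key => Describe(key, ConfigurationManager.AppSettings[key], "Web.config"));

            return fromVault.Concat(fromWebConfig).ToList();
        }
        private static SettingStatus Describe(string key, string value, string source)
        {
            // Only presence is recorded; the value itself is dropped here.
            return new SettingStatus { Key = key, HasValue = !string.IsNullOrEmpty(value), Source = source };
        }
    }
}
```

The prefix filter also keeps unrelated secrets in a shared vault out of the application's settings, which is the same least-privilege idea as giving the app's identity access only to the secrets it needs.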