Azure Storage client-side encryption

Time: 2019-01-02 17:15:47

Tags: c# encryption azure-storage azure-keyvault

I am trying to test client-side encryption with an Azure Storage account. So far I have created a resource group and my Key Vault, registered the application in Active Directory, and created a secret in my Key Vault.

I don't think I have mapped my secret to my storage account, but I assumed that if they are in the same resource group they should work together.


# 16-character (128-bit) symmetric key, stored base64-encoded as a Key Vault secret
$key = "qwertyuiopasdfgh"
$b = [System.Text.Encoding]::UTF8.GetBytes($key)
$enc = [System.Convert]::ToBase64String($b)
$secretvalue = ConvertTo-SecureString $enc -AsPlainText -Force

# Content type application/octet-stream marks the secret as raw key material for KeyVaultKeyResolver
$secret = Set-AzureKeyVaultSecret -VaultName 'ectotecStorageKeyVault' -Name 'ectotecSecret' -SecretValue $secretvalue -ContentType "application/octet-stream"

The problem is that I get an invalid secret; the code is as follows:

using System;
using System.Configuration;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.WindowsAzure.Storage;
using Microsoft.WindowsAzure.Storage.Auth;
using Microsoft.WindowsAzure.Storage.Blob;

namespace cifradoApp
{
    class Program
    {
        // Acquires an AAD access token for Key Vault with the registered application's
        // client id and client secret (the app registration credential, not a vault secret).
        private async static Task<string> GetToken(string authority, string resource, string scope)
        {
            var authContext = new AuthenticationContext(authority);
            ClientCredential clientCred = new ClientCredential(
                ConfigurationManager.AppSettings["clientId"],
                ConfigurationManager.AppSettings["clientSecret"]);
            AuthenticationResult result = await authContext.AcquireTokenAsync(resource, clientCred);

            if (result == null)
                throw new InvalidOperationException("Failed to obtain the JWT token");

            return result.AccessToken;
        }

        static void Main(string[] args)
        {
            // This is standard code to interact with Blob storage.
            StorageCredentials creds = new StorageCredentials(
                ConfigurationManager.AppSettings["accountName"],
                ConfigurationManager.AppSettings["accountKey"]);

            CloudStorageAccount account = new CloudStorageAccount(creds, useHttps: true);
            CloudBlobClient client = account.CreateCloudBlobClient();
            CloudBlobContainer contain = client.GetContainerReference(ConfigurationManager.AppSettings["container"]);
            contain.CreateIfNotExists();

            // The Resolver object is used to interact with Key Vault for Azure Storage.
            // This is where the GetToken method from above is used.
            KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(GetToken);

            // Retrieve the secret created previously with Set-AzureKeyVaultSecret.
            // For a secret with content type application/octet-stream the resolver returns
            // a SymmetricKey built from the base64-decoded value (an RSA key under the
            // vault's /keys/ path would come back as an RsaKey instead).
            var rsa = cloudResolver.ResolveKeyAsync(
                "https://ectotecstoragekeyvault.vault.azure.net/secrets/ectotecSecret/dee97a40c78a4638bbb3fa0d3e13f75e",
                CancellationToken.None).GetAwaiter().GetResult();

            // Use the resolved key as the key-encryption key in the BlobEncryptionPolicy.
            BlobEncryptionPolicy policy = new BlobEncryptionPolicy(rsa, null);
            BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = policy };

            // Reference a block blob.
            CloudBlockBlob blob = contain.GetBlockBlobReference("BlobPruebaEncrypted.txt");

            // Upload using the UploadFromStream method; the content is encrypted client-side.
            using (var stream = System.IO.File.OpenRead(@"C:\Users\moise\Desktop\ectotec stuff\Visual Studio\azureStorageSample\container\BlobPrueba.txt"))
            {
                blob.UploadFromStream(stream, stream.Length, null, options, null);
            }
        }
    }
}

My app settings seem to work fine, because I validated them earlier using only my account and the storage account access key: when I tested without attempting client-side encryption, everything worked. The problem seems to come from the secret.

I get an error when I try to upload something to a container (blob) in my storage account:

AdalException: {"error":"invalid_client","error_description":"AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.\r\nTrace ID: 52047a12-b950-4d8a-9206-120e383feb00\r\nCorrelation ID: e2ad8afe-4272-49aa-94c0-5dad435ffc45\r\nTimestamp: 2019-01-02 17:10:32Z","error_codes":[70002,50012],"timestamp":"2019-01-02 17:10:32Z","trace_id":"52047a12-b950-4d8a-9206-120e383feb00","correlation_id":"e2ad8afe-4272-49aa-94c0-5dad435ffc45"}: Unknown error

<appSettings>
  <add key="accountName" value="sampleExample"/>
  <add key="accountKey" value="KeyForMyApp"/>
  <add key="clientId" value="app-id"/>
  <add key="clientSecret" value="qwertyuiopasdfgh"/>
  <add key="container" value="ectotec-sample2"/>
</appSettings>

I am trying to reproduce the example from this tutorial:

https://docs.microsoft.com/en-us/azure/storage/blobs/storage-encrypt-decrypt-blobs-key-vault

1 answer:

Answer 0 (score: 2)

You need to make sure you have granted your application permission to read the key. This is separate from the RBAC permissions on the Key Vault.

To do this, browse to the Key Vault in the portal; in the left-hand menu you will see a Settings section, and under it an item called "Access policies". Click on it.

Access Policies

Then click the "Add new" button. In the window that opens, click the "Select principal" section and enter the name or application ID of the application that needs access. Select the appropriate permissions for keys, secrets or certificates, then click "OK".

This takes you back to the list of authorised users; make sure you click "Save" at the top left (it is not obvious that you need to), and then your application should have access.
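The portal steps in this answer can be scripted with the same AzureRM cmdlets the question used to create the secret, and a script makes it easy to tell the two failure modes on this page apart: the AADSTS50012 error in the question is raised while obtaining the token, before Key Vault is contacted, so it points at the client secret configured for the app registration rather than at the vault's access policy. The following is an added example, not code from the question, the answer or the Microsoft tutorial. The vault and secret names come from the question; $appId, $tenantId and $appClientSecret are placeholders to fill in, and it assumes you start from a session already signed in as a user who can change the vault's access policies.

```powershell
# Added example (not from the question or answer). Grants the registered application
# read access to the vault's secrets, then signs in as that application and reads the
# secret so that each failure surfaces at a distinct step:
#   - Connect-AzureRmAccount fails with AADSTS50012  -> client secret in the app
#     registration is wrong (this is what the question's exception reports)
#   - Get-AzureKeyVaultSecret fails with Forbidden    -> access policy missing or not saved

$vaultName       = 'ectotecStorageKeyVault'   # from the question
$secretName      = 'ectotecSecret'            # from the question
$appId           = '<application (client) id of the registered app>'       # placeholder
$tenantId        = '<directory (tenant) id>'                               # placeholder
$appClientSecret = '<client secret generated under the app registration>'  # placeholder; this is
                                                                           # NOT the value stored in Key Vault

# 1. Equivalent of Access policies > Add new > Select principal > permissions > OK > Save.
#    KeyVaultKeyResolver only needs "get" on secrets for a secret-based key; add
#    -PermissionsToKeys get,wrapKey,unwrapKey if the vault holds an RSA key instead.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $appId -PermissionsToSecrets get

# 2. Verify as the application itself, the same credential the C# GetToken method will present.
$securePwd = ConvertTo-SecureString $appClientSecret -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ($appId, $securePwd)
try {
    Connect-AzureRmAccount -ServicePrincipal -Credential $cred -TenantId $tenantId | Out-Null
} catch {
    throw "Token request failed (AADSTS50012 = wrong client secret in the app registration): $($_.Exception.Message)"
}

# 3. Read the secret's metadata only; the value is key material and is not printed.
try {
    $s = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $secretName
    "Resolved $($s.Id) (content type: $($s.ContentType))"
} catch {
    throw "Key Vault rejected the read (Forbidden = access policy missing or not saved): $($_.Exception.Message)"
}
```

If step 2 succeeds and step 3 fails, the fix is the access policy described in this answer; if step 2 fails with AADSTS50012, regenerate a client secret under the app registration and put that value in the clientSecret app setting, keeping it distinct from the base64 key value stored in the vault.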