Reading Key Vault values in a policy with Azure API Management

Time: 2019-07-17 15:49:04

Tags: azure azure-api-management azure-keyvault

Is it possible to read a value kept in Key Vault, or a Key Vault-backed value in "Named Values"?

Managed identity has been enabled in APIM and a Secret has been created in Key Vault.

<policies>
    <inbound>
        <base />
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Error:" require-expiration-time="true" require-scheme="Bearer" require-signed-tokens="true">
            <openid-config url="https://xxx" />
            <audiences>
                <audience>read it from Key Vault, or KeyValted value in Named Values</audience>
            </audiences>
            <issuers>
                <issuer>https://openid-connect-eu.onelogin.com/oidc</issuer>
            </issuers>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

The links below seem relevant, but I would like to know whether there is simpler code, such as the one-liner used for Azure Functions.

https://madeofstrings.com/2019/06/13/azure-api-management-key-vault-and-managed-identities/

https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-use-managed-service-identity

1 answer:

Answer 0 (score: 1)

We cannot use the same method as with Azure Functions to get Azure Key Vault secrets. We need to use MSI to get an access token and then use the Key Vault API with that token to get the secret. For more details, please refer to the document link.

  1. Configure MSI

  2. Set an access policy in Azure Key Vault

  Set-AzKeyVaultAccessPolicy -VaultName "your vault name" -ResourceGroupName "your group name" -ObjectId "the principal id you copy" -PermissionsToSecrets get, list, set, delete

  3. Configure the policy

<send-request mode="new" response-variable-name="responseObj" timeout="30" ignore-error="true">
           <set-url>https://YOUR_KV_HOST/secrets/SEC_NAME/SEC_ID?api-version=7.0</set-url>
           <set-method>GET</set-method>
           <authentication-managed-identity resource="https://vault.azure.net" />
</send-request>
<!-- Once this step is done, the response object is stored in context.Variables["responseObj"] -->

<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Error:" require-expiration-time="true" require-scheme="Bearer" require-signed-tokens="true">
            <openid-config url="https://xxx" />
            <audiences>
                <!-- Read the secret's "value" field from the responseObj kept in context -->
                <audience>@((string)((IResponse)context.Variables["responseObj"]).Body.As<JObject>()["value"])</audience>
            </audiences>
            <issuers>
                <issuer>https://openid-connect-eu.onelogin.com/oidc</issuer>
            </issuers>
</validate-jwt>
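The two fragments above, joined into one complete inbound section, as an added example that is not part of the original answer. It adds two things a practitioner would want: the fetched secret is kept in the gateway's internal cache so Key Vault is not called on every request, and the policy fails closed (503) if the Key Vault call did not return 200, since with `ignore-error="true"` the response variable is null on failure and the audience expression would otherwise throw. The cache key `jwt-audience-secret`, the variable names `jwtAudience` and `kvResponse`, and the 300-second cache duration are assumptions; `YOUR_KV_HOST`, `SEC_NAME`, `SEC_ID` and `https://xxx` are the placeholders from the answer.

```xml
<policies>
    <inbound>
        <base />
        <!-- Look for a cached copy of the secret first (cache key is an assumed name) -->
        <cache-lookup-value key="jwt-audience-secret" variable-name="jwtAudience" caching-type="internal" />
        <choose>
            <when condition="@(!context.Variables.ContainsKey(&quot;jwtAudience&quot;))">
                <!-- Cache miss: fetch the secret from Key Vault using the APIM managed identity -->
                <send-request mode="new" response-variable-name="kvResponse" timeout="30" ignore-error="true">
                    <set-url>https://YOUR_KV_HOST/secrets/SEC_NAME/SEC_ID?api-version=7.0</set-url>
                    <set-method>GET</set-method>
                    <authentication-managed-identity resource="https://vault.azure.net" />
                </send-request>
                <choose>
                    <!-- Only trust the response if the call actually succeeded -->
                    <when condition="@{
                        var r = context.Variables.GetValueOrDefault&lt;IResponse&gt;(&quot;kvResponse&quot;);
                        return r != null &amp;&amp; r.StatusCode == 200;
                    }">
                        <set-variable name="jwtAudience" value="@((string)context.Variables.GetValueOrDefault&lt;IResponse&gt;(&quot;kvResponse&quot;).Body.As&lt;JObject&gt;()[&quot;value&quot;])" />
                        <!-- Keep the secret in the gateway's in-memory cache only, not an external cache -->
                        <cache-store-value key="jwt-audience-secret" value="@((string)context.Variables[&quot;jwtAudience&quot;])" duration="300" caching-type="internal" />
                    </when>
                    <otherwise>
                        <!-- Fail closed: never run validate-jwt against a missing audience -->
                        <return-response>
                            <set-status code="503" reason="Service Unavailable" />
                            <set-body>JWT validation configuration could not be loaded.</set-body>
                        </return-response>
                    </otherwise>
                </choose>
            </when>
        </choose>
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Error:" require-expiration-time="true" require-scheme="Bearer" require-signed-tokens="true">
            <openid-config url="https://xxx" />
            <audiences>
                <audience>@((string)context.Variables["jwtAudience"])</audience>
            </audiences>
            <issuers>
                <issuer>https://openid-connect-eu.onelogin.com/oidc</issuer>
            </issuers>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Expressions inside attribute values use `&quot;`, `&lt;` and `&amp;` so the policy document stays well-formed XML. The Key Vault access policy from step 2 only needs `get` for this flow; `list`, `set` and `delete` on the APIM identity are more permission than the policy uses.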