从 apim 中的 azure key Vault 读取密钥

问题描述 投票:0回答:1

您好,我有一个要求,我需要在我的 apim 策略中验证 hmac。为此,hmac 机密将存储在 azure key Vault 中。以下是我在政策中将遵循的步骤

  • 从密钥库中读取密钥
  • 验证 hmac

以下是我尝试过的 apim 策略

<policies>
    <inbound>
        <base />

        <!-- Fetch HMAC key from Key Vault -->
        <set-variable name="keyVaultSecretUri" value="KV_URL/secrets/SECRET_NAME" />
        <set-variable name="keyVaultClientId" value="KV_CLIENT />
        <set-variable name="keyVaultClientSecret" value="KV_SECRET" />

        <set-variable name="request" value="@{
            var keyVaultSecretUri = context.Variables["keyVaultSecretUri"];
            var keyVaultClientId = context.Variables["keyVaultClientId"];
            var keyVaultClientSecret = context.Variables["keyVaultClientSecret"];

            return new {
                method = "GET",
                url = keyVaultSecretUri,
                headers = new {
                    Authorization = "Bearer " + FetchAccessToken(keyVaultClientId, keyVaultClientSecret)
                }
            };
        }" />

        <send-request mode="new" response-variable-name="keyVaultResponse" timeout="20" ignore-error="false">
            <set-url>@(context.Variables["request"].url)</set-url>
            <set-method>@(context.Variables["request"].method)</set-method>
            <set-header name="Authorization" exists-action="override">
                <value>@(context.Variables["request"].headers.Authorization)</value>
            </set-header>
        </send-request>

        <!-- Log Key Vault Response -->
        <trace source="keyVault" severity="information">
            <message>@(context.Variables["keyVaultResponse"].Body?.ToString())</message>
        </trace>
    </inbound>
</policies>

以下是我遇到的错误

 One or more fields contain incorrect values:
Error in element 'set-variable' on line 22, column 10: The name 'FetchAccessToken' does not exist in the current context
Error in element 'send-request' on line 36, column 10: 'object' does not contain a definition for 'url' and no extension method 'url' accepting a first argument of type 'object' could be found (are you missing a using directive or an assembly reference?)
Error in element 'trace' on line 45, column 10: 'object' does not contain a definition for 'Body' and no extension method 'Body' accepting a first argument of type 'object' could be found (are you missing a using directive or an assembly reference?)

基本上在上述策略中我只是想读取秘密并显示。我无法实现这一点。我按照以下链接作为参考https://www.svenmalvik.com/azure-apim-key-vault/。请指导如何进一步进行

azure azure-keyvault hmac policy apim
1个回答
0
投票

我只是想读取秘密并显示

要从 Key Vault 获取密钥值,您需要执行以下设置。

  1. 在 Azure APIM 中启用托管身份,如下所示。

enter image description here

  1. 使用访问策略授予对 Key Vault 中 APIM 的秘密访问权限,如下所示。

enter image description here enter image description here enter image description here enter image description here

  1. 在 APIM 中创建命名值。

enter image description here enter image description here

创建命名值后,您可以使用以下策略来获取密钥并显示该值。

<policies>
    <inbound>
        <base  />
        <set-variable  name="KeyVaultSecret"  value="{{Named value name}}"  />
        <return-response>
            <set-body>@("Key Vault Secret is: "+(context.Variables["KeyVaultSecret"])+"")</set-body>
        </return-response>
    </inbound>
</policy>

我能够获取 Key Vault 秘密值。

enter image description here

您需要使用如下

<send-request>
政策-

<send-request mode="new" response-variable-name="keyVaultResponse" timeout="60" ignore-error="true">
    <set-url>@("pass_the_url")</set-url>
    <set-method>GET</set-method>
    <set-header name="Authorization" exists-action="override">
        <value>@(context.Request.Headers.GetValueOrDefault("Authorization", ""))</value>
    </set-header>
</send-request>

您也可以参考我在这个SO-Thread中的回答。

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.