I am trying to implement Azure Key Vault in my application so that it can retrieve stored secrets for use. Retrieving a secret locally takes me 12-15 seconds, which is unacceptable in any scenario. Below is the code I use to access my key vault and its specific secret name.
    // Only managed identity and Visual Studio credentials stay in the chain.
    DefaultAzureCredential credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
    {
        ExcludeAzureCliCredential = true,
        ExcludeAzureDeveloperCliCredential = true,
        ExcludeAzurePowerShellCredential = true,
        ExcludeEnvironmentCredential = true,
        ExcludeInteractiveBrowserCredential = true,
        ExcludeManagedIdentityCredential = false,
        ExcludeSharedTokenCacheCredential = true,
        ExcludeVisualStudioCodeCredential = true,
        ExcludeVisualStudioCredential = false,
        ExcludeWorkloadIdentityCredential = true
    });

    // Retry policy for the Key Vault calls themselves (not for the credential).
    SecretClientOptions options = new SecretClientOptions()
    {
        Retry =
        {
            Delay = TimeSpan.FromMilliseconds(10),
            MaxDelay = TimeSpan.FromMilliseconds(1000),
            MaxRetries = 5,
            Mode = RetryMode.Exponential
        }
    };

    var client = new SecretClient(vaultUri: new Uri("my-vault-uri"), credential: credential, options: options);
    KeyVaultSecret secret = isTestMode
        ? await client.GetSecretAsync("test-secret")
        : await client.GetSecretAsync("live-secret");
    return secret.Value.ToString();
I am currently using Visual Studio credentials for local development and (probably) managed identity for the deployed application (although I have not been able to figure out the correct access configuration, so that may be another question to ask).

Has anyone else experienced and solved this? Even waiting 1 second to retrieve a secret is too slow.
ManagedIdentityCredential can take a long time to query. The best way to diagnose where the time is going is tracing and/or logging. See https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/core/Azure.Core/samples/Diagnostics.md for details, but basically - I would also recommend just using a ChainedTokenCredential if you know exactly what you want:
    // Top-level program: run as `dotnet run -- <vault-uri> <secret-name>`.
    using Azure.Core.Diagnostics;
    using Azure.Identity;
    using Azure.Security.KeyVault.Secrets;

    if (args.Length < 2)
    {
        throw new Exception($"Usage: {Environment.ProcessPath} {{vault-uri}} {{secret-name}}");
    }

    // Try managed identity first, then fall back to the Azure CLI login.
    // Logging is enabled on each credential so the listener below shows
    // every token request and how long it took.
    ChainedTokenCredential credential = new(
        new ManagedIdentityCredential(options: new()
        {
            Diagnostics =
            {
                IsLoggingEnabled = true,
            },
        }),
        new AzureCliCredential(options: new()
        {
            Diagnostics =
            {
                IsLoggingEnabled = true,
            },
        })
    );

    Uri vaultUri = new(args[0], UriKind.Absolute);
    SecretClient client = new(vaultUri, credential, options: new()
    {
        Diagnostics =
        {
            IsLoggingEnabled = true,
        },
    });

    // Writes Azure SDK event-source output to the console.
    using AzureEventSourceListener listener = AzureEventSourceListener.CreateConsoleLogger();

    KeyVaultSecret secret = await client.GetSecretAsync(args[1]);
    Console.WriteLine(secret.Value);
On my dev box this wrote useful information to stdout, including that each of the 4 attempts to get a ManagedIdentityToken took about 3 seconds (we intentionally vary the timing). You can change the RetryOptions of the ManagedIdentityCredential to shorten the time or reduce the retries, which ChainedTokenCredential lets you do.

If you know this is a development environment, you could also just not add it, as your isTestMode check suggests, for example:
    using Azure.Core; // TokenCredential
    using Azure.Identity;

    // Only include the managed identity probe when it is expected to succeed.
    List<TokenCredential> credentials = new(capacity: 2);
    if (isTestMode)
    {
        credentials.Add(new ManagedIdentityCredential());
    }
    credentials.Add(new AzureCliCredential());
    ChainedTokenCredential credential = new([.. credentials]);
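As an added example (not code from the question or the answer above), this combines the two suggestions: the ManagedIdentityCredential gets a much tighter RetryOptions so a probe that cannot reach the managed identity endpoint fails fast, it is only added to the chain when the app is not running locally, and a Stopwatch around the lookup makes the cost of the credential chain visible next to the SDK's diagnostic log. The vault URI and secret name are placeholders, and it assumes the same Azure.Identity and Azure.Security.KeyVault.Secrets packages as the answer.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using Azure.Core;
using Azure.Core.Diagnostics;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Placeholders: replace with your vault URI and secret name.
Uri vaultUri = new("https://<your-vault>.vault.azure.net/", UriKind.Absolute);
string secretName = "<secret-name>";

// Assumption: a local dev box has no managed identity, so skip the probe there.
bool runningLocally = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") == "Development";
TokenCredential credential = BuildCredential(runningLocally);

// Surface the SDK's own timing/diagnostic events on the console.
using AzureEventSourceListener listener = AzureEventSourceListener.CreateConsoleLogger();

SecretClient client = new(vaultUri, credential);
Stopwatch sw = Stopwatch.StartNew();
KeyVaultSecret secret = await client.GetSecretAsync(secretName);
sw.Stop();
Console.WriteLine($"Retrieved '{secret.Name}' in {sw.ElapsedMilliseconds} ms");

static TokenCredential BuildCredential(bool runningLocally)
{
    List<TokenCredential> chain = new(capacity: 2);
    if (!runningLocally)
    {
        // One quick attempt with a short network timeout instead of the default
        // back-off, so an unreachable IMDS endpoint costs well under a second.
        TokenCredentialOptions miOptions = new()
        {
            Retry =
            {
                MaxRetries = 1,
                Delay = TimeSpan.FromMilliseconds(100),
                MaxDelay = TimeSpan.FromMilliseconds(500),
                NetworkTimeout = TimeSpan.FromSeconds(2),
                Mode = RetryMode.Fixed,
            },
            Diagnostics = { IsLoggingEnabled = true },
        };
        chain.Add(new ManagedIdentityCredential(options: miOptions));
    }
    // Developer login used locally, and as the fallback when MI is unavailable.
    chain.Add(new AzureCliCredential());
    return new ChainedTokenCredential([.. chain]);
}
```

Compare the stopwatch figure with and without the managed identity entry in the chain to confirm where the seconds are going before changing anything else.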