4.7.1中的Azure Key Vault配置构建器

问题描述 投票:1回答:2

我们不能在我的公司去.net核心。我正在尝试研究如何最好地使用azure密钥保管库来存储我们的api app服务的配置项。

我有一个简单的web api项目与这个global.asax文件:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Http;
using System.Web.Http.WebHost;
using System.Web.Routing;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureKeyVault;

namespace kv.api
{
    public class WebApiApplication : System.Web.HttpApplication
    {
        protected void Application_Start()
        {
            GlobalConfiguration.Configure(WebApiConfig.Register);

            LoadAzureKeyVaultSettings();
        }


        protected void LoadAzureKeyVaultSettings()
        {
            var tokenProvider = new AzureServiceTokenProvider("RunAs=CurrentUser;");

            var kvClient = new KeyVaultClient((authority, resource, scope) => tokenProvider.KeyVaultTokenCallback(authority, resource, scope));

            var builder = new ConfigurationBuilder()
                .AddAzureKeyVault("https://mykvurihere.vault.azure.net/", kvClient, new DefaultKeyVaultSecretManager());

            builder.Build();
        }
    }

}

然后我在这里有一个简单的web api端点:

using System;
using System.Collections.Generic;
using System.Configuration;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using kv.api.Models;

namespace kv.api.Controllers
{
    public class SettingsController : ApiController
    {
        /// <summary>
        /// Method that returns all the keys out of the Configuration Manager's App Settings.  Can use this endpoint to test KeyVault integrations.
        /// </summary>
        /// <returns>List of Settings</returns>
        public IEnumerable<Setting> GetAllSettings()
        {
            var settings = ConfigurationManager.AppSettings.AllKeys
                .Select(key => new Setting()
                {
                    Key = key,
                    Value = ConfigurationManager.AppSettings[key]
                })
                .ToList();

            return settings;
        }
    }
}

它编译,我没有运行时异常,但这个端点不会从密钥库中产生我的配置(我确实得到了我的web.config中定义的appSettings)。我在这里错过了什么?

---更新似乎天蓝门户网站中报告的密钥保管库指标显示我的应用程序正在成功检索机密,但它们未被添加到应用程序的AppSettings ...

谢谢!

azure azure-keyvault
2个回答
2
投票

我做了我的公平分享,所以我决定写一篇相当冗长的博客文章,你可以找到here

简而言之,在我看来,集成Key Vault配置构建器的最佳方式不是通过.NET代码,而是通过adding Key Vault as a connected service,然后在Web.config中进行设置,如下所示:

<configuration>
  <configSections>
    <section name="configBuilders" type="System.Configuration.ConfigurationBuildersSection, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" restartOnExternalChanges="false" requirePermission="false" />
  </configSections>
  <configBuilders>
    <builders>
      <add name="AzureKeyVault" vaultName="your vault's name" type="Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Azure, Version=1.0.0.0, Culture=neutral" />
    </builders>
  </configBuilders>
  <appSettings configBuilders="AzureKeyVault">
    <add key="MyValue" value="Value from Web.config" />
  </appSettings>
  ...
</configuration>

然后,如果您在密钥保管库和应用程序之间正确设置了身份验证,请在密钥保管库中添加一个名为“MyValue”的密码,它将在运行时被替换,您将能够从密钥保管库中访问密钥。应用程序如下:

ConfigurationManager.AppSettings["MyValue"]

0
投票

我找到了一个解决方案,但它看起来真的很糟糕......在这里发布以获得反馈。我最终做的是在ConfigurationManager.AppSettings集合中手动设置键/值,如下所示:

using System.Configuration;
using System.Web.Http;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureKeyVault;
using ConfigurationBuilder = Microsoft.Extensions.Configuration.ConfigurationBuilder;

namespace kv.api
{
    public class WebApiApplication : System.Web.HttpApplication
    {
        protected void Application_Start()
        {
            GlobalConfiguration.Configure(WebApiConfig.Register);

            LoadAzureKeyVaultSettings();
        }


        protected void LoadAzureKeyVaultSettings()
        {
           var tokenProvider = new AzureServiceTokenProvider(ConfigurationManager.AppSettings["AzureServiceTokenProviderConnectionString"]);

           var kvClient =  new KeyVaultClient(
                new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));

            var builder = new ConfigurationBuilder()
                .AddAzureKeyVault("https://mykvurihere.vault.azure.net/", kvClient,
                    new DefaultKeyVaultSecretManager());

           var config = builder.Build();

           foreach (var keyValuePair in config.AsEnumerable())
           {
               ConfigurationManager.AppSettings.Set(keyValuePair.Key, keyValuePair.Value);
           }  
        }
    }
}
© www.soinside.com 2019 - 2024. All rights reserved.