1

我有一个 .NET Core 3.1 Web API 项目,我正在尝试连接 Azure App Config。我让它在其他几个 .NET Framework 项目中工作得很好,但是当我尝试在 Core 3.1 项目中实现它时,如果 App Cong只包含未加密的值,我可以从 App Config 中读取未加密的值,但是得到每当我的应用程序配置包含对任何Azure Key Vault 机密的任何引用时都会出现异常。

到目前为止,我只是通过 API 解决方案中的单元测试项目来证明这一点。这是代码:

namespace WebApi.Test.Integration.Settings
{
    public abstract class SettingsTestBase
    {
        protected SettingsTestBase()
        {
            Environment.SetEnvironmentVariable("Azure_Tenant_Id", "my-tenant-id");

            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        }
    }
    
    public class SettingsTests : SettingsTestBase
    {
        [Fact]
        public void SettingsRequest_ReturnsValidSettings()
        {
            var config = GetConfiguration("https://my.keyvault.url.net");

            var setting = config["my-keyvaultvalue-v1"] ?? "Hello world!";

            Assert.NotNull(setting);
            Assert.NotEqual(string.Empty, setting);
            Assert.NotEqual("Hello world!", setting);
        }

        private IConfigurationRoot GetConfiguration(string uri)
        {
            var azureCred = new DefaultAzureCredential();
            var chainedCred = new ChainedTokenCredential(azureCred);
            var builder = new ConfigurationBuilder();

            //The optional:true parameter for AddAzureAppConfiguration does not work, as of AzureAppConfiguration 3.0.1, 
            //specifically for the KeyVaultReferenceException we're experiencing. However, this would only gracefully not
            //load our key vault secrets, not solve the problem we're having with retrieving secrets.
            //https://github.com/Azure/AppConfiguration-DotnetProvider/issues/136
            builder.AddAzureAppConfiguration(options =>
                options.Connect(new Uri(uri), chainedCred), optional: true);

            var config = builder.Build();

            return config;
        }
    }
}

到目前为止我已经包含的包:

Azure.Identity -v 1.1.1
Microsoft.Azure.KeyVault -v 3.0.5
Microsoft.Azure.Services.AppAuthentication -v 1.5.0
Microsoft.Extensions.Configuration.AzureAppConfiguration -v 3.0.1
Microsoft.Extensions.Configuration.AzureKeyVault -v 3.1.5

这是我运行测试时得到的结果:

 WebApi.Test.Integration.Settings.SettingsTests.SettingsRequest_ReturnsValidSettings
   Source: SettingsTests.cs
   Duration: 5 sec

  Message: 
    Microsoft.Extensions.Configuration.AzureAppConfiguration.KeyVaultReferenceException : No key vault credential configured and no matching secret client could be found.. ErrorCode:, Key:my-keyvaultsecretvalue-v1, Label:, Etag:xxxxxxxxxxxxxxxxxxxxxxxxx, SecretIdentifier:https://my.keyvault.url.net/secrets/my-keyvaultsecretvalue-v1
    ---- System.UnauthorizedAccessException : No key vault credential configured and no matching secret client could be found.
  Stack Trace: 
    AzureKeyVaultKeyValueAdapter.ProcessKeyValue(ConfigurationSetting setting, CancellationToken cancellationToken)
    AzureAppConfigurationProvider.ProcessAdapters(ConfigurationSetting setting, CancellationToken cancellationToken)
    AzureAppConfigurationProvider.SetData(IDictionary`2 data, CancellationToken cancellationToken)
    AzureAppConfigurationProvider.LoadAll(Boolean ignoreFailures)
    AzureAppConfigurationProvider.Load()
    ConfigurationRoot.ctor(IList`1 providers)
    ConfigurationBuilder.Build()
    SettingsTests.GetConfiguration(String uri) line 91
    SettingsTests.SettingsRequest_ReturnsValidSettings() line 60
    ----- Inner Stack Trace -----
    AzureKeyVaultSecretProvider.GetSecretValue(Uri secretUri, CancellationToken cancellationToken)
    AzureKeyVaultKeyValueAdapter.ProcessKeyValue(ConfigurationSetting setting, CancellationToken cancellationToken)
4

1 回答 1

2

未配置 Key Vault 访问权限。

尝试调用:

builder.AddAzureAppConfiguration(options =>
  {
    options.Connect(new Uri(uri), chainedCred);
    options.ConfigureKeyVault(kv => kv.SetCredential(chainedCred));
  }, optional: true);

chainedCred需要用于有权访问引用的 Key Vault 的主体。

或者,如果您未配置 Key Vault 的原因是您不想要机密,则需要设置 AzureAppConfiguration 选项,以便仅查询不引用 Key Vault 的设置。

于 2020-06-24T22:02:33.483 回答