1

我想使用 Azure Key Vault Provider 来填充我的应用配置。将Microsoft.Azure.Functions.Extensions 1.1.0Azure.Extensions.AspNetCore.Configuration.Secrets结合使用,我的代码如下所示:

local.settings.json

{
    "IsEncrypted": false,
    "Values": {
        "KeyVaultUri": "https://meh.vault.azure.net/",
        "TEST:SuperSecret": "secret-name-of-key-vault-entry"
    }
}

启动.cs

[assembly: FunctionsStartup(typeof(Startup))]
namespace myNamespace
{
    public class Startup : FunctionsStartup
    {
        public override void Configure(IFunctionsHostBuilder builder)
        {
            builder.Services.AddOptions<AppSettingsSecrets>()
                .Configure<IConfiguration>((cfgSection, cfg) => cfg.GetSection("TEST").Bind(cfgSection));
        }
    
        public override void ConfigureAppConfiguration(IFunctionsConfigurationBuilder builder)
        {
            var builtConfig = builder.ConfigurationBuilder.Build();
            var kvEndpoint = builtConfig["KeyVaultUri"];
            var cred = new ChainedTokenCredential(new ManagedIdentityCredential(), new AzureCliCredential()); 
            var opt = new AzureKeyVaultConfigurationOptions { ReloadInterval = TimeSpan.FromHours(24)};
            
            builder.ConfigurationBuilder
                .AddAzureKeyVault(new Uri(kvEndpoint), cred, opt)
                .SetBasePath(Environment.CurrentDirectory)
                .AddJsonFile("local.settings.json", optional: true)
                .AddEnvironmentVariables()
                .Build();
        }
    }
}

函数.cs

namespace myNamespace
{
    public class SEC
    {
        private readonly IOptions<AppSettingsSecrets> _s;
        public SEC(IOptions<AppSettingsSecrets> s) => _s = s;

        [FunctionName(nameof(SEC))]
        public async Task<IActionResult> Run([HttpTrigger(AuthorizationLevel.Function, "get", Route = "sec")] HttpRequest req, ILogger log)
        {
            log.LogInformation(_s.Value.SuperSecret);
            return new OkObjectResult(true);
        }
    }
}

现在当我调用

iwr http://localhost:7071/api/sec

将记录的是秘密名称的文字值secret-name-of-key-vault-entry。不是密钥保管库中的密钥值。

这绝对不是访问策略的问题,因为之前我使用相同的用户主体从同一个保管库手动查询机密。

我错过了什么?任何帮助表示赞赏。

4

1 回答 1

1

我在YouTube 上找到了一个可行的解决方案。在这里发帖,也许其他人可能会受益。

local.settings.json:此处不存在的秘密配置值

{
    "IsEncrypted": false,
    "Values": {
        "KeyVaultUri": "https://meh.vault.azure.net/",
    },
    "Settings": {
        "IsProd": false
    }
}

应用设置.cs

namespace myNamespace
{
    public class AppSettings
    {
        public bool IsProd {get; set;}
        public string GraphCredential {get; set;} = string.Empty;
    }
}

然后在密钥库本身中,使用名称注册一个秘密Settings--GraphCredential(两个破折号!)

namespace myNamespace
{
    public class Startup : FunctionsStartup
    {
        public override void Configure(IFunctionsHostBuilder builder)
        {
            builder.Services.AddOptions<AppSettings>()
                .Configure<IConfiguration>((cfgSection, cfg) => cfg.GetSection("Settings").Bind(cfgSection));
        }
    
        public override void ConfigureAppConfiguration(IFunctionsConfigurationBuilder builder)
        {
            var builtConfig = builder.ConfigurationBuilder.Build();
            var kvEndpoint = builtConfig["KeyVaultUri"];
            var cred = new ChainedTokenCredential(new ManagedIdentityCredential(), new AzureCliCredential()); 
            var opt = new AzureKeyVaultConfigurationOptions { ReloadInterval = TimeSpan.FromHours(24)};
            
            builder.ConfigurationBuilder
                .AddAzureKeyVault(new Uri(kvEndpoint), cred, opt)
                .SetBasePath(Environment.CurrentDirectory)
                .AddJsonFile("local.settings.json", optional: true)
                .AddEnvironmentVariables()
                .Build();
        }
    }
}
于 2021-02-17T15:26:30.717 回答