Problem description
I am having trouble accessing a secret from an Azure key vault. I suspect the problem is that I don't adequately understand the terminology, so the arguments I'm supplying to various API calls are wrong.
Here's the basic code I'm using:
protected async Task<string> GetCommunityKeyAsync( UserConfiguration user )
{
    var client = new KeyVaultClient(
        new KeyVaultClient.AuthenticationCallback( GetAccessTokenAsync ),
        new HttpClient() );

    // user.VaultUrl is the address of my key vault
    // e.g., https://previously-created-vault.vault.azure.net
    var secret = await client.GetSecretAsync( user.VaultUrl, "key-to-vault-created-in-azure-portal" );

    return secret.Value;
}

private async Task<string> GetAccessTokenAsync( string authority, string resource, string scope )
{
    var context = new AuthenticationContext( authority, TokenCache.DefaultShared );

    // this line throws a "cannot identify user" exception; see
    // below for details
    var result =
        await context.AcquireTokenAsync( resource, "id-of-app-registered-via-azure-portal", new UserCredential() );

    return result.AccessToken;
}
Here is the exception that gets thrown:
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException
  HResult=0x80131500
  Message=unknown_user: Could not identify logged in user
  Source=Microsoft.IdentityModel.Clients.ActiveDirectory
  StackTrace:
   at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenNonInteractiveHandler.d__4.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.d__57.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.d__37.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContextIntegratedAuthExtensions.d__0.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at NextDoorScanner.ScannerJob.<GetAccessTokenAsync>d__21.MoveNext() in C:\Programming\CommunityScanner\CommunityScanner\ScannerJob.cs:line 197
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at Microsoft.Azure.KeyVault.KeyVaultCredential.d__9.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at Microsoft.Azure.KeyVault.KeyVaultCredential.<ProcessHttpRequestAsync>d__10.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.KeyVault.KeyVaultClient.<GetSecretWithHttpMessagesAsync>d__65.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.d__11.MoveNext()
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at NextDoorScanner.ScannerJob.<GetCommunityKeyAsync>d__20.MoveNext() in C:\Programming\CommunityScanner\CommunityScanner\ScannerJob.cs:line 188
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at NextDoorScanner.NextDoorScannerJob.d__4.MoveNext() in C:\Programming\CommunityScanner\CommunityScanner\NextDoorScannerJob.cs:line 46
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at NextDoorScanner.Program.Main(String[] args) in C:\Programming\CommunityScanner\CommunityScanner\Program.cs:line 22
I did some configuration, which I thought involved registering my desktop as an Azure user, via PowerShell:

Login-AzureRmAccount
# as I recall, this next line complained about the app ID already being defined
New-AzureRmADServicePrincipal -ApplicationId 'id-of-app-previously-defined-via-azure-portal'
Set-AzureRmKeyVaultAccessPolicy -VaultName 'vault-name' -ServicePrincipalName id-of-app-previously-defined-via-azure-portal -PermissionsToSecrets Get
I'm unclear if I'm supposed to be providing the vault key to GetSecretAsync(). I also wonder if I'm supposed to be doing something other than passing a newly-created UserCredential to AcquireTokenAsync(). Finally, I see references online to creating a storage account for use with key vaults, which I did, but I didn't create the vault I'm using "in" a storage account. And I'm not identifying the storage account in the code.
Help, or a reference to a really good example accessing key vaults from a console desktop app would be appreciated.
Mark's blog was extremely helpful; from that blog I learnt how to do it, and below are the steps and code as of 6-Nov-2018.
Summary of the steps:
- Register App
- Create Key inside this newly registered App
- Create Key Vault and Assign permission to the app
- Create Secret inside the vault
- Access them through code
using Microsoft.Azure.KeyVault;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;

namespace Experiments.AzureKeyValut
{
    internal class AzureKeyValueDemo
    {
        private static async Task Main(string[] args)
        {
            await GetSecretAsync("https://YOURVAULTNAME.vault.azure.net/", "YourSecretKey");
        }

        private static async Task<string> GetSecretAsync(string vaultUrl, string vaultKey)
        {
            var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessTokenAsync), new HttpClient());
            var secret = await client.GetSecretAsync(vaultUrl, vaultKey);
            return secret.Value;
        }

        private static async Task<string> GetAccessTokenAsync(string authority, string resource, string scope)
        {
            //DEMO ONLY
            //Storing ApplicationId and Key in code is bad idea :)
            var appCredentials = new ClientCredential("YourApplicationId", "YourApplicationKey");
            var context = new AuthenticationContext(authority, TokenCache.DefaultShared);
            var result = await context.AcquireTokenAsync(resource, appCredentials);
            return result.AccessToken;
        }
    }
}
How to register your app:
How to create Azure App's password and get your App's Id
How to create Azure Key Vault and Assign Permissions
How to create Azure secrets
How to access it through code
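As an added example (not code from the question, the answer or Microsoft), this is the answer's client-credential flow with the app ID and key taken out of the source, as the answer's DEMO ONLY comment advises, and with the two failure points the question ran into (the token request to Azure AD, and the vault's access policy) reported separately. The environment variable names, the class name and the method names are assumptions.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
// Added example, not the question's, the answer's or Microsoft's code: the answer's
// client-credential flow with the app ID and key read from the environment instead
// of being compiled in. KEYVAULT_CLIENT_ID / KEYVAULT_CLIENT_SECRET are assumed names.
internal static class KeyVaultReader
{
    // Key Vault calls this after its first reply (a 401 Bearer challenge): 'authority' is the
    // tenant login URL from that challenge, 'resource' is https://vault.azure.net; pass both through.
    private static async Task<string> GetAccessTokenAsync(string authority, string resource, string scope)
    {
        var clientId = Environment.GetEnvironmentVariable("KEYVAULT_CLIENT_ID");
        var clientSecret = Environment.GetEnvironmentVariable("KEYVAULT_CLIENT_SECRET");
        if (string.IsNullOrEmpty(clientId) || string.IsNullOrEmpty(clientSecret))
            throw new InvalidOperationException("KEYVAULT_CLIENT_ID / KEYVAULT_CLIENT_SECRET not set.");
        // A console app authenticates as the app registration (its ID plus the key from
        // the "Create Key inside this newly registered App" step), not as a user.
        var context = new AuthenticationContext(authority, TokenCache.DefaultShared);
        var result = await context.AcquireTokenAsync(resource, new ClientCredential(clientId, clientSecret));
        return result.AccessToken;
    }

    // vaultUrl is https://<vault-name>.vault.azure.net/ and secretName is the name the
    // secret was given in the portal ("Create Secret inside the vault").
    public static async Task<string> ReadSecretAsync(string vaultUrl, string secretName)
    {
        var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessTokenAsync), new HttpClient());
        try
        {
            SecretBundle bundle = await client.GetSecretAsync(vaultUrl, secretName);
            return bundle.Value;
        }
        catch (AdalException ex)
        {
            // Token step failed (ErrorCode: unknown_user in the question, invalid_client for a wrong key); log the code, never the token.
            Console.Error.WriteLine($"Could not obtain a token: {ex.ErrorCode}");
            throw;
        }
        catch (KeyVaultErrorException ex)
        {
            // A token was issued but the vault refused the call; 403 means the access policy lacks Get on secrets for this principal.
            Console.Error.WriteLine($"Vault rejected the request: {ex.Response?.StatusCode}");
            throw;
        }
    }
}
```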