This article demonstrates how to access a secret in Azure Key Vault from an Azure virtual machine, using the VM's system-assigned identity together with the Azure SDK.

Inside an Azure VM, access to Key Vault can be authorized through the virtual machine's system-assigned identity, so no client secret or certificate has to be stored with the application.

The steps to set up the system-assigned identity are as follows:

  1. On the VM's Identity page, turn on the system-assigned identity;
  2. On the key vault's Access policies page, add the VM's service principal;

Use the following code inside the virtual machine to read a secret from the key vault. Because the VM's service principal has been granted access, the code can reach the key vault directly; if the same code is copied to a local development computer, it will not be able to access the key vault.

This article uses the following sample code:

using System;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

namespace ConsoleApp1
{
    class Program
    {
        static void Main(string[] args)
        {
            // Name of the secret to read and the URL of the vault that holds it.
            string secretName = "db-connstring";
            var kvUri = "https://sean-key-vault-01.vault.azure.net/";

            // Retry transient failures with exponential back-off.
            SecretClientOptions options = new SecretClientOptions()
            {
                Retry =
                {
                    Delay = TimeSpan.FromSeconds(2),
                    MaxDelay = TimeSpan.FromSeconds(16),
                    MaxRetries = 5,
                    Mode = RetryMode.Exponential
                }
            };

            // On the VM, DefaultAzureCredential obtains a token from the
            // system-assigned managed identity; nothing secret is kept in the code.
            var client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential(), options);

            // Requires the 'get' secret permission in the vault's access policy.
            KeyVaultSecret secret = client.GetSecret(secretName);

            // Printed here only to demonstrate the retrieval.
            Console.WriteLine("Your secret is '" + secret.Value + "'.");

            Console.ReadLine();
        }
    }
}
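The following is an added example, not the original post's code. It reads the same kind of secret but with an explicit ManagedIdentityCredential instead of DefaultAzureCredential, so that a copy run outside the VM fails at authentication instead of falling back to whatever developer login happens to be on the machine, and it maps the errors a practitioner will see onto the two setup steps above (no managed identity endpoint versus a 403 from the vault's access policy). The vault URL and secret name are placeholders to be replaced with your own values.

```csharp
// Added example (not the original post's code): read a Key Vault secret from an
// Azure VM with the system-assigned managed identity, failing fast and reporting
// which setup step is missing when access does not work.
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

namespace KeyVaultManagedIdentityExample
{
    class Program
    {
        // Placeholder values: replace with your own vault URL and secret name.
        const string VaultUri = "https://<your-key-vault>.vault.azure.net/";
        const string SecretName = "db-connstring";

        static async Task<int> Main()
        {
            // ManagedIdentityCredential with no client id uses the VM's
            // system-assigned identity. Unlike DefaultAzureCredential it never
            // tries environment variables, Azure CLI or Visual Studio logins, so
            // the same binary on a developer laptop cannot silently succeed with
            // the developer's own permissions.
            var credential = new ManagedIdentityCredential();

            var options = new SecretClientOptions
            {
                Retry =
                {
                    Delay = TimeSpan.FromSeconds(2),
                    MaxDelay = TimeSpan.FromSeconds(16),
                    MaxRetries = 5,
                    Mode = RetryMode.Exponential
                }
            };

            var client = new SecretClient(new Uri(VaultUri), credential, options);

            try
            {
                KeyVaultSecret secret = await client.GetSecretAsync(SecretName);

                // Hand the value to whatever needs it (e.g. a DB connection);
                // log only metadata, never the secret value itself.
                string expires = secret.Properties.ExpiresOn.HasValue
                    ? secret.Properties.ExpiresOn.Value.ToString("u")
                    : "never";
                Console.WriteLine(
                    $"Retrieved '{secret.Name}' version {secret.Properties.Version}: " +
                    $"{secret.Value.Length} chars, enabled={secret.Properties.Enabled}, expires={expires}");
                return 0;
            }
            catch (CredentialUnavailableException ex)
            {
                // No managed identity endpoint: not running on an Azure VM, or the
                // system-assigned identity is not enabled (setup step 1).
                Console.Error.WriteLine("Managed identity not available: " + ex.Message);
                return 2;
            }
            catch (AuthenticationFailedException ex)
            {
                // Endpoint reachable but the token request itself failed.
                Console.Error.WriteLine("Token request failed: " + ex.Message);
                return 3;
            }
            catch (RequestFailedException ex) when (ex.Status == 403)
            {
                // A token was issued, but the VM's service principal has no 'get'
                // permission on secrets in this vault (setup step 2).
                Console.Error.WriteLine("Key Vault denied access (check the access policy): " + ex.ErrorCode);
                return 4;
            }
            catch (RequestFailedException ex) when (ex.Status == 404)
            {
                Console.Error.WriteLine($"Secret '{SecretName}' does not exist in the vault.");
                return 5;
            }
        }
    }
}
```

When adding the VM's service principal to the access policy, grant only the secret permission the code actually uses (here `get`), not the full set. The reason for preferring the explicit credential is that DefaultAzureCredential's fallback chain lets the same build succeed on a developer machine through the developer's Azure CLI or Visual Studio login, which hides a missing or mis-scoped managed identity until the code reaches the VM.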