Get a secret from Azure Key Vault

Problem description

I am trying to get a secret from Azure Key Vault.

So I found the code below, but I got an error.

import com.microsoft.azure.AzureEnvironment;
import com.microsoft.azure.credentials.AppServiceMSICredentials;
import com.microsoft.azure.keyvault.KeyVaultClient;

// Managed-identity credentials; no endpoint or secret is passed here
AppServiceMSICredentials credentials = new AppServiceMSICredentials(AzureEnvironment.AZURE);

KeyVaultClient keyVaultClient = new KeyVaultClient(credentials);

String secret = keyVaultClient.getSecret("uri", "secretName").value();

I get an error like this:

Error >>> endpoint == null

I also tried this way:

import com.microsoft.azure.AzureEnvironment;
import com.microsoft.azure.credentials.AppServiceMSICredentials;
import com.microsoft.azure.keyvault.KeyVaultClient;

// Same credentials, but with an explicit MSI endpoint and secret
AppServiceMSICredentials credentials = new AppServiceMSICredentials(AzureEnvironment.AZURE, "MSI Url????", "secret???");
KeyVaultClient keyVaultClient = new KeyVaultClient(credentials);

String secret = keyVaultClient.getSecret("keyVault Uri", "secret name").value();

// SLF4J needs a {} placeholder; log only that a value was retrieved, not the secret itself
log.debug("secret retrieved, length={}", secret.length());

I am new to Azure, and right now I cannot find a solution....

How can I fix this? Also, how can I find the MSI endpoint and secret?

Thank you.

Tags: java, azure, spring-boot, azure-keyvault, secret-key

Solution


You were using managed identity. You do not need to provide any endpoint or secret.

The only thing you need to do is to enable system identity in your web app.

After that, you will get an object id of a service principal. Then you can assign an access policy in your key vault for that service principal.

Finally, you can access your key vault and secret in your spring boot application.
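As an added illustration of the three steps above (this is not the answerer's code), the following Java class reads a secret through the system-assigned identity and fails early with an actionable message when the identity is not available. It assumes, as the azure-client-authentication library does, that App Service exposes the identity through the MSI_ENDPOINT and MSI_SECRET environment variables; the vault URL and secret name are placeholders, and the class and method names are this example's own.

```java
import com.microsoft.azure.AzureEnvironment;
import com.microsoft.azure.credentials.AppServiceMSICredentials;
import com.microsoft.azure.keyvault.KeyVaultClient;
import com.microsoft.azure.keyvault.models.KeyVaultErrorException;
import com.microsoft.azure.keyvault.models.SecretBundle;

/** Reads a Key Vault secret via the App Service system-assigned managed identity (added example). */
public class ManagedIdentitySecretReader {

    // App Service injects these two variables into the process once a managed identity is enabled.
    private static final String MSI_ENDPOINT = "MSI_ENDPOINT";
    private static final String MSI_SECRET = "MSI_SECRET";

    /** Fails fast with a clear message instead of the library's bare "endpoint == null". */
    static void requireManagedIdentity() {
        if (System.getenv(MSI_ENDPOINT) == null || System.getenv(MSI_SECRET) == null) {
            throw new IllegalStateException(
                "Managed identity is not available: " + MSI_ENDPOINT + " / " + MSI_SECRET
                + " are not set. Enable the system-assigned identity on the web app and run the app "
                + "inside App Service; a local run has no MSI endpoint.");
        }
    }

    /**
     * @param vaultBaseUrl placeholder, e.g. "https://<your-vault>.vault.azure.net/"
     * @param secretName   the identity's access policy must grant "Get" on secrets
     */
    static String readSecret(String vaultBaseUrl, String secretName) {
        requireManagedIdentity();
        // No endpoint or secret argument: the credentials object discovers them from the environment.
        AppServiceMSICredentials credentials = new AppServiceMSICredentials(AzureEnvironment.AZURE);
        KeyVaultClient client = new KeyVaultClient(credentials);
        try {
            SecretBundle bundle = client.getSecret(vaultBaseUrl, secretName);
            return bundle.value();
        } catch (KeyVaultErrorException e) {
            // Typical causes: access policy not assigned to the identity (403) or wrong name/URL (404).
            throw new IllegalStateException("Key Vault rejected the request for '" + secretName
                + "': check the access policy and the vault URL", e);
        }
    }

    public static void main(String[] args) {
        String value = readSecret("https://<your-vault>.vault.azure.net/", "<secret-name>");
        // Log only that retrieval succeeded, never the secret value itself.
        System.out.println("Secret retrieved, length=" + value.length());
    }
}
```

The explicit check on the two environment variables is what distinguishes "identity not enabled / running outside App Service" from a vault-side permission problem, which are otherwise easy to confuse when only a bare "endpoint == null" error is visible.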


Update:

If you cannot create managed identity, then you can get an access token with Azure AD library. And then use that token to access key vault.

Here is a code sample:

import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;
import com.microsoft.azure.keyvault.KeyVaultClient;
import com.microsoft.azure.keyvault.authentication.KeyVaultCredentials;
import com.microsoft.azure.keyvault.models.SecretBundle;

import java.net.MalformedURLException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

public class KeyVaultTest {

    // Add access policy to user, and access key vault as user
    private static AuthenticationResult getAccessTokenAsUser(String authorization, String resource) throws InterruptedException, ExecutionException, MalformedURLException {

        String clientId = "1950a258-227b-4e31-a9cf-717495945fc2";
        // Placeholders: replace with the user that has an access policy on the vault
        String username = "your user id, jack@hanxia.onmicrosoft.com";
        String password = "your password,  ********";
        AuthenticationResult result = null;

        // Starts a service to fetch access token.
        ExecutorService service = null;
        try {
            service = Executors.newFixedThreadPool(1);
            // 'authorization' is the tenant authority and 'resource' the Key Vault audience,
            // both supplied by the vault's authentication challenge
            AuthenticationContext context = new AuthenticationContext(authorization, false, service);
            Future<AuthenticationResult> future = context.acquireToken(resource, clientId, username, password, null);
            result = future.get();
        } finally {
            if (service != null) {
                service.shutdown();
            }
        }

        if (result == null) {
            throw new RuntimeException("Authentication results were null.");
        }

        return result;
    }

    public static void main(String[] args) {
        String vaultBase = "https://keyvault279.vault.azure.net/";

        // KeyVaultCredentials calls doAuthenticate whenever the client needs a bearer token
        KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultCredentials(){
            @Override
            public String doAuthenticate(String authorization, String resource, String scope) {
                String token = null;
                try {
                    AuthenticationResult authResult = getAccessTokenAsUser(authorization, resource);
                    token = authResult.getAccessToken();
                } catch (Exception e) {
                    e.printStackTrace();
                }
                return token;
            }
        });

        SecretBundle test = keyVaultClient.getSecret(vaultBase, "test");
        System.out.println(test.value());
    }
}
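Where a managed identity cannot be created, an app registration's own credential (the client-credentials flow) obtains the token without embedding a user name and password in the application as the sample above does. This is an added example, not the answerer's code; it uses the same adal4j and azure-keyvault classes, and the environment variable names AZURE_CLIENT_ID / AZURE_CLIENT_SECRET, the vault URL and the secret name are placeholders chosen here.

```java
import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;
import com.microsoft.aad.adal4j.ClientCredential;
import com.microsoft.azure.keyvault.KeyVaultClient;
import com.microsoft.azure.keyvault.authentication.KeyVaultCredentials;
import com.microsoft.azure.keyvault.models.SecretBundle;

import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

/** Reads a Key Vault secret with an app registration's client credential (added example). */
public class ServicePrincipalKeyVault {

    // Credentials of an app registration that has an access policy on the vault. They are read
    // from the environment rather than hard-coded; the variable names are this example's choice.
    private static final String CLIENT_ID = System.getenv("AZURE_CLIENT_ID");
    private static final String CLIENT_SECRET = System.getenv("AZURE_CLIENT_SECRET");

    static KeyVaultClient buildClient() {
        return new KeyVaultClient(new KeyVaultCredentials() {
            @Override
            public String doAuthenticate(String authorization, String resource, String scope) {
                // 'authorization' (tenant authority) and 'resource' (the Key Vault audience) come
                // from the vault's 401 challenge, so no tenant or audience is hard-coded here.
                ExecutorService service = Executors.newSingleThreadExecutor();
                try {
                    AuthenticationContext context = new AuthenticationContext(authorization, false, service);
                    AuthenticationResult result = context
                        .acquireToken(resource, new ClientCredential(CLIENT_ID, CLIENT_SECRET), null)
                        .get();
                    return result.getAccessToken();
                } catch (Exception e) {
                    // Surface the failure instead of returning null, which would produce an opaque 401 later
                    throw new IllegalStateException("Token acquisition failed for " + resource, e);
                } finally {
                    service.shutdown();
                }
            }
        });
    }

    static String readSecret(String vaultBaseUrl, String secretName) {
        SecretBundle bundle = buildClient().getSecret(vaultBaseUrl, secretName);
        return bundle.value();
    }

    public static void main(String[] args) {
        if (CLIENT_ID == null || CLIENT_SECRET == null) {
            throw new IllegalStateException("Set AZURE_CLIENT_ID and AZURE_CLIENT_SECRET before running");
        }
        String value = readSecret("https://<your-vault>.vault.azure.net/", "<secret-name>");
        // Log only that retrieval succeeded, never the secret value itself.
        System.out.println("Secret retrieved, length=" + value.length());
    }
}
```

The service principal still needs an access policy on the vault (at least "Get" on secrets), exactly as the managed identity does; the only difference is how the bearer token is obtained.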
