java - 从 Azure 密钥保管库获取机密
问题描述
我正在尝试从 azure key vault 中获取秘密。
所以我找到了下面的代码,但出现了错误。
AppServiceMSICredentials credentials = new AppServiceMSICredentials(AzureEnvironment.AZURE);
KeyVaultClient keyVaultClient = new KeyVaultClient(credentials);
String secret = keyVaultClient.getSecret("uri", "secretName").value();
我收到这样的错误:
Error >>> endpoint == null
我也尝试过这种方式:
AppServiceMSICredentials credentials = new AppServiceMSICredentials(AzureEnvironment.AZURE, "MSI Url????", "secret???");
KeyVaultClient keyVaultClient = new KeyVaultClient(credentials);
String secret = keyVaultClient.getSecret("keyVault Uri", "secret name").value();
log.debug("secret=========",secret);
我是 Azure 的新手,现在我找不到解决方案....
我该如何解决?另外我怎样才能找到msi端点和秘密?
谢谢你。
解决方案
You were using managed identity. You do not need to provide any endpoint or secret.
The only thing you need to do is to enable system identity in your web app.
After that, you will get an object id of a service principal. then you can assign access policy in your key vault for that service principal.
Finally, you can access your key vault and secret in your spring boot application.
Update:
If you cannot create managed identity, then you can get an access token with Azure AD library. And then use that token to access key vault.
Here is a code sample:
public class KeyVaultTest {
// Add access policy to user, and access key vault as user
private static AuthenticationResult getAccessTokenAsUser(String authorization, String resource) throws InterruptedException, ExecutionException, MalformedURLException {
String clientId = "1950a258-227b-4e31-a9cf-717495945fc2";
String username = "your user id, jack@hanxia.onmicrosoft.com";
String password = "your password, ********";
AuthenticationResult result = null;
//Starts a service to fetch access token.
ExecutorService service = null;
try {
service = Executors.newFixedThreadPool(1);
AuthenticationContext context = new AuthenticationContext(authorization, false, service);
Future<AuthenticationResult> future = context.acquireToken(resource, clientId, username, password, null);
result = future.get();
} finally {
service.shutdown();
}
if (result == null) {
throw new RuntimeException("Authentication results were null.");
}
return result;
}
public static void main(String[] args) {
String vaultBase = "https://keyvault279.vault.azure.net/";
KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultCredentials(){
@Override
public String doAuthenticate(String authorization, String resource, String scope) {
String token = null;
try {
AuthenticationResult authResult = getAccessTokenAsUser(authorization, resource);
token = authResult.getAccessToken();
} catch (Exception e) {
e.printStackTrace();
}
return token;
}
});
SecretBundle test = keyVaultClient.getSecret(vaultBase, "test");
System.out.println(test.value());
}
}
推荐阅读
- plot - 如何在 Julia 中绘制 3D 高斯的时间演化?
- php - Laravel:如何防止使用同一用户帐户多次登录?
- python-3.x - 如何在下面的代码中使用 for 循环从列表中删除值?
- javascript - 鼠标悬停在fullcallendar时如何拖动事件
- python-3.x - 在pytorch中重置神经网络的参数
- tensorflow - 对象检测 API v2 Tflite 模型后量化
- .htaccess - htaccess 允许具有不同方案的 Origin 多个域
- ios - 为什么 Swift AVAudioPlayer 在 MPRemoteCommandCenter 播放命令后不改变状态?
- linux - 如何使版本排序命令在 sh 文件中工作?
- python - 是否使用 numpy 的 dot 或 matmul 函数