sql-server - Connecting to SQL Server from an Azure Function via Key Vault
Problem description
I am trying to connect to SQL Server from a local Azure Function using a Key Vault secret. I set up a function Startup class to configure the connection:
```csharp
using System;
using Microsoft.Azure.Functions.Extensions.DependencyInjection;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureKeyVault;
using Microsoft.Extensions.DependencyInjection;

[assembly: FunctionsStartup(typeof(MyNamespace.Startup))]
//namespace
public class Startup : FunctionsStartup
{
    public Startup()
    {
    }

    public override void Configure(IFunctionsHostBuilder builder)
    {
        string basePath = IsDevelopmentEnvironment() ?
            Environment.GetEnvironmentVariable("AzureWebJobsScriptRoot") :
            $"{Environment.GetEnvironmentVariable("HOME")}\\site\\wwwroot";

        var configurationBuilder = new ConfigurationBuilder()
            .SetBasePath(basePath)
            .AddJsonFile("local.settings.json", optional: true, reloadOnChange: false) // secrets go here. This file is excluded from source control.
            .AddEnvironmentVariables();
        var builtConfig = configurationBuilder.Build();

        var azureServiceTokenProvider = new AzureServiceTokenProvider();
        var keyVaultClient = new KeyVaultClient(
            new KeyVaultClient.AuthenticationCallback(
                azureServiceTokenProvider.KeyVaultTokenCallback));
        configurationBuilder.AddAzureKeyVault(
            $"https://{builtConfig.GetSection("KeyVaultSettings")["KeyVaultName"]}.vault.azure.net/",
            keyVaultClient,
            new DefaultKeyVaultSecretManager());
        var builtConfigWithKeyVault = configurationBuilder.Build(); //necessary?

        // Registering services
        builder
            .Services
            .AddScoped<IUnitOfWork, UnitOfWork>()
            .AddDbContext<DomainDbContext>(
                options => options.UseSqlServer(builtConfigWithKeyVault.GetSection("KeyVaultSettings")["DatabaseConnectionStringSecretName"]));
    }

    public bool IsDevelopmentEnvironment()
    {
        return "Development".Equals(Environment.GetEnvironmentVariable("AZURE_FUNCTIONS_ENVIRONMENT"), StringComparison.OrdinalIgnoreCase);
    }
}
```
In local.settings.json I defined the Key Vault settings:
```json
"KeyVaultSettings": {
    "KeyVaultName": "KeyVault",
    "DatabaseConnectionStringSecretName": "ConnectionString"
}
```
My problem is that no connection is established, because in DbContextOptions the connection string is "ConnectionString":
```csharp
public DomainDbContext(IServiceProvider serviceProvider, DbContextOptions<DomainDbContext> options) : base(options)
{
    //options has wrong connection string
}
```
Is there a problem with the code, or is it generally not possible to access Key Vault from a local Azure Function?!
Solution
If you want to fetch the connection string from Azure Key Vault, please refer to the following code:
```csharp
using System;
using Microsoft.Azure.Functions.Extensions.DependencyInjection;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureKeyVault;
using Microsoft.Extensions.DependencyInjection;

[assembly: FunctionsStartup(typeof(FunctionApp1.Startup))]
namespace FunctionApp1
{
    class Startup : FunctionsStartup
    {
        public override void Configure(IFunctionsHostBuilder builder)
        {
            string basePath = IsDevelopmentEnvironment() ?
                Environment.GetEnvironmentVariable("AzureWebJobsScriptRoot") :
                $"{Environment.GetEnvironmentVariable("HOME")}\\site\\wwwroot";

            // First build: local.settings.json / environment variables only.
            var configurationBuilder = new ConfigurationBuilder()
                .SetBasePath(basePath)
                .AddJsonFile("local.settings.json", optional: true, reloadOnChange: false)
                .AddEnvironmentVariables();
            var currentConfiguration = configurationBuilder.Build();

            // Second build: add the Key Vault provider using the vault name from the first build.
            var azureServiceTokenProvider = new AzureServiceTokenProvider();
            var kvClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
            configurationBuilder
                .AddAzureKeyVault($"https://{currentConfiguration["KeyVaultSettings:KeyVaultName"]}.vault.azure.net/",
                    kvClient, new DefaultKeyVaultSecretManager());
            var keyConfig = configurationBuilder.Build();

            // The setting holds the secret's *name*; look the secret's value up under that name.
            var conStr = keyConfig.GetValue<string>(currentConfiguration["KeyVaultSettings:DatabaseConnectionStringSecretName"]);
            builder.Services
                .AddDbContext<DomainDbContext>(options => options.UseSqlServer(conStr));
        }

        public bool IsDevelopmentEnvironment()
        {
            return "Development".Equals(Environment.GetEnvironmentVariable("AZURE_FUNCTIONS_ENVIRONMENT"), StringComparison.OrdinalIgnoreCase);
        }
    }
}
```
In addition, after you deploy the function to Azure, we can use Azure Key Vault references to simplify your code. For more details, please refer to here and here.
For example:
- Enable Azure MSI on the Azure Function
- In Key Vault, create an access policy for the application identity you created earlier
- Add the reference in the Azure Function Application Settings:
  `@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931)`
- Read the application setting in your code
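The lookup the answer relies on, as an added example that is not the question's or the answer's own code: the app setting stores only the secret's name, and the secret's value must be read under that name, whether it was loaded by the Key Vault configuration provider (local run) or by a Key Vault reference in Application Settings (deployed). Two in-memory providers stand in for local.settings.json and for Key Vault so it runs offline; `ConnectionStringResolver`, the setting values and the connection string are constructed for this example.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Extensions.Configuration;

public static class ConnectionStringResolver
{
    // Returns the connection string, or throws with a clear reason if the secret was not resolved.
    public static string Resolve(IConfiguration config)
    {
        // Step 1: the app setting only carries the *name* of the secret (the question's code stopped here).
        string secretName = config["KeyVaultSettings:DatabaseConnectionStringSecretName"];
        if (string.IsNullOrWhiteSpace(secretName))
            throw new InvalidOperationException("KeyVaultSettings:DatabaseConnectionStringSecretName is not set.");

        // Step 2: the secret's value lives under that name once the Key Vault provider has populated it.
        string value = config[secretName];
        if (string.IsNullOrWhiteSpace(value))
            throw new InvalidOperationException($"Secret '{secretName}' was not loaded; check the identity and the Key Vault access policy.");

        // A Key Vault reference that App Service could not resolve is passed through as the literal
        // "@Microsoft.KeyVault(...)" string, so reject it here instead of handing it to SqlClient.
        if (value.StartsWith("@Microsoft.KeyVault(", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException($"Secret '{secretName}' is an unresolved Key Vault reference.");

        return value;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample settings: first provider plays local.settings.json, second plays Key Vault.
        IConfiguration config = new ConfigurationBuilder()
            .AddInMemoryCollection(new Dictionary<string, string>
            {
                ["KeyVaultSettings:KeyVaultName"] = "KeyVault",
                ["KeyVaultSettings:DatabaseConnectionStringSecretName"] = "ConnectionString",
            })
            .AddInMemoryCollection(new Dictionary<string, string>
            {
                ["ConnectionString"] = "Server=tcp:example.database.windows.net;Database=Domain;", // constructed value
            })
            .Build();

        Console.WriteLine(config["KeyVaultSettings:DatabaseConnectionStringSecretName"]); // "ConnectionString": the name, which is what the question's code passed to UseSqlServer
        Console.WriteLine(ConnectionStringResolver.Resolve(config));                      // the actual connection string
    }
}
```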