This article covers Azure Key Vault: how to handle "access denied". It is a translated Q&A that may serve as a reference for anyone hitting the same problem.

Problem description

I have the following code for obtaining a secret from the Azure key vault:

using System;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;                        // KeyVaultClient (Microsoft.Azure.KeyVault package)
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL: AuthenticationContext, ClientCredential

public static class KeyVaultHelper
{
    // Callback that KeyVaultClient invokes to obtain a bearer token for the Key Vault resource.
    public static async Task<string> GetToken(string authority, string resource, string scope)
    {
        var authContext = new AuthenticationContext(authority);
        ClientCredential clientCred = new ClientCredential(...); //app id, app secret
        AuthenticationResult result = await authContext.AcquireTokenAsync(resource, clientCred);

        if (result == null)
            throw new InvalidOperationException("Failed to obtain the JWT token");

        return result.AccessToken;
    }

    public static string GetSecret(string secretName)
    {
        KeyVaultClient keyVaultClient = new KeyVaultClient(GetToken);
        try
        {
            // Blocks on .Result; a service-side "access denied" surfaces here as a KeyVaultErrorException
            // wrapped in an AggregateException.
            return keyVaultClient.GetSecretAsync("my-key-vault-url", secretName).Result.Value;
        }
        catch (Exception ex)
        {
            // The real error message is in ex (or ex.InnerException); only "Error" reaches the caller.
            return "Error";
        }
    }
}

The error I am getting is "access denied", which (I think) means that the id, secret and the vault's url are fine. However, I don't know what I can do differently to fix this error; is there maybe a setting in the Azure portal which is preventing me from reading a secret?

Recommended answer

To fix access denied you need to configure Active Directory permissions. Grant access to KeyVault.

1. Using PowerShell, run the following command:

# GetSecretAsync is governed by the secret permissions of the policy ('get' on secrets);
# the key permissions below only matter if the application also uses keys.
Set-AzureRmKeyVaultAccessPolicy -VaultName 'XXXXXXX' -ServicePrincipalName XXXXX -PermissionsToSecrets get -PermissionsToKeys decrypt,sign,get,unwrapKey

2. Using the Azure portal

  1. Open Key Vaults
  2. Select Access Policies from the Key Vault resource blade
  3. Click the [+ Add Access Policy] button at the top of the blade
  4. Click Select Principal to select the application you created earlier
  5. From the Key permissions drop down, select "Decrypt", "Sign", "Get", "UnwrapKey" permissions
  6. Save changes

Authorize an application to use a key or secret
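The following PowerShell script is an added example that is not part of the original question or answer. It carries the answer's access-policy procedure through end to end for the case the question actually asks about (reading a secret): grant the secret permission, read the policy back from the vault to confirm it applied to the right principal, and fail loudly if the 'get' secret permission is still missing. The vault name, application id and secret name are placeholder assumptions; the cmdlets are the AzureRM ones the answer uses (Set-AzureRmKeyVaultAccessPolicy, Get-AzureRmKeyVault, Get-AzureRmADServicePrincipal, Get-AzureKeyVaultSecret).

```powershell
# Added example, not code from the original page. Requires the AzureRM.KeyVault and
# AzureRM.Resources modules and an interactive sign-in with rights to manage the vault.
$vaultName  = 'my-key-vault'                           # assumption: your Key Vault name
$appId      = '00000000-0000-0000-0000-000000000000'   # assumption: application (client) id of the app
$secretName = 'my-secret'                              # assumption: the secret the app reads

Login-AzureRmAccount | Out-Null

# KeyVaultClient.GetSecretAsync is authorized by the policy's *secret* permissions.
# Granting only decrypt/sign/get/unwrapKey on keys leaves secret reads with "access denied".
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $appId `
    -PermissionsToSecrets get,list

# Verify: resolve the service principal's object id and find its entry in the vault's policies.
$spObjectId = (Get-AzureRmADServicePrincipal -ServicePrincipalName $appId).Id
$policy = (Get-AzureRmKeyVault -VaultName $vaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $spObjectId }

if (-not $policy) {
    throw "No access policy found for service principal $appId on vault $vaultName"
}
"Secret permissions for ${appId}: $($policy.PermissionsToSecrets -join ',')"
if ($policy.PermissionsToSecrets -notcontains 'get') {
    throw "Access policy exists but lacks the 'get' secret permission; GetSecretAsync will still fail"
}

# Smoke test with the signed-in user's identity (that user needs a 'get' secret policy too).
(Get-AzureKeyVaultSecret -VaultName $vaultName -Name $secretName).SecretValueText
```

The read-back step is what catches the two common causes of a lingering "access denied": the policy was written for a different object (for example the user who ran the command instead of the application), or it carries key permissions but no secret permissions. On the current Az module the same cmdlets are Set-AzKeyVaultAccessPolicy, Get-AzKeyVault and Get-AzKeyVaultSecret; if the vault is configured for the Azure RBAC permission model instead of access policies, assign the application the "Key Vault Secrets User" role on the vault rather than editing access policies.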

That concludes this article on Azure Key Vault: access denied. We hope the recommended answer helps.

08-15 13:04