问题描述
我正在使用 Microsoft.Azure.keyVault 尝试从 Azure 中的密钥保管库获取机密.
I'm using Microsoft.Azure.keyVault trying to get a secret from a key vault in Azure.
我已将应用程序注册为 Native API 和 Web API.
I've registered an application as both Native and Web API.
登录 AD 成功(可以通过在 AuthenticationContext.AcquireTokenAsync 上获取有效的 AccessToken 来确认).
Logging on to the AD is successful (can confirm this by getting a valid AccessToken on AuthenticationContext.AcquireTokenAsync).
在 Azure AD 中,两个应用程序都在 Key Vault 中获得了访问控制 (IAM) 和访问策略.我已经确认 Key Vault Base Url 和 Secret Name 是正确的,但是在进行以下调用时
In Azure AD both applications have been given Access Control (IAM) and Access Policies in the Key Vault. I have confirmed that the Key Vault Base Url and the Secret Name are correct but when making the following call
var sec = kv.GetSecretAsync("https://xxxxxxx.vault.azure.net", "xxsecretnamexx").GetAwaiter().GetResult();
我不断收到错误
{"Operation returned an invalid status code 'Unauthorized'"} Microsoft.Azure.KeyVault.Models.KeyVaultErrorException
附注:尝试通过以用户身份登录来执行此操作.获取token的代码如下
One sidenote: Attempting to do this by logging in as a user. The code to get the token is as follows
.AcquireTokenAsync(resourceUri,clientId, new Uri(redirectUri), new PlatformParameters(PromptBehavior.SelectAccount))
我们有使用已注册 Azure AD 应用程序的 ID 和密码的工作代码,该应用程序有权访问密钥保管库.
We have working code using the id and secret of an registered Azure AD application that has rights to the key vault.
尝试在不使用关联的已注册 Azure AD 应用程序的 ID 和密码的情况下执行相同操作,而是在获取 Azure AD 的访问令牌时显示登录提示.
Trying to do the same thing without using the id and secret of an associated registered Azure AD application but instead have a login prompt displayed when getting the access token to Azure AD.
推荐答案
我用下面的代码测试它,它在我这边工作正常.resourceUri 是 https://vault.azure.net
I test it with the following code, it works correctly on my side. The resourceUri is https://vault.azure.net
static string appId = "application Id";
static string tenantId = "tenant id";
static string uri = "http://localhost:13526"; //redirect uri
static void Main(string[] args)
{
var kv = new KeyVaultClient(GetAccessToken);
var scret = kv.GetSecretAsync("https://xxxx.vault.azure.net", "xxxx").GetAwaiter().GetResult();
}
public static async Task<string> GetAccessToken(string azureTenantId,string clientId,string redirectUri)
{
var context = new AuthenticationContext("https://login.windows.net/" + tenantId);
var tokenResult = await context.AcquireTokenAsync("https://vault.azure.net", appId, new Uri(uri), new PlatformParameters(PromptBehavior.SelectAccount));
return tokenResult.AccessToken;
}
以下是我的详细步骤.
1.注册一个原生应用
2.添加 KeyVault 权限
2.Add KeyVault Permission
3.添加上面的代码,在我这边测试一下.
3.Add the above code and test it on my side.
Packages.config
<?xml version="1.0" encoding="utf-8"?>
<packages>
<package id="Hyak.Common" version="1.0.2" targetFramework="net461" />
<package id="Microsoft.Azure.Common" version="2.0.4" targetFramework="net461" />
<package id="Microsoft.Azure.Common.Dependencies" version="1.0.0" targetFramework="net461" />
<package id="Microsoft.Azure.KeyVault" version="1.0.0" targetFramework="net461" />
<package id="Microsoft.Bcl" version="1.1.9" targetFramework="net461" />
<package id="Microsoft.Bcl.Async" version="1.0.168" targetFramework="net461" />
<package id="Microsoft.Bcl.Build" version="1.0.14" targetFramework="net461" />
<package id="Microsoft.IdentityModel.Clients.ActiveDirectory" version="3.17.0" targetFramework="net461" />
<package id="Microsoft.Net.Http" version="2.2.22" targetFramework="net461" />
<package id="Newtonsoft.Json" version="6.0.4" targetFramework="net461" />
</packages>
这篇关于尝试从 Azure 密钥保管库获取机密时未授权的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!