c# - 使用 Azure CLI 在 Rider 中获取 Azure Key Vault 的访问 token

Question

我目前正在尝试在我们的项目中集成 keyvault。我正在运行 Ubuntu (FF) 并在 Rider 中工作。

为了实现这一目标我所做的事情是:

• 为我的 AD 用户创建 keyvault 的访问策略
• 已安装 azure cli，正在运行 az 登录、az 帐户设置订阅
• 已安装 Azure Toolkit for Rider(不确定是否有必要)

我还验证了我可以通过运行 az account get-access-token --resource https://vault.azure.net 来通过 azure cli 获取访问 token

当我运行我的应用程序时，出现此错误:

Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/d8ed8deb-97d7-4062-a791-c45b9561ec8e. Exception Message: Tried the following 3 methods to get an access token, but none of them worked.
Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/d8ed8deb-97d7-4062-a791-c45b9561ec8e. Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.
Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/d8ed8deb-97d7-4062-a791-c45b9561ec8e. Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Environment variable LOCALAPPDATA not set.
Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/d8ed8deb-97d7-4062-a791-c45b9561ec8e. Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. 

我尝试了连接字符串的不同选项，但无论我尝试什么，它都表示无法获取访问 token 。由于我已经使用 az login 登录，我认为获取对保管库的访问权限应该可以正常工作，但我可能遗漏了一些东西。

编辑:添加代码

我正在遵循本指南:https://learn.microsoft.com/en-us/azure/key-vault/general/service-to-service-authentication

        var tokenProvider = new AzureServiceTokenProvider();
        var client = new KeyVaultClient(
            new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));
        var builder = new ConfigurationBuilder();
        builder.AddAzureKeyVault(config.Url, client, new DefaultKeyVaultSecretManager());

如您所见，我正在尝试将 keyvault 中的 secret 添加到配置中。

Answer 1

如果您想访问 azure keyvault，例如通过 Azure CLI 身份验证在本地加密，您可以使用 AzureCliCredential进行身份验证。

通过 az login 登录 Azure CLI 后，使用以下代码。

var client = new SecretClient(new Uri("https://myvault.azure.vaults.net/"), new AzureCliCredential());
//something you want e.g. get secret
secret = client.GetSecret("secret-name");

如果你想访问keyvault中的 key ，你可以使用

var client = new KeyClient(new Uri("https://myvault.azure.vaults.net/"), new AzureCliCredential());
key = client.GetKey("key-name");

引用 - https://learn.microsoft.com/en-us/dotnet/api/overview/azure/key-vault

更新:

如果您想通过 Azure CLI 身份验证使用 AzureServiceTokenProvider，请添加 RunAs=Developer; DeveloperTool=AzureCli在您的代码中。

登录Azure CLI后，运行代码:

var tokenProvider = new AzureServiceTokenProvider(RunAs=Developer; DeveloperTool=AzureCli);
var client = new KeyVaultClient(
        new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));