Azure Service Fabric: accessing Azure Key Vault from an ASP.NET Core application hosted in Azure Service Fabric

Tags: azure-service-fabric, azure-keyvault

In my current ASP.NET Core project I use Azure Active Directory authentication with an X509Certificate to access Key Vault. The certificate needs to be installed on the machine so that the application can access it and ultimately read values from Key Vault. Now I am migrating this application to Azure Service Fabric. I have uploaded the certificate to Key Vault and modified the ARM template by adding the following:

"osProfile": {
    "secrets": [
        {
          "sourceVault": {
            "id": "{KeyVaultIdHere}"
          },
          "vaultCertificates": [
            {
              "certificateUrl": "{CertificateUrlHere}",
              "certificateStore": "My"
            }
          ]
        }
      ]
},

But when I deploy the application to Azure Service Fabric, it seems not to have permission to access the certificate. Do I understand correctly that when I create the cluster with an ARM template like this, the certificate is installed in the LocalMachine\My store? If so, is it possible that the OS user running the application does not have access to the certificate's private key? When I run the cluster on my local machine I have to grant the ASF local cluster user special permission to read the private key. Perhaps ASF on Azure needs the same thing? How can that be done? Thanks in advance.

OK, so the solution is to modify the ARM template so that the NETWORK SERVICE user gets access to the certificate's private key. To do this, write the appropriate PowerShell (as here: ) and attach it as a CustomScriptExtension in the ARM template (virtualMachineProfile/extensionProfile/extensions). This can only be done during ARM deployment because, for some reason, Administrators have only Read permission on certificates installed through the ARM template.
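The PowerShell the answer above refers to is not on this page, so the following is an added example (my own code, not the script the answer links to and not part of the original post) of what such a CustomScriptExtension script does: locate the private key file of the certificate that the osProfile/secrets block installed into LocalMachine\My and add a Read ACE for NT AUTHORITY\NETWORK SERVICE. It assumes it runs from the extension during ARM deployment, i.e. as SYSTEM, which the thread notes is the only principal with full access to these keys; the thumbprint is a placeholder, and the function names (Get-PrivateKeyPath, Grant-PrivateKeyRead, Get-PrivateKeyAccess) are mine. The last function is the verification step the comments further down describe doing over RDP.

```powershell
# Added example, not code from the original post or the script it links to.
# Grants NETWORK SERVICE Read access to the private key of a certificate in
# LocalMachine\My, the step the answer says must run during ARM deployment.
# Assumptions: runs elevated (as SYSTEM from the CustomScriptExtension); the
# certificate was installed by osProfile/secrets; thumbprint is a placeholder.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,
    [string]$Principal = 'NT AUTHORITY\NETWORK SERVICE'
)

function Get-PrivateKeyPath {
    # Resolve the on-disk key file. Its location depends on whether the key was
    # imported into a legacy CAPI CSP or into CNG (KSP), so both are handled.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if (-not $Cert.HasPrivateKey) {
        throw "Certificate $($Cert.Thumbprint) has no private key"
    }

    # CAPI: the container name maps to a file under Crypto\RSA\MachineKeys.
    try {
        $csp = $Cert.PrivateKey
        if ($csp -and $csp.CspKeyContainerInfo) {
            $name = $csp.CspKeyContainerInfo.UniqueKeyContainerName
            return Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$name"
        }
    } catch {
        # CNG-backed certificates throw here on older .NET; fall through.
    }

    # CNG: the key's UniqueName is the file name under Crypto\Keys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
    }
    throw "Could not locate the key file for $($Cert.Thumbprint)"
}

function Grant-PrivateKeyRead {
    param([string]$Thumbprint, [string]$Principal)

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert) {
        throw "No certificate with thumbprint $Thumbprint in LocalMachine\My"
    }

    $keyPath = Get-PrivateKeyPath -Cert $cert
    $acl = Get-Acl -Path $keyPath
    # Read is all a service needs to use the key for authentication; never
    # hand FullControl to the service account.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Principal, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
    return $keyPath
}

function Get-PrivateKeyAccess {
    # Verification: list which principals can touch the key and with what rights.
    param([string]$Thumbprint)
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    (Get-Acl -Path (Get-PrivateKeyPath -Cert $cert)).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

$path = Grant-PrivateKeyRead -Thumbprint $Thumbprint -Principal $Principal
Write-Output "Granted Read on $path to $Principal"
Get-PrivateKeyAccess -Thumbprint $Thumbprint
```

In the ARM template the CustomScriptExtension's commandToExecute would invoke it as something like powershell -ExecutionPolicy Unrestricted -File grant-keyaccess.ps1 -Thumbprint <thumbprint> (script file name assumed). Running the same script later, as a member of Administrators, fails at the Get-Acl/Set-Acl step for exactly the reason given in the answer: that group only has Read on the key.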


Here is an application manifest from one of my applications

<?xml version="1.0" encoding="utf-8"?>
<ApplicationManifest xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ApplicationTypeName="S-Innovations.ServiceFabric.GatewayApplicationType" ApplicationTypeVersion="1.0.0" xmlns="http://schemas.microsoft.com/2011/01/fabric">
  <Parameters>
    <Parameter Name="GatewayService_InstanceCount" DefaultValue="-1" />
    <Parameter Name="AzureADServicePrincipal" DefaultValue="" />
    <Parameter Name="TenantId" DefaultValue="" />
    <Parameter Name="ApplicationStorageAccountId" DefaultValue="" />
    <Parameter Name="AzureResourceManagerCertThumbrint" DefaultValue="C03BB5A6410741CDD2927B4FF88C3E67215A393B" />
    <Parameter Name="Azure.KeyVault.Uri" DefaultValue="https://earthml-core-k3ci.vault.azure.net/" />
    <Parameter Name="ASPNETCORE_ENVIRONMENT" DefaultValue="Development" />
  </Parameters>
  <!-- Import the ServiceManifest from the ServicePackage. The ServiceManifestName and ServiceManifestVersion 
       should match the Name and Version attributes of the ServiceManifest element defined in the 
       ServiceManifest.xml file. -->
  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="S-Innovations.ServiceFabric.GatewayServicePkg" ServiceManifestVersion="1.0.0" />
    <ConfigOverrides>
      <ConfigOverride Name="Config">
        <Settings>
          <Section Name="AzureResourceManager">
            <Parameter Name="AzureADServicePrincipal" Value="[AzureADServicePrincipal]" IsEncrypted="true" />
            <Parameter Name="TenantId" Value="[TenantId]" />
            <Parameter Name="ApplicationStorageAccountId" Value="[ApplicationStorageAccountId]" />
            <Parameter Name="Azure.KeyVault.Uri" Value="[Azure.KeyVault.Uri]" />
          </Section>
        </Settings>
      </ConfigOverride>
    </ConfigOverrides>
    <EnvironmentOverrides CodePackageRef="Code">
      <EnvironmentVariable Name="ASPNETCORE_ENVIRONMENT" Value="[ASPNETCORE_ENVIRONMENT]" />
    </EnvironmentOverrides>
    <Policies>
      <RunAsPolicy CodePackageRef="Code" UserRef="Admin" EntryPointType="All" />
    </Policies>
  </ServiceManifestImport>
  <DefaultServices>
    <!-- The section below creates instances of service types, when an instance of this 
         application type is created. You can also create one or more instances of service type using the 
         ServiceFabric PowerShell module.

         The attribute ServiceTypeName below must match the name defined in the imported ServiceManifest.xml file. -->
    <Service Name="GatewayService">
      <StatelessService ServiceTypeName="GatewayServiceType" InstanceCount="[GatewayService_InstanceCount]">
        <SingletonPartition />
      </StatelessService>
    </Service>
    <Service Name="GatewayServiceManagerActorService" GeneratedIdRef="ef5ab963-c061-486e-bb1c-84bf1c2fc7e1|Persisted">
      <StatefulService ServiceTypeName="GatewayServiceManagerActorServiceType">
        <UniformInt64Partition PartitionCount="2" LowKey="-9223372036854775808" HighKey="9223372036854775807" />
      </StatefulService>
    </Service>
  </DefaultServices>
  <Principals>
    <Users>
      <User Name="Service1" AccountType="NetworkService" />
      <User Name="Admin">
        <MemberOf>
          <SystemGroup Name="Administrators" />
        </MemberOf>
      </User>
    </Users>
  </Principals>
  <Policies>
    <SecurityAccessPolicies>
      <SecurityAccessPolicy ResourceRef="MyCert" PrincipalRef="Service1" ResourceType="Certificate" />
    </SecurityAccessPolicies>
  </Policies>
  <Certificates>
    <SecretsCertificate X509FindValue="[AzureResourceManagerCertThumbrint]" Name="MyCert" />
  </Certificates>
</ApplicationManifest>


I have been using this without any of the issues you mention about the application not being able to access the certificate. Maybe this can help you simplify the ARM script :)


I have remoted into a VM from the ASF cluster and found that the private key permissions are missing on this certificate. But I cannot set them manually, because "Administrators" only have "Read" permission on this certificate. For this reason I will try to modify the ARM template so that it "unblocks" the private key for NETWORK_SERVICE, which the ASF cluster is running as.

The ACLing of NETWORK_SERVICE should already have been done automatically when the certificate was set up. What does your code for accessing Key Vault look like? Maybe your method looks in cert:\currentuser\my by default, which of course is not correct for SF!

My method definitely looks in the localmachine/My store. When I run the ASF local cluster it works fine. Interestingly, as you mention, NETWORK_SERVICE should have access to the private key of such a certificate installed with the ARM template. Apparently it does not. Only SYSTEM has full access to it. The Administrators group is also listed, but with only Read permission.