在 C#/.NET 中使用 MSI（托管标识）访问 Azure Key Vault
因为我是 Azure 的新手，所以这个问题可能很愚蠢。我正在尝试构建一个服务来预配和管理虚拟机集群。出于安全考虑，我不想把一些敏感数据直接放在每个集群上。因此，我决定为每个集群提供一个 Azure Key Vault 来存储这些数据，并创建一个 MSI（托管标识）分配到集群的每个节点，以便 VM 可以访问 Key Vault 获取机密。在服务端，我需要配置 VM、Key Vault 和 MSI：把 MSI 分配给每个 VM，同时向 MSI 授予访问 AKV 的权限。以下是我的问题：系统分配的 MSI 与用户分配的 MSI——因为集群会有多个节点，为了减少配置整个集群的延迟，用户分配的 MSI 可能……（原文在此处截断）
# Sign in with an account allowed to create resources in the target resource group.
az login
# a. Create the user-assigned managed identity that will be attached to every cluster node.
az identity create -g <RESOURCE GROUP> -n <USER ASSIGNED IDENTITY NAME>
# The repeated login/token pairs below appear this way in the source (one per REST call);
# a single `az login` is sufficient for the whole session.
az login
# Obtain an ARM (management-plane) access token for the REST calls that follow.
# The token is printed to the terminal: it is a bearer credential with the signed-in
# account's permissions, so keep it out of scripts, logs and shell history.
az account get-access-token
az login
az account get-access-token
b. 调用 REST API。安全提示：下面请求体中的 accessPolicies 向 MSI 授予了 keys、secrets、certificates 的全部权限（包括 delete、purge）。按题目描述，集群节点只需要读取机密，应遵循最小权限原则，仅授予 secrets 的 get（必要时加上 list）；enabledForDeployment、enabledForDiskEncryption、enabledForTemplateDeployment 三个开关也只应在集群确实依赖相应功能时才设为 true。另外，创建托管标识所用的 api-version 2015-08-31-preview 是预览版，实际使用时请改用当前的 GA 版本。
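# Create the user-assigned managed identity via the ARM REST API.
# This is a single command; the page had wrapped it in the middle of tokens
# ("resourceGroup\ns/", "loc\nation"), so it could not be pasted as shown.
# <ACCESS TOKEN> is the bearer token from `az account get-access-token`; it carries the
# signed-in account's ARM permissions, so do not log it or leave it in shell history.
# NOTE(review): 2015-08-31-preview is a preview api-version — check for the current GA
# version of the Microsoft.ManagedIdentity resource provider before relying on it.
curl 'https://management.azure.com/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY NAME>?api-version=2015-08-31-preview' \
  -X PUT \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <ACCESS TOKEN>" \
  -d '{"location": "<LOCATION>"}'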
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}?api-version=2018-02-14
Header :
Content-Type: application/json
Authorization: Bearer <ACCESS TOKEN>
Body
{
"location": "westus",
"properties": {
"tenantId": "<your tenant id>",
"sku": {
"family": "A",
"name": "standard"
},
"accessPolicies": [
{
"tenantId": "<your tenant id>",
"objectId": "<the object id of the MSI>",
"permissions": {
"keys": [
"encrypt",
"decrypt",
"wrapKey",
"unwrapKey",
"sign",
"verify",
"get",
"list",
"create",
"update",
"import",
"delete",
"backup",
"restore",
"recover",
"purge"
],
"secrets": [
"get",
"list",
"set",
"delete",
"backup",
"restore",
"recover",
"purge"
],
"certificates": [
"get",
"list",
"delete",
"create",
"import",
"update",
"managecontacts",
"getissuers",
"listissuers",
"setissuers",
"deleteissuers",
"manageissuers",
"recover",
"purge"
]
}
}
],
"enabledForDeployment": true,
"enabledForDiskEncryption": true,
"enabledForTemplateDeployment": true
}
}
b. 调用 REST API。安全提示：下面请求体中的 accessPolicies 向 MSI 授予了 keys、secrets、certificates 的全部权限（包括 delete、purge）。按题目描述，集群节点只需要读取机密，应遵循最小权限原则，仅授予 secrets 的 get（必要时加上 list）；enabledForDeployment、enabledForDiskEncryption、enabledForTemplateDeployment 三个开关也只应在集群确实依赖相应功能时才设为 true。另外，创建托管标识所用的 api-version 2015-08-31-preview 是预览版，实际使用时请改用当前的 GA 版本。
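# Create the user-assigned managed identity via the ARM REST API.
# This is a single command; the page had wrapped it in the middle of tokens
# ("resourceGroup\ns/", "loc\nation"), so it could not be pasted as shown.
# <ACCESS TOKEN> is the bearer token from `az account get-access-token`; it carries the
# signed-in account's ARM permissions, so do not log it or leave it in shell history.
# NOTE(review): 2015-08-31-preview is a preview api-version — check for the current GA
# version of the Microsoft.ManagedIdentity resource provider before relying on it.
curl 'https://management.azure.com/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY NAME>?api-version=2015-08-31-preview' \
  -X PUT \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <ACCESS TOKEN>" \
  -d '{"location": "<LOCATION>"}'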
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.KeyVault/vaults/{vaultName}?api-version=2018-02-14
Header :
Content-Type: application/json
Authorization: Bearer <ACCESS TOKEN>
Body
{
"location": "westus",
"properties": {
"tenantId": "<your tenant id>",
"sku": {
"family": "A",
"name": "standard"
},
"accessPolicies": [
{
"tenantId": "<your tenant id>",
"objectId": "<the object id of the MSI>",
"permissions": {
"keys": [
"encrypt",
"decrypt",
"wrapKey",
"unwrapKey",
"sign",
"verify",
"get",
"list",
"create",
"update",
"import",
"delete",
"backup",
"restore",
"recover",
"purge"
],
"secrets": [
"get",
"list",
"set",
"delete",
"backup",
"restore",
"recover",
"purge"
],
"certificates": [
"get",
"list",
"delete",
"create",
"import",
"update",
"managecontacts",
"getissuers",
"listissuers",
"setissuers",
"deleteissuers",
"manageissuers",
"recover",
"purge"
]
}
}
],
"enabledForDeployment": true,
"enabledForDiskEncryption": true,
"enabledForTemplateDeployment": true
}
}
b. 代码（原文此处引用的参考链接在抓取时已丢失）。注意：示例中 FromServicePrincipal 所需的客户端密钥不应硬编码在源码里；访问策略也应只授予节点实际需要的权限（读取机密），而不是 keys/secrets/certificates 的全部权限。
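// Service-side management code (NuGet package: Microsoft.Azure.Management.Fluent).
// Creates a Key Vault in an existing resource group and grants the cluster's
// user-assigned managed identity (MSI) access to it.
//
// The page's listing had been machine-translated (method names rendered in Chinese,
// full-width quotes, stripped arguments, missing semicolon) and did not compile; this
// restores the Fluent SDK calls it corresponds to.
//
// Security notes:
//  * The service-principal secret must not be hard-coded. It is read from the
//    environment here; substitute your own configuration or secret store.
//  * The VM nodes only need to *read* secrets, so the access policy grants
//    secrets get/list only. The original granted every key, secret and
//    certificate permission (including delete and purge) to every node.
//  * NOTE(review): if this service itself runs in Azure, the Fluent SDK can also
//    authenticate with a managed identity instead of a service principal —
//    confirm the credential factory method for the SDK version in use.
string clientId = "<client id>";
string clientSecret = System.Environment.GetEnvironmentVariable("AZURE_CLIENT_SECRET");
string tenantId = "<tenant id>";

var credentials = SdkContext.AzureCredentialsFactory
    .FromServicePrincipal(clientId, clientSecret, tenantId, AzureEnvironment.AzureGlobalCloud);

var azure = Microsoft.Azure.Management.Fluent.Azure
    .Configure()
    .Authenticate(credentials)
    .WithSubscription("<subscription id>");

var vault = await azure.Vaults.Define("<vault name>")
    .WithRegion(Region.AsiaSouthEast)
    .WithExistingResourceGroup("<resource group name>")
    .DefineAccessPolicy()
        .ForObjectId("<object id of the MSI>")
        // Least privilege: the nodes fetch secrets, nothing more.
        .AllowSecretPermissions(
            Microsoft.Azure.Management.KeyVault.Fluent.Models.SecretPermissions.Get,
            Microsoft.Azure.Management.KeyVault.Fluent.Models.SecretPermissions.List)
        .Attach()
    // Each of these widens who may read from the vault (VM deployment, disk
    // encryption, ARM template deployment); keep only the ones the cluster relies on.
    .WithDeploymentEnabled()
    .WithDiskEncryptionEnabled()
    .WithTemplateDeploymentEnabled()
    .WithSku(Microsoft.Azure.Management.KeyVault.Fluent.Models.SkuName.Standard)
    .CreateAsync();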