Node.js: How do I access Key Vault from Node using an Azure Managed Service Identity?
I followed the instructions to create a Managed Service Identity. Now my environment variables contain MSI_ENDPOINT and MSI_SECRET. In my TypeScript (Node.js) project I import the following:
import {KeyVaultCredentials, KeyVaultClient} from "azure-keyvault";
import {AuthenticationContext, ErrorResponse, TokenResponse} from "adal-node";
If I were not using MSI, I could access my Key Vault with the following code:
let keyVaultCredentials = new KeyVaultCredentials(KeyVault.createAuthenticator(this.clientID, this.clientKey));
let keyVaultClient = new KeyVaultClient(keyVaultCredentials);

// Authenticator invoked by azure-keyvault on each 401 challenge: it exchanges the
// service principal's client credentials for a bearer token for the challenged resource.
private static createAuthenticator(clientID: string, clientKey: string) {
  return (challenge, callback) => {
    let context = new AuthenticationContext(challenge.authorization);
    return context.acquireTokenWithClientCredentials(
      challenge.resource,
      clientID,
      clientKey,
      function (err, tokenResponse: TokenResponse | ErrorResponse) {
        if (err) {
          CLogger.log("error", "Error occurred while acquiring token with key vault credentials: " + JSON.stringify(err));
          // Report the failure through the callback; throwing inside an async callback cannot be caught by the caller
          return callback(new Error("Error occurred while acquiring token with key vault credentials. Check log files"));
        }
        // A type assertion is always truthy; narrow on the presence of the token instead
        if ("accessToken" in tokenResponse) {
          let authorizationValue = tokenResponse.tokenType + " " + tokenResponse.accessToken;
          return callback(null, authorizationValue);
        }
        return callback(new Error("Token response did not contain an access token: " + JSON.stringify(tokenResponse)));
      });
  };
}
I don't know how to get an access token when MSI is enabled. Please help.

The loginWithAppServiceMSI() method of ms-rest-azure automatically detects whether you are running on a Web App and gets the token from the MSI endpoint. The code is then:
const msRestAzure = require('ms-rest-azure');
const KeyVault = require('azure-keyvault');
const KEY_VAULT_URI = 'https://<your-vault-name>.vault.azure.net/'; // placeholder: your vault's base URL

// Obtain credentials from the App Service MSI endpoint, scoped to the Key Vault resource
function getKeyVaultCredentials() {
  return msRestAzure.loginWithAppServiceMSI({ resource: 'https://vault.azure.net' });
}

// Read the latest version of the secret named 'secret' (empty version string = latest)
function getKeyVaultSecret(credentials) {
  let keyVaultClient = new KeyVault.KeyVaultClient(credentials);
  return keyVaultClient.getSecret(KEY_VAULT_URI, 'secret', "");
}

getKeyVaultCredentials().then(
  getKeyVaultSecret
).then(function (secret) {
  console.log(`Your secret value is: ${secret.value}.`);
}).catch(function (err) {
  // Throwing inside .catch only produces an unhandled rejection; log and signal failure instead
  console.error(err);
  process.exitCode = 1;
});
I recommend checking the full documentation for the new Azure SDK for JS. You can authenticate your application with a managed identity by using the DefaultAzureCredential class from the package @azure/identity:
const { DefaultAzureCredential } = require('@azure/identity');
const { SecretClient } = require('@azure/keyvault-secrets');
// DefaultAzureCredential tries managed identity among other sources, so the same code works locally and on App Service
const credential = new DefaultAzureCredential();
const vaultName = "";            // fill in your vault name
const url = `https://${vaultName}.vault.azure.net`;
const client = new SecretClient(url, credential);
const secretName = "<secret-name>"; // placeholder: the secret to write
client.setSecret(secretName, "MySecretValue").then(() => console.log(`Set ${secretName}`));
…..