如何从本地运行的Docker容器访问Azure Keyvault?
zol*_*a25 7 azure docker azure-cli azure-keyvault asp.net-core
我有一个包含ASP.NET Core应用程序的docker映像,该应用程序使用Azure Key保管库访问诸如连接字符串之类的东西。在本地运行映像时,出现以下错误:
Unhandled Exception: Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/[guid]. Exception Message: Tried the following 3 methods to get an access token, but none of them worked.
Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/[guid]. Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.
Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/[guid]. Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Environment variable LOCALAPPDATA not set.
Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/[guid]. Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. /bin/bash: az: No such file or directory
据我了解,它首先尝试获取访问令牌作为托管服务身份。由于它不在Azure云中运行,因此无法执行此操作,并尝试通过Visual Studio Connected Service获取它。由于这不会出现在Docker映像上,因此它将尝试使用Azure CLI,但是并未安装在Docker映像上。
因此,我需要将Azure CLI安装到docker映像中。考虑到Dockerfile的基本映像是FROM microsoft/dotnet:2.1-aspnetcore-runtime怎么做的?
该基本映像是否是Alpine OS映像,所以我需要查看使用Alpine安装Azure CLI吗?
假设我已经安装了Azure CLI,是否可以在不将任何凭据存储在Dockerfile源代码中或将它们通过纯文本传递到容器的情况下访问Key Vault?
更普遍的说,什么是最好的方法。
我当前的解决方案是将环境变量与访问令牌一起使用。
获取密钥并将其存储在环境变量中(在进行 az 登录并设置正确的订阅之后):
$Env:ACCESS_TOKEN=(az account get-access-token --resource=https://vault.azure.net | ConvertFrom-Json).accessToken
我们在 Visual Studio 中添加该环境变量:
将代码更改为:
config.AddEnvironmentVariables();
KeyVaultClient keyVaultClient;
var accessToken = Environment.GetEnvironmentVariable("ACCESS_TOKEN");
if (accessToken != null)
{
keyVaultClient = new KeyVaultClient(
async (string a, string r, string s) => accessToken);
}
else
{
var azureServiceTokenProvider = new AzureServiceTokenProvider();
keyVaultClient = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(
azureServiceTokenProvider.KeyVaultTokenCallback));
}
config.AddAzureKeyVault(
$"https://{builtConfig["KeyVaultName"]}.vault.azure.net/",
keyVaultClient,
new DefaultKeyVaultSecretManager());
Abh*_*bhi -3
这是因为您的 docker 容器以root用户身份运行,并且在 Key Vault 中注册的用户是其他用户 (yourusername@yourcmpany.com)
- 他们怎么会是同一个用户呢?一个是Microsoft帐户,另一个是Linux用户 (2认同)