我有一个包含Azure核心应用程序的docker镜像,该应用程序使用ASP.NET密钥库来访问连接字符串等内容。当我在本地运行镜像时,我得到这个错误:
Unhandled Exception: Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/[guid]. Exception Message: Tried the following 3 methods to get an access token, but none of them worked.
Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/[guid]. Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.
Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/[guid]. Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Environment variable LOCALAPPDATA not set.
Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/[guid]. Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. /bin/bash: az: No such file or directory
据我所知,它首先尝试获取访问令牌作为托管服务标识。由于它不是在Azure云中运行,它无法做到这一点,并尝试通过visual studio连接服务获取它。由于这不会在docker镜像上,它会尝试使用Azure CLI,但这不会安装在docker镜像上。
因此,我需要将Azure CLI安装到docker镜像中。假设Dockerfile的基础镜像是FROM microsoft/dotnet:2.1-aspnetcore-runtime
,如何做到这一点?
此基础映像是否为阿尔卑斯山操作系统映像,因此我是否需要考虑使用阿尔卑斯山安装Azure CLI?
假设我安装了Azure CLI,有没有一种方法可以访问密钥库,而不需要在Dockerfile源代码中存储任何凭据,或者通过纯文本将它们传递给容器?
更普遍的是,这里最好的方法是什么。
发布于 2020-04-29 17:27:13
我当前的解决方案是将环境变量与访问令牌一起使用。
获取密钥并存储在环境变量中(在执行az登录并设置正确的订阅之后):
$Env:ACCESS_TOKEN=(az account get-access-token --resource=https://vault.azure.net | ConvertFrom-Json).accessToken
我们在Visual Studio中添加环境变量:
将代码更改为:
config.AddEnvironmentVariables();
KeyVaultClient keyVaultClient;
var accessToken = Environment.GetEnvironmentVariable("ACCESS_TOKEN");
if (accessToken != null)
{
keyVaultClient = new KeyVaultClient(
async (string a, string r, string s) => accessToken);
}
else
{
var azureServiceTokenProvider = new AzureServiceTokenProvider();
keyVaultClient = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(
azureServiceTokenProvider.KeyVaultTokenCallback));
}
config.AddAzureKeyVault(
$"https://{builtConfig["KeyVaultName"]}.vault.azure.net/",
keyVaultClient,
new DefaultKeyVaultSecretManager());
发布于 2020-07-28 05:30:46
虽然您提出这个问题已经有一段时间了,但是另一个适合生产环境的选择是使用x509证书。
微软的this article解释了如何做到这一点。您可以使用自签名证书或任何其他有效的SSL证书。这取决于您的需求。
https://stackoverflow.com/questions/55247997
复制相似问题