【发布时间】:2019-05-29 08:19:59
【问题描述】:
我正在尝试使用 azure 存储帐户测试客户端加密。到目前为止,我已经创建了一个资源组并将我的 KeyVault、已注册的应用程序放在 Active Directory 上,并在我的 keyVault 中创建了一个秘密。
我认为我未能将我的秘密映射到我的存储帐户,但我认为如果它们位于同一资源组中,它们应该可以工作。
$key = "qwertyuiopasdfgh"
$b = [System.Text.Encoding]::UTF8.GetBytes($key)
$enc = [System.Convert]::ToBase64String($b)
$secretvalue = ConvertTo-SecureString $enc -AsPlainText -Force
$secret = Set-AzureKeyVaultSecret -VaultName 'ectotecStorageKeyVault' -Name 'ectotecSecret' -SecretValue $secretvalue -ContentType "application/octet-stream"
问题是我得到一个无效的秘密提供错误,代码如下:
namespace cifradoApp
{
class Program
{
private async static Task<string> GetToken(string authority, string resource, string scope)
{
var authContext = new AuthenticationContext(authority);
ClientCredential clientCred = new ClientCredential(
ConfigurationManager.AppSettings["clientId"],
ConfigurationManager.AppSettings["clientSecret"]);
AuthenticationResult result = await authContext.AcquireTokenAsync(resource, clientCred);
if (result == null)
throw new InvalidOperationException("Failed to obtain the JWT token");
return result.AccessToken;
}
static void Main(string[] args)
{
// This is standard code to interact with Blob storage.
StorageCredentials creds = new StorageCredentials(
ConfigurationManager.AppSettings["accountName"],
ConfigurationManager.AppSettings["accountKey"]
);
CloudStorageAccount account = new CloudStorageAccount(creds, useHttps: true);
CloudBlobClient client = account.CreateCloudBlobClient();
CloudBlobContainer contain = client.GetContainerReference(ConfigurationManager.AppSettings["container"]);
contain.CreateIfNotExists();
// The Resolver object is used to interact with Key Vault for Azure Storage.
// This is where the GetToken method from above is used.
KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(GetToken);
// Retrieve the key that you created previously.
// The IKey that is returned here is an RsaKey.
// Remember that we used the names contosokeyvault and testrsakey1.
var rsa = cloudResolver.ResolveKeyAsync("https://ectotecstoragekeyvault.vault.azure.net/secrets/ectotecSecret/dee97a40c78a4638bbb3fa0d3e13f75e", CancellationToken.None).GetAwaiter().GetResult();
// Now you simply use the RSA key to encrypt by setting it in the BlobEncryptionPolicy.
BlobEncryptionPolicy policy = new BlobEncryptionPolicy(rsa, null);
BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = policy };
// Reference a block blob.
CloudBlockBlob blob = contain.GetBlockBlobReference("BlobPruebaEncrypted.txt");
// Upload using the UploadFromStream method.
using (var stream = System.IO.File.OpenRead(@"C:\Users\moise\Desktop\ectotec stuff\Visual Studio\azureStorageSample\container\BlobPrueba.txt"))
blob.UploadFromStream(stream, stream.Length, null, options, null);
}
}
}
我的应用程序设置似乎工作正常,因为我之前只使用我的帐户和访问存储帐户的密钥进行验证,因为我在没有尝试进行客户端加密的情况下进行了测试,所以一切正常。问题与它看起来的秘密有关。
尝试将某些内容上传到我的存储帐户容器(BLOB)时出错
AdalException: {"error":"invalid_client","error_description":"AADSTS70002: 验证凭据时出错。AADSTS50012: 提供了无效的客户端密码。\r\n跟踪 ID: 52047a12-b950-4d8a-9206-120e383feb00\r \n相关 ID:e2ad8afe-4272-49aa-94c0-5dad435ffc45\r\n时间戳:2019-01-02 17:10:32Z","error_codes":[70002,50012],"timestamp":"2019-01-02 17:10:32Z","trace_id":"52047a12-b950-4d8a-9206-120e383feb00","correlation_id":"e2ad8afe-4272-49aa-94c0-5dad435ffc45"}:未知错误
<appSettings>
<add key="accountName" value="sampleExample"/>
<add key="accountKey" value="KeyForMyApp"/>
<add key="clientId" value="app-id"/>
<add key="clientSecret" value="qwertyuiopasdfgh"/>
<add key="container" value="ectotec-sample2"/>
</appSettings>
我正在尝试复制本教程中的示例:
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-encrypt-decrypt-blobs-key-vault
【问题讨论】:
-
您是否已授予应用访问权限以读取 Key Vault 中的机密?这与在 KV 上拥有 RBAC 权限是分开的。
-
我没有。这实际上是我一直试图找出方法,但我一无所知。任何英特尔都将不胜感激。
-
见下方答案
标签: c# encryption azure-storage azure-keyvault