Which is the better way to load Azure Key Vault secrets in .NET Core?

Posted 2025-01-26 19:46:18 | Words: 760 | Views: 3 | Comments: 0


We have stored connection string values in Azure Key Vault. I have read two ways to get the secret value from my .NET Core application.
One is to load all secrets in ConfigurationManager using the following code:

using Azure.Identity;
using Microsoft.Extensions.Configuration; // AddAzureKeyVault comes from Azure.Extensions.AspNetCore.Configuration.Secrets

var keyVaultUrl = builder.Configuration["KeyVaultUrl"]
    ?? throw new InvalidOperationException("KeyVaultUrl setting is missing");
// Lambda parameter renamed so it does not shadow the outer 'builder'.
builder.Host.ConfigureAppConfiguration(config =>
{
    // Every enabled secret in the vault becomes a configuration key.
    config.AddAzureKeyVault(new Uri(keyVaultUrl), new DefaultAzureCredential());
});

The other way is to use the following code and get the secret value:

using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Vault name comes from the environment; fail fast if it is not set.
string keyVaultName = Environment.GetEnvironmentVariable("KEY_VAULT_NAME")
    ?? throw new InvalidOperationException("KEY_VAULT_NAME is not set");
var kvUri = $"https://{keyVaultName}.vault.azure.net";

var client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential());
// secretName is the name of the secret in the vault (e.g. the connection string entry).
KeyVaultSecret secret = (await client.GetSecretAsync(secretName)).Value;

Save these values once in a static class and use them throughout the application whenever required.

Which option suits better in what situation?

Also provide some inputs on reloading the secret value if it changes.

I only have a couple of secrets in my application.


Comments (1)

阳光下慵懒的猫 2025-02-02 19:46:18


Although both scenarios enable reusing the way of getting values, I do have a personal preference: use the first option.

The big plus for this approach is that the values are retrievable through IConfiguration. This means that throughout the rest of the application, developers don't even have to know where values come from. They can get settings from IConfiguration, no matter the origin of the setting. With your second approach, the code to get a value from Key Vault is still reusable but developers need to know where to get values from.

As far as reloading goes: have a look at passing in an instance of AzureKeyVaultConfigurationOptions. This has a ReloadInterval property, which is a ...

TimeSpan to wait between attempts at polling the key vault for changes. The default value is null (configuration isn't reloaded).

Source: Azure Key Vault configuration provider in ASP.NET Core - Configuration options

An even richer solution would be to combine App Configuration and Key Vault to enable you to Reload secrets and certificates from Key Vault automatically.

App Configuration and Key Vault are complementary services used side by side in many applications. App Configuration helps you use the services together by creating keys in your App Configuration store that reference secrets or certificates stored in Key Vault. Since Key Vault stores the public and private key pair of a certificate as a secret, your application can retrieve any certificate as a secret from Key Vault.

As a good security practice, secrets and certificates should be rotated periodically. Once they have been rotated in Key Vault, you would want your application to pick up the latest secret and certificate values. There are two ways to achieve this without restarting your application:

  • Update a sentinel key-value to trigger the refresh of your entire configuration, thereby reloading all Key Vault secrets and certificates. For more information, see how to use dynamic configuration in an ASP.NET Core app.
  • Periodically reload some or all secrets and certificates from Key Vault.
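The following Program.cs puts the answer's recommendation together: the Key Vault configuration provider with a ReloadInterval, the secrets bound into an options class so the rest of the app only sees IConfiguration/IOptionsMonitor, and a KeyVaultSecretManager that loads only a prefixed subset of the vault (useful when one vault serves several apps and each should only pull its own few secrets). This is an added example, not code from the question or the answer. The setting name "KeyVaultUrl", the "App--" prefix and the secret name "App--Database--ConnectionString" are assumptions made up for the example; the APIs used (AzureKeyVaultConfigurationOptions, KeyVaultSecretManager, IOptionsMonitor) are from Azure.Extensions.AspNetCore.Configuration.Secrets and Microsoft.Extensions.Options.

```csharp
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);

// Assumed setting name (constructed for this example): "KeyVaultUrl" from appsettings or the environment.
var keyVaultUrl = builder.Configuration["KeyVaultUrl"]
    ?? throw new InvalidOperationException("KeyVaultUrl is not configured");

builder.Configuration.AddAzureKeyVault(
    new Uri(keyVaultUrl),
    new DefaultAzureCredential(),
    new AzureKeyVaultConfigurationOptions
    {
        // Poll the vault for new secret versions; the default (null) never reloads.
        ReloadInterval = TimeSpan.FromMinutes(10),
        // Load only secrets whose name starts with "App--" (assumed prefix), so the
        // app's configuration does not absorb every secret in a shared vault.
        Manager = new PrefixKeyVaultSecretManager("App--")
    });

// Bind the "Database" section; callers depend on IOptionsMonitor<DatabaseOptions>,
// not on Key Vault, which is the decoupling the answer argues for.
builder.Services.Configure<DatabaseOptions>(builder.Configuration.GetSection("Database"));

var app = builder.Build();

// IOptionsMonitor.CurrentValue is rebuilt when the provider reloads, so a rotated
// connection string is picked up without a restart. A value copied into a static
// field at start-up (the question's second approach) would stay stale.
app.MapGet("/db-check", (IOptionsMonitor<DatabaseOptions> db) =>
    Results.Ok(new { hasConnectionString = !string.IsNullOrEmpty(db.CurrentValue.ConnectionString) }));

app.Run();

public sealed class DatabaseOptions
{
    public string ConnectionString { get; set; } = "";
}

// Maps secret "App--Database--ConnectionString" to configuration key "Database:ConnectionString".
public sealed class PrefixKeyVaultSecretManager : KeyVaultSecretManager
{
    private readonly string _prefix;

    public PrefixKeyVaultSecretManager(string prefix) => _prefix = prefix;

    // Only secrets carrying the prefix are fetched; everything else in the vault is skipped.
    public override bool Load(SecretProperties properties) =>
        properties.Name.StartsWith(_prefix, StringComparison.OrdinalIgnoreCase);

    // Strip the prefix, then apply the usual "--" to ":" section mapping.
    public override string GetKey(KeyVaultSecret secret) =>
        secret.Name[_prefix.Length..].Replace("--", ConfigurationPath.KeyDelimiter);
}
```

Two points worth checking in a deployment: the identity behind DefaultAzureCredential needs only the "get" and "list" secret permissions (Key Vault Secrets User role) for this to work, and ReloadInterval is a polling interval, so a rotated secret can take up to that long to show up; the App Configuration sentinel-key approach quoted above removes that lag at the cost of an extra service.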