.net-core – 存储Azure Vault客户端ID和客户端密钥

如果您有Azure Web App,则至少有下一个内置选项(from the documentation)：

• add the ClientId and ClientSecret values for the AppSettings in the Azure portal. By doing this,the actual values will not be in the web.config but protected via the Portal where you have separate access control capabilities. These values will be substituted for the values that you entered in your web.config. Make sure that the names are the same.

• authenticate an Azure AD application is by using a Client ID and a Certificate instead of a Client ID and Client Secret. Following are the steps to use a Certificate in an Azure Web App:

  • Get or Create a Certificate
  • Associate the Certificate with an Azure AD application
  • Add code to your Web App to use the Certificate
  • Add a Certificate to your Web App

您还可以找到一种使用env变量来存储凭据的方法.只有在可以保证不能在prod机器上执行env变量的快照时,这可能没问题.请查看Environment Variables Considered Harmful for Your Secrets了解更多详情.

最后一件事：还有一种基于这个想法的技术,你需要存储/传递ClientSecret值,而ClientId应该根据托管App的机器/容器细节构建(例如docker container id) .我找到了一个Hashicorp Vault和一个在AWS上托管的应用程序的示例,但总的想法是相同的：Secret management with Vault