从 apim 中的 azure Key Vault 读取密钥Read a secret key from azure key vault in apim-解网

问：

我需要在 APIM 策略中验证 HMAC。hmac 机密将存储在 azure key vault 中。以下是我将在我的政策中遵循的步骤

从密钥保管库读取密钥Read the secret key from the key vault
验证 hmac

以下是我尝试过的 apim 策略

<policies>
    <inbound>
        <base />

        <!-- Fetch HMAC key from Key Vault -->
        <set-variable name="keyVaultSecretUri" value="KV_URL/secrets/SECRET_NAME" />
        <set-variable name="keyVaultClientId" value="KV_CLIENT />
        <set-variable name="keyVaultClientSecret" value="KV_SECRET" />

        <set-variable name="request" value="@{
            var keyVaultSecretUri = context.Variables["keyVaultSecretUri"];
            var keyVaultClientId = context.Variables["keyVaultClientId"];
            var keyVaultClientSecret = context.Variables["keyVaultClientSecret"];

            return new {
                method = "GET",
                url = keyVaultSecretUri,
                headers = new {
                    Authorization = "Bearer " + FetchAccessToken(keyVaultClientId, keyVaultClientSecret)
                }
            };
        }" />

        <send-request mode="new" response-variable-name="keyVaultResponse" timeout="20" ignore-error="false">
            <set-url>@(context.Variables["request"].url)</set-url>
            <set-method>@(context.Variables["request"].method)</set-method>
            <set-header name="Authorization" exists-action="override">
                <value>@(context.Variables["request"].headers.Authorization)</value>
            </set-header>
        </send-request>

        <!-- Log Key Vault Response -->
        <trace source="keyVault" severity="information">
            <message>@(context.Variables["keyVaultResponse"].Body?.ToString())</message>
        </trace>
    </inbound>
</policies>

这是我得到的错误

 One or more fields contain incorrect values:
Error in element 'set-variable' on line 22, column 10: The name 'FetchAccessToken' does not exist in the current context
Error in element 'send-request' on line 36, column 10: 'object' does not contain a definition for 'url' and no extension method 'url' accepting a first argument of type 'object' could be found (are you missing a using directive or an assembly reference?)
Error in element 'trace' on line 45, column 10: 'object' does not contain a definition for 'Body' and no extension method 'Body' accepting a first argument of type 'object' could be found (are you missing a using directive or an assembly reference?)

在上面的政策中，我只是想读取秘密并显示。我无法做到这一点。我点击了这个链接作为参考

azure-keyvault azure-api-management hmac

<policies>
    <inbound>
        <base  />
        <set-variable  name="KeyVaultSecret"  value="{{Named value name}}"  />
        <return-response>
            <set-body>@("Key Vault Secret is: "+(context.Variables["KeyVaultSecret"])+"")</set-body>
        </return-response>
    </inbound>
</policy>

我能够获取 Key Vault 机密值。

enter image description here

您需要使用如下策略 -<send-request>

<send-request mode="new" response-variable-name="keyVaultResponse" timeout="60" ignore-error="true">
    <set-url>@("pass_the_url")</set-url>
    <set-method>GET</set-method>
    <set-header name="Authorization" exists-action="override">
        <value>@(context.Request.Headers.GetValueOrDefault("Authorization", ""))</value>
    </set-header>
</send-request>

你也可以参考我在这个SO-Thread中的回答。

APIM 每 4 小时自动刷新一次 Key Vault 机密：learn.microsoft.com/en-us/azure/api-management/...。为了避免在更新密钥后 4 小时内中断验证，可以存储两个密钥，如果任一密钥验证签名，则接受调用，但在需要更新时 - 仅更新最近最不用于签名的密钥。

0赞 Sindhu1990 11/20/2023

我在问，就像在运行时只知道键名一样。那么我可以读取值而不是将其存储为名称值吗？因为这种方法似乎是针对静态数据的

上一个：将 QLineEdit 设置为仅接受数字

下一个：使用 Powershell 将 Azure KeyVault 机密从一个保管库复制到另一个保管库，支持所有字符

从 apim 中的 azure Key Vault 读取密钥Read a secret key from azure key vault in apim

Read a secret key from azure key vault in apim

评论

评论