The documentation you are viewing is for Dapr v1.4 which is an older version of Dapr. For up-to-date documentation, see the latest version.

Azure Key Vault 密钥仓库

详细介绍了关于 Azure Key Vault密钥仓库组件的信息

配置

要设置Azure Key Vault密钥仓库，请创建一个类型为secretstores.azure.keyvault的组件。 See this guide on how to create and apply a secretstore configuration. See this guide on referencing secrets to retrieve and use the secret with Dapr components.

也请参见本页面中的配置组件指南。

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: azurekeyvault
  namespace: default
spec:
  type: secretstores.azure.keyvault
  version: v1
  metadata:
  - name: vaultName
    value: [your_keyvault_name]
  - name: spnTenantId
    value: "[your_service_principal_tenant_id]"
  - name: spnClientId
    value: "[your_service_principal_app_id]"
    value : "[pfx_certificate_contents]"
  - name: spnCertificateFile
    value : "[pfx_certificate_file_fully_qualified_local_path]"

Warning

以上示例将密钥明文存储， It is recommended to use a local secret store such as Kubernetes secret store or a local file to bootstrap secure key storage.

Authenticating with Azure AD

The Azure Key Vault secret store component supports authentication with Azure AD only. Before you enable this component, make sure you’ve read the Authenticating to Azure document and created an Azure AD application (also called Service Principal). Alternatively, make sure you have created a managed identity for your application platform.

元数据字段规范

字段	必填	详情	示例
`vaultName`	Y	Azure Key Vault名称	`"mykeyvault"`
`azureEnvironment`	N	Optional name for the Azure environment if using a different Azure cloud	`"AZUREPUBLICCLOUD"` (default value), `"AZURECHINACLOUD"`, `"AZUREUSGOVERNMENTCLOUD"`, `"AZUREGERMANCLOUD"`

Additionally, you must provide the authentication fields as explained in the Authenticating to Azure document.

Create the Azure Key Vault and authorize the Service Principal

先决条件

Azure Subscription
Azure CLI
jq
The scripts below are optimized for a bash or zsh shell

Make sure you have followed the steps in the Authenticating to Azure document to create an Azure AD application (also called Service Principal). You will need the following values:

SERVICE_PRINCIPAL_ID: the ID of the Service Principal that you created for a given application

步骤

Set a variable with the Service Principal that you created:

SERVICE_PRINCIPAL_ID="[your_service_principal_object_id]"

Set a variable with the location where to create all resources:

LOCATION="[your_location]"

(You can get the full list of options with: az account list-locations --output tsv)

Create a Resource Group, giving it any name you’d like:

RG_NAME="[resource_group_name]"
RG_ID=$(az group create \
  --name "${RG_NAME}" \
  --location "${LOCATION}" \
  | jq -r .id)

Create an Azure Key Vault (that uses Azure RBAC for authorization):

KEYVAULT_NAME="[key_vault_name]"
az keyvault create \
  --name "${KEYVAULT_NAME}" \
  --enable-rbac-authorization true \
  --resource-group "${RG_NAME}" \
  --location "${LOCATION}"

Using RBAC, assign a role to the Azure AD application so it can access the Key Vault.
In this case, assign the “Key Vault Crypto Officer” role, which has broad access; other more restrictive roles can be used as well, depending on your application.

az role assignment create \
  --assignee "${SERVICE_PRINCIPAL_ID}" \
  --role "Key Vault Crypto Officer" \
  --scope "${RG_ID}/providers/Microsoft.KeyVault/vaults/${KEYVAULT_NAME}"

To use a client secret, create a file called azurekeyvault.yaml in the components directory, filling in with the Azure AD application that you created following the Authenticating to Azure document:

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: azurekeyvault
  namespace: default
spec:
  type: secretstores.azure.keyvault
  version: v1
  metadata:
  - name: vaultName
    value: "[your_keyvault_name]"
  - name: azureTenantId
    value: "[your_tenant_id]"
  - name: azureClientId
    value: "[your_client_id]"
  - name: azureClientSecret
    value : "[your_client_secret]"

If you want to use a certificate saved on the local disk, instead, use this template, filling in with details of the Azure AD application that you created following the Authenticating to Azure document:

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: azurekeyvault
  namespace: default
spec:
  type: secretstores.azure.keyvault
  version: v1
  metadata:
  - name: vaultName
    value: "[your_keyvault_name]"
  - name: azureTenantId
    value: "[your_tenant_id]"
  - name: azureClientId
    value: "[your_client_id]"
  - name: azureCertificateFile
    value : "[pfx_certificate_file_fully_qualified_local_path]"

In Kubernetes, you store the client secret or the certificate into the Kubernetes Secret Store and then refer to those in the YAML file. You will need the details of the Azure AD application that was created following the Authenticating to Azure document.

To use a client secret:

Create a Kubernetes secret using the following command:
```
kubectl create secret generic [your_k8s_secret_name] --from-literal=[your_k8s_secret_key]=[your_client_secret]
```
- [your_client_secret] is the application’s client secret as generated above
- [your_k8s_secret_name] is secret name in the Kubernetes secret store
- [your_k8s_secret_key] is secret key in the Kubernetes secret store

Create an azurekeyvault.yaml component file.

The component yaml refers to the Kubernetes secretstore using auth property and secretKeyRef refers to the client secret stored in the Kubernetes secret store.

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: azurekeyvault
  namespace: default
spec:
  type: secretstores.azure.keyvault
  version: v1
  metadata:
  - name: vaultName
    value: "[your_keyvault_name]"
  - name: azureTenantId
    value: "[your_tenant_id]"
  - name: azureClientId
    value: "[your_client_id]"
  - name: azureClientSecret
    secretKeyRef:
      name: "[your_k8s_secret_name]"
      key: "[your_k8s_secret_key]"
auth:
  secretStore: kubernetes

Apply the azurekeyvault.yaml component:
```
kubectl apply -f azurekeyvault.yaml
```

To use a certificate:

Create a Kubernetes secret using the following command:
```
kubectl create secret generic [your_k8s_secret_name] --from-file=[your_k8s_secret_key]=[pfx_certificate_file_fully_qualified_local_path]
```
- [pfx_certificate_file_fully_qualified_local_path] is the path of PFX file you obtained earlier
- [your_k8s_secret_name] is secret name in the Kubernetes secret store
- [your_k8s_secret_key] is secret key in the Kubernetes secret store

Create an azurekeyvault.yaml component file.

The component yaml refers to the Kubernetes secretstore using auth property and secretKeyRef refers to the certificate stored in the Kubernetes secret store.

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: azurekeyvault
  namespace: default
spec:
  type: secretstores.azure.keyvault
  version: v1
  metadata:
  - name: vaultName
    value: "[your_keyvault_name]"
  - name: azureTenantId
    value: "[your_tenant_id]"
  - name: azureClientId
    value: "[your_client_id]"
  - name: azureCertificate
    secretKeyRef:
      name: "[your_k8s_secret_name]"
      key: "[your_k8s_secret_key]"
auth:
  secretStore: kubernetes

Apply the azurekeyvault.yaml component:
```
kubectl apply -f azurekeyvault.yaml
```

参考资料

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.