问题
I am running a docker container consisting of a asp.net core 2.2 api. This api needs access to Azure key vault and I have signed in into Visual studio with a user that has the right access policies on the Key Vault to retrieve secrets. However, when I use visual studio tools for docker to debug the container, this particular sign in does not seem to propogate inside the container running locally. But when i run the application locally(without running it in docker container) the asp net core configuration provider seems to pick up my visual studio login. Any pointers on this is helpful
回答1:
I had the same problem with docker and MSI on my mac. I ended up doing the following workaround:
First get an access token from CLI and set it to environment (and remember pass it to docker)
export ACCESS_TOKEN=$(az account get-access-token --resource=https://vault.azure.net | jq -r .accessToken)
In the code, pick it up if token is in environment:
KeyVaultClient keyVaultClient;
var accessToken = Environment.GetEnvironmentVariable("ACCESS_TOKEN");
if (accessToken!=null)
{
keyVaultClient = new KeyVaultClient(
async (string a, string r, string s)=> accessToken);
}
else
{
var azureServiceTokenProvider = new AzureServiceTokenProvider();
keyVaultClient = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(
azureServiceTokenProvider.KeyVaultTokenCallback));
}
回答2:
One more option, which avoids secret injection, is to use the device code authentication flow to obtain a user_impersonation access token. The downside, the developer must manually complete the flow every time the container starts up.
These posts outline the process, https://joonasw.net/view/device-code-flow https://blog.simonw.se/getting-an-access-token-for-azuread-using-powershell-and-device-login-flow/ Use the powershell clientId to avoid registering a new tenant app. Works like a charm.
来源:https://stackoverflow.com/questions/54880080/azure-managed-identity-from-within-a-docker-container-running-locally