
[Azure Developer] Authentication problems when Java code accesses a Key Vault Secret

Problem description

When the Java SDK is used to read a Key Vault Secret, the call has to be authorized first. Usually an AAD app registration (Client ID, Tenant ID, Client Secret) is used to obtain the credential object.

new SecretClientBuilder()
        .vaultUrl(keyVaultUri)
        .credential(new DefaultAzureCredentialBuilder()
                .authorityHost(AzureAuthorityHosts.AZURE_CHINA)
                .build())
        .buildClient();

If the credential is built with DefaultAzureCredentialBuilder, the Client ID, Client Secret and Tenant ID must be supplied as environment variables (DefaultAzureCredential reads them as AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID).


If you would rather not set environment variables and want to pass the three values directly in code instead, is there sample code for that?

Answer

Yes. With ClientSecretCredentialBuilder the Client ID, Client Secret and Tenant ID can be set explicitly in code.

The code is as follows:

        // Authenticate with client secret.
        String clientID = "xxxxxxxx-8216-xxxxxxxx-8924-xxxxxxxxxxxxxxxx";
        String tenantID = "xxxxxxxx-66d7-xxxxxxxx-8f9f-xxxxxxxxxxxxxxxx";
        String clientSecret = "xxxxxxxx.3ay_aOti..4";
        ClientSecretCredential clientSecretCredential = new ClientSecretCredentialBuilder()
                .clientId(clientID)
                .clientSecret(clientSecret)
                .tenantId(tenantID)
                .authorityHost(AzureAuthorityHosts.AZURE_CHINA)
                .build();
        SecretClient secretClient = new SecretClientBuilder()
                .vaultUrl(keyVaultUri)
                .credential(clientSecretCredential)
                .buildClient();

Complete code

package com.example.demokeyvault;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

import com.azure.identity.AzureAuthorityHosts;
import com.azure.identity.ClientSecretCredential;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.azure.identity.DefaultAzureCredentialBuilder;

import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;

@SpringBootApplication
public class DemokeyvaultApplication {

    public static void main(String[] args) {
        SpringApplication.run(DemokeyvaultApplication.class, args);

        System.out.println("Hello World!");
        String keyVaultUri = "https://yourkeyvaultname.vault.azure.cn/";

        System.out.printf(" key vault URI = %s \n", keyVaultUri);

        // String userIdentityID = " - - - - ";
        // .managedIdentityClientId(userIdentityID)

        /*
         * Authenticate with client secret.
         * The three values below are placeholders; in real code they should
         * come from configuration, not from literals committed to source.
         */
        String clientID = "xxxx-xxxx-xxxx-xxxx-xxxx";
        String tenantID = "xxxx-xxxx-xxxx-xxxx-xxxx";
        String clientSecret = "xxxx.xxxx..4";
        ClientSecretCredential clientSecretCredential = new ClientSecretCredentialBuilder()
                .clientId(clientID)
                .clientSecret(clientSecret)
                .tenantId(tenantID)   // tenant ID (the original passed clientSecret here by mistake)
                .authorityHost(AzureAuthorityHosts.AZURE_CHINA)
                .build();

        SecretClient secretClientidentity = new SecretClientBuilder()
                .vaultUrl(keyVaultUri)
                .credential(clientSecretCredential)
                .buildClient();

        /*
         * Alternative: authenticate with DefaultAzureCredentialBuilder, which
         * reads AZURE_CLIENT_ID / AZURE_CLIENT_SECRET / AZURE_TENANT_ID from the environment.
         */
        // SecretClient secretClientidentity = new SecretClientBuilder()
        //         .vaultUrl(keyVaultUri)
        //         .credential(new DefaultAzureCredentialBuilder()
        //                 .authorityHost(AzureAuthorityHosts.AZURE_CHINA)
        //                 .build())
        //         .buildClient();

        String secretName = "testsecret01";

        KeyVaultSecret retrievedSecret = secretClientidentity.getSecret(secretName);

        System.out.println("Your secret's value is '" + retrievedSecret.getValue() + "'.");

        System.out.println("done.");
    }

}      
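The following is an added example and is not code from the original post. It shows the same ClientSecretCredentialBuilder chain, but takes the Client ID, Tenant ID and Client Secret from JVM system properties or environment variables at run time instead of from string literals in source, and it tries managed identity first so the secret is only needed outside Azure. The class name, the system property names, and the AZURE_MANAGED_IDENTITY_CLIENT_ID and AZURE_KEYVAULT_URI variable names are assumptions; AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_CLIENT_SECRET are the names azure-identity's own environment credential uses.

```java
package com.example.demokeyvault;

import com.azure.core.credential.TokenCredential;
import com.azure.identity.AzureAuthorityHosts;
import com.azure.identity.ChainedTokenCredentialBuilder;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.azure.identity.ManagedIdentityCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;

/**
 * Added example, not from the original post: build the Key Vault credential
 * from run-time configuration rather than literals in source, preferring
 * managed identity and falling back to a client secret.
 */
public final class KeyVaultCredentialFactory {

    private KeyVaultCredentialFactory() {}

    /**
     * Reads a setting from a JVM system property first (-Dazure.client.id=...),
     * then from the environment. Returns null when neither is set.
     * The property names are assumptions made for this example.
     */
    static String setting(String property, String envVar) {
        String v = System.getProperty(property);
        if (v == null || v.isEmpty()) {
            v = System.getenv(envVar);
        }
        return (v == null || v.isEmpty()) ? null : v;
    }

    /** Explicit client-secret credential; all three values are required. */
    public static TokenCredential clientSecretCredential(String clientId, String tenantId, String clientSecret) {
        if (clientId == null || tenantId == null || clientSecret == null) {
            throw new IllegalStateException("clientId, tenantId and clientSecret must all be set");
        }
        return new ClientSecretCredentialBuilder()
                .clientId(clientId)
                .tenantId(tenantId)          // tenant ID here, not the secret
                .clientSecret(clientSecret)
                .authorityHost(AzureAuthorityHosts.AZURE_CHINA)
                .build();
    }

    /**
     * Managed identity first (no secret to store); client secret only when
     * all three values were supplied. ChainedTokenCredential moves to the
     * next credential when the previous one reports it is unavailable.
     */
    public static TokenCredential build() {
        ChainedTokenCredentialBuilder chain = new ChainedTokenCredentialBuilder();

        ManagedIdentityCredentialBuilder mi = new ManagedIdentityCredentialBuilder();
        // Optional: client ID of a user-assigned identity (variable name assumed).
        String miClientId = setting("azure.managed.identity.client.id", "AZURE_MANAGED_IDENTITY_CLIENT_ID");
        if (miClientId != null) {
            mi.clientId(miClientId);
        }
        chain.addLast(mi.build());

        String clientId = setting("azure.client.id", "AZURE_CLIENT_ID");
        String tenantId = setting("azure.tenant.id", "AZURE_TENANT_ID");
        String secret = setting("azure.client.secret", "AZURE_CLIENT_SECRET");
        if (clientId != null && tenantId != null && secret != null) {
            chain.addLast(clientSecretCredential(clientId, tenantId, secret));
        }
        return chain.build();
    }

    public static SecretClient secretClient(String vaultUrl) {
        return new SecretClientBuilder()
                .vaultUrl(vaultUrl)
                .credential(build())
                .buildClient();
    }

    public static void main(String[] args) {
        // Vault URL (for example https://yourkeyvaultname.vault.azure.cn/) from config; variable name assumed.
        String vaultUrl = setting("azure.keyvault.uri", "AZURE_KEYVAULT_URI");
        if (vaultUrl == null) {
            throw new IllegalStateException("AZURE_KEYVAULT_URI is not set");
        }
        KeyVaultSecret s = secretClient(vaultUrl).getSecret("testsecret01");
        // Report the name and version only; never log the secret value itself.
        System.out.printf("Retrieved secret %s (version %s)%n", s.getName(), s.getProperties().getVersion());
    }
}
```

Run it with the three service-principal values exported in the environment (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET) or passed as -D system properties; on an Azure host with a managed identity assigned, the client secret can be omitted entirely and the chain stops at the first credential.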

POM.XML

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>1.5.9.RELEASE</version>
        <relativePath /> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.example</groupId>
    <artifactId>demokeyvault</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>demokeyvault</name>
    <description>Demo project for Spring Boot</description>
    <properties>
        <java.version>8</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>com.azure</groupId>
            <artifactId>azure-security-keyvault-secrets</artifactId>
            <version>4.2.3</version>
        </dependency>

        <dependency>
            <groupId>com.azure</groupId>
            <artifactId>azure-identity</artifactId>
            <version>1.2.0</version>
        </dependency>
        <dependency>
            <groupId>io.projectreactor</groupId>
            <artifactId>reactor-core</artifactId>
            <version>3.4.19</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>      

References

Client secret credential : https://learn.microsoft.com/en-us/azure/developer/java/sdk/identity-service-principal-auth#client-secret-credential

Azure Key Vault Secret client library for Java : https://docs.azure.cn/zh-cn/key-vault/secrets/quick-create-java?tabs=azure-cli