Authentication to Azure
Arcus Security Team - Date: ?
Authentication
As of today we support a few authentication mechanisms.

Managed Service Identity
You can use Managed Service Identity to delegate the authentication to Azure via ManagedServiceIdentityAuthenticator.

This is the recommended approach to interact with Azure Key Vault.
Code:
var vaultAuthenticator = new ManagedServiceIdentityAuthenticator();
var vaultConfiguration = new KeyVaultConfiguration(keyVaultUri);
var keyVaultSecretProvider = new KeyVaultSecretProvider(vaultAuthenticator, vaultConfiguration);
If you require more control over the authentication mechanism, you can optionally specify an AzureServiceTokenProvider connection string and/or an Azure AD instance.
Code:
var connectionString = Configuration.GetConnectionString("Arcus:MSI:ConnectionString");
var azureAdInstance = Configuration.GetValue<string>("Arcus:MSI:AzureAdInstance");
var vaultAuthenticator = new ManagedServiceIdentityAuthenticator(connectionString, azureAdInstance);
var vaultConfiguration = new KeyVaultConfiguration(keyVaultUri);
var keyVaultSecretProvider = new KeyVaultSecretProvider(vaultAuthenticator, vaultConfiguration);
See Service-to-service authentication to Azure Key Vault using .NET - Connection String Support for the supported connection strings, and National clouds - Azure AD authentication endpoints for valid Azure AD instances.

Service Principal
Authentication via username and password is supported with the ServicePrincipalAuthenticator.
Code:
var clientId = Configuration.GetValue<string>("Arcus:ServicePrincipal:ClientId");
var clientKey = Configuration.GetValue<string>("Arcus:ServicePrincipal:AccessKey");

var vaultAuthenticator = new ServicePrincipalAuthenticator(clientId, clientKey);
var vaultConfiguration = new KeyVaultConfiguration(keyVaultUri);
var keyVaultSecretProvider = new KeyVaultSecretProvider(vaultAuthenticator, vaultConfiguration);
Certificate
Authentication via client ID and certificate is supported with the CertificateBasedAuthentication.
Code:
var clientId = Configuration.GetValue<string>("Arcus:ServicePrincipal:ClientId");
X509Certificate2 certificate = ...

var vaultAuthenticator = new CertificateBasedAuthentication(clientId, certificate);
var vaultConfiguration = new KeyVaultConfiguration(keyVaultUri);
var keyVaultSecretProvider = new KeyVaultSecretProvider(vaultAuthenticator, vaultConfiguration);
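The three snippets above each wire one authenticator into a KeyVaultSecretProvider. The following is an added example, not code from the Arcus documentation or project, that puts them together: it picks the authenticator from configuration in order of preference (Managed Service Identity first, because no credential material then lives in configuration; a certificate from the local store second; a service-principal access key last) and reads one secret. It assumes the Arcus namespaces and the IKeyVaultAuthentication interface and GetSecretAsync method as they exist in the Arcus.Security.Providers.AzureKeyVault package; the configuration keys Arcus:MSI:Enabled, Arcus:ServicePrincipal:CertificateThumbprint and Arcus:KeyVault:Uri are hypothetical, while the other keys are the ones used on this page.

```csharp
// Added example (not from the Arcus docs or project). Assumed: the Arcus namespaces
// below, the IKeyVaultAuthentication interface, and KeyVaultSecretProvider.GetSecretAsync.
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Arcus.Security.Core;
using Arcus.Security.Providers.AzureKeyVault;
using Arcus.Security.Providers.AzureKeyVault.Authentication;
using Arcus.Security.Providers.AzureKeyVault.Configuration;
using Microsoft.Extensions.Configuration;

public static class KeyVaultAuthenticationSelector
{
    // Chooses the authenticator with the least credential material in configuration.
    public static IKeyVaultAuthentication SelectAuthenticator(IConfiguration configuration)
    {
        // 1. Managed Service Identity: Azure issues the token, nothing secret is stored.
        //    "Arcus:MSI:Enabled" is a hypothetical switch for this example.
        if (configuration.GetValue<bool>("Arcus:MSI:Enabled"))
        {
            string connectionString = configuration.GetConnectionString("Arcus:MSI:ConnectionString");
            string azureAdInstance = configuration.GetValue<string>("Arcus:MSI:AzureAdInstance");

            // Fall back to the parameterless constructor when no override is configured.
            return string.IsNullOrEmpty(connectionString)
                ? new ManagedServiceIdentityAuthenticator()
                : new ManagedServiceIdentityAuthenticator(connectionString, azureAdInstance);
        }

        string clientId = configuration.GetValue<string>("Arcus:ServicePrincipal:ClientId");
        if (string.IsNullOrEmpty(clientId))
        {
            throw new InvalidOperationException("No Managed Service Identity and no service principal configured.");
        }

        // 2. Certificate: the private key stays in the certificate store, only the
        //    thumbprint is configured. "Arcus:ServicePrincipal:CertificateThumbprint" is hypothetical.
        string thumbprint = configuration.GetValue<string>("Arcus:ServicePrincipal:CertificateThumbprint");
        if (!string.IsNullOrEmpty(thumbprint))
        {
            X509Certificate2 certificate = FindCertificate(thumbprint);
            return new CertificateBasedAuthentication(clientId, certificate);
        }

        // 3. Service principal access key: a bearer credential in configuration, last resort.
        string clientKey = configuration.GetValue<string>("Arcus:ServicePrincipal:AccessKey");
        if (string.IsNullOrEmpty(clientKey))
        {
            throw new InvalidOperationException("Service principal configured without certificate or access key.");
        }
        return new ServicePrincipalAuthenticator(clientId, clientKey);
    }

    // Looks the certificate up by thumbprint in the current user's personal store.
    // validOnly: true rejects expired or untrusted certificates instead of using them.
    private static X509Certificate2 FindCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection matches =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: true);
            if (matches.Count == 0)
            {
                throw new InvalidOperationException("No valid certificate with the configured thumbprint was found.");
            }
            return matches[0];
        }
    }

    // Builds the provider and reads one secret; "Arcus:KeyVault:Uri" is a hypothetical key.
    public static async Task<string> ReadSecretAsync(IConfiguration configuration, string secretName)
    {
        string keyVaultUri = configuration.GetValue<string>("Arcus:KeyVault:Uri");
        IKeyVaultAuthentication vaultAuthenticator = SelectAuthenticator(configuration);
        var vaultConfiguration = new KeyVaultConfiguration(keyVaultUri);
        var keyVaultSecretProvider = new KeyVaultSecretProvider(vaultAuthenticator, vaultConfiguration);

        // Assumed Arcus API: GetSecretAsync returns a Secret whose Value holds the secret text.
        Secret secret = await keyVaultSecretProvider.GetSecretAsync(secretName);
        return secret.Value;
    }
}
```

The selector never reads the access key unless neither MSI nor a certificate is configured, and it never writes any of the credentials to logs or exceptions, so the messages it throws are safe to surface. Registering the resulting IKeyVaultAuthentication in dependency injection instead of calling ReadSecretAsync directly keeps the same ordering while letting one provider be shared.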