我已经在这个问题上卡住了很长一段时间了,没有运气靠自己推进它。
我正在尝试使用MSI令牌从Azure应用服务连接到EF CodeFirst托管数据库。
当我使用ARM部署App Service时,我生成了一个输出,确保它创建了一个Service Principal:
{"principalId":"98f2c1f2-0a86-4ff1-92db-d43ec0edxxxx","tenantId":"e6d2d4cc-b762-486e-8894-4f5f440dxxxx","type":"SystemAssigned"}
字符串
在Kudu中,环境变量显示它正在安装:
MSI_ENDPOINT = http://127.0.0.1:41239/MSI/token/MSI_SECRET = 7C1B16Fxxxxxxxxxxxxx
型
我在Azure Portal中提供了如下连接字符串:
Data Source=nzmoebase0000bt.database.windows.net;Initial Catalog=nzmoebase0001bt;Connect Timeout=300;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=300;
型
我已将主体作为所有者添加到数据库中。
Note: I cannot do the same for the master db.
型
该令牌被添加到DbContext中,如下所示:
正在使用以下方式添加令牌:
static async Task AttachAccessTokenToDbConnection(IDbConnection dbConnection){SqlConnection sqlConnection = dbConnection as SqlConnection;if (sqlConnection == null){return;}string msiEndpoint = Environment.GetEnvironmentVariable("MSI_ENDPOINT");if (string.IsNullOrEmpty(msiEndpoint)){return;}var msiSecret = Environment.GetEnvironmentVariable("MSI_SECRET");if (string.IsNullOrEmpty(msiSecret)){return;}// To get around:// "Cannot set the AccessToken property if 'UserID', 'UID', 'Password', or 'PWD' has been specified in connection string."var terms = new[] {"UserID","Password","PWD=","UID=" };string connectionString = dbConnection.ConnectionString;foreach (var term in terms){if (connectionString.Contains(term, StringComparison.InvariantCultureIgnoreCase)){return;}}string accessToken = await AppCoreDbContextMSITokenFactory.GetAzureSqlResourceTokenAsync();sqlConnection.AccessToken = accessToken;}
型
在启用跟踪的情况下,令牌为:
.eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI....
型
使用jwt.io解码得到:
{"typ": "JWT","alg": "RS256","x5t": "FSimuFrFNoC0sJXGmv13nNZceDc","kid": "FSimuFrFNoC0sJXGmv13nNZceDc"}.{"aud": "https://database.windows.net/","iss": "https://sts.windows.net/e6d2d4cc-b762-486e-8894-4f5f440dxxxx/","iat": 1522783025,"nbf": 1522783025,"exp": 1522786925,"aio": "Y2NgYPjNdyJd9zrzpLavJSEzNIuPAAA=","appid": "d1057cea-461b-4946-89a9-d76439c2xxxx","appidacr": "2","e_exp": 262800,"idp": "https://sts.windows.net/e6d2d4cc-b762-486e-8894-4f5f440dxxxx/","oid": "98f2c1f2-0a86-4ff1-92db-d43ec0edxxxx","sub": "98f2c1f2-0a86-4ff1-92db-d43ec0edxxxx","tid": "e6d2d4cc-b762-486e-8894-4f5f440dxxxx","uti": "59bqKWiSL0Gf0bTCI0AAAA","ver": "1.0"}.[Signature]
型
我添加了Persist Security Info = True根据网上的几个建议,但没有什么可检测的.
Data Source=nzmoebase0000bt.database.windows.net;Initial Catalog=nzmoebase0001bt;MultipleActiveResultSets=False;Persist Security Info = True;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;
型
我得到的错误是:
[InvalidOperationException: This operation requires a connection to the 'master' database. Unable to create a connection to the 'master' database because the original database connection has been opened and credentials have been removed from the connection string. Supply an unopened connection.]
型
有没有人使用CodeFirst、Migrations和MSI连接到数据库?在这一点上,经过几个星期的真正卡住,我开始怀疑这是否可能。
谢谢你的任何帮助--即使只是证明它可以工作,首先。
2条答案
按热度按时间alen0pnh1#
不幸的是,据我所知,没有。一个主要的绊脚石,以一个项目,不得不回落到不安全的密码/密码加载连接字符串。
92vpleto2#
您可以在SQL连接上设置访问令牌,如下所示:
1.安装
Microsoft.Azure.Services.AppAuthenticationnuget包1.这样设置你的上下文类:
字符串