To run the examples in this article, create a Microsoft Entra application and a service principal that can access resources. You can add a role assignment at the subscription scope and obtain the required Microsoft Entra Directory (tenant) ID, Application ID, and Application Secret.
The following code snippet shows how to obtain a Microsoft Entra application token to access your cluster using the Azure.Identity library, which is built on the Microsoft Authentication Library (MSAL). For this flow to succeed, the application must be registered in Microsoft Entra ID, and you must have a credential for application authentication, such as an application secret issued by Microsoft Entra ID or an X.509 certificate registered with Microsoft Entra. Treat the secret as sensitive: load it from a secret store or environment variable rather than committing it to source, and prefer a certificate or managed identity where you can.
Configure customer-managed keys
By default, Azure Data Explorer encryption uses Microsoft-managed keys. Configure your Azure Data Explorer cluster to use customer-managed keys and specify the key to associate with the cluster. Before you do, make sure the key vault has soft delete and purge protection enabled, and that the identity the cluster will use (system-assigned or the user-assigned identity you specify) has the Get, Wrap Key, and Unwrap Key permissions on the key vault; otherwise the update fails or the cluster cannot decrypt its data.
Use the following code to update the cluster:
```csharp
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Kusto;
using Azure.ResourceManager.Kusto.Models;

var tenantId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx"; // Microsoft Entra Directory (tenant) ID
var clientId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx"; // Application ID
var clientSecret = "PlaceholderClientSecret"; // Application secret; load from a secret store in real code
var subscriptionId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx";
// For a cluster in Azure China (the key vault URI below ends in .vault.azure.cn), pass
// ClientSecretCredentialOptions { AuthorityHost = AzureAuthorityHosts.AzureChina } and
// ArmClientOptions { Environment = ArmEnvironment.AzureChina }; the defaults target the public cloud.
var credentials = new ClientSecretCredential(tenantId, clientId, clientSecret);
var resourceManagementClient = new ArmClient(credentials, subscriptionId);
var resourceGroupName = "testrg";
var clusterName = "mykustocluster";
var subscription = await resourceManagementClient.GetDefaultSubscriptionAsync();
var resourceGroup = (await subscription.GetResourceGroupAsync(resourceGroupName)).Value;
var clusters = resourceGroup.GetKustoClusters();
var cluster = (await clusters.GetAsync(clusterName)).Value;
// A patch carries only the properties to change; the location is required by the patch constructor.
var clusterPatch = new KustoClusterPatch(cluster.Data.Location)
{
    KeyVaultProperties = new KustoKeyVaultProperties
    {
        KeyName = "<keyName>",
        KeyVersion = "<keyVersion>", // Optional, leave as NULL for the latest version of the key.
        KeyVaultUri = new Uri("https://<keyVaultName>.vault.azure.cn/"),
        UserIdentity = "/subscriptions/<identitySubscriptionId>/resourcegroups/<identityResourceGroupName>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identityName>" // Use NULL if you want to use the system-assigned identity.
    }
};
// WaitUntil.Completed blocks until the long-running update finishes instead of returning after it is accepted.
await cluster.UpdateAsync(WaitUntil.Completed, clusterPatch);
```
Run the following code to check that the cluster was updated successfully:
```csharp
var clusterData = (await resourceGroup.GetKustoClusterAsync(clusterName)).Value.Data;
```
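Fetching the cluster data only shows that the call returned; it does not tell you whether the key vault properties the service reports match what you requested, or whether the identity the cluster will use to reach the vault is actually attached to it. The following is an added verification example, not code from the original page or from the Azure SDK, that re-reads the cluster and compares it against the intended configuration. It assumes the same placeholder tenant, application, subscription, resource group, cluster and identity values as the snippet above, and that the cluster and key vault are in Azure China, as the `.vault.azure.cn` key vault URI above suggests; the `CmkVerification` class, its `Check` method and the `KUSTO_CLIENT_SECRET` environment variable are names chosen for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Kusto;
using Azure.ResourceManager.Kusto.Models;
using Azure.ResourceManager.Models;

// Added example (not the page's own code). Names below are illustrative; replace the
// <placeholders> before running, since '<' is not valid in a URI host.
public static class CmkVerification
{
    // Compares what the service reports against the requested CMK settings and returns
    // every mismatch found. An empty list means the configuration is as intended.
    public static List<string> Check(
        KustoClusterData data,
        string expectedKeyName,
        Uri expectedVaultUri,
        string expectedUserIdentity) // null when a system-assigned identity is expected
    {
        var problems = new List<string>();

        if (data.ProvisioningState != KustoProvisioningState.Succeeded)
            problems.Add($"provisioning state is {data.ProvisioningState}, not Succeeded");

        var kv = data.KeyVaultProperties;
        if (kv == null)
        {
            problems.Add("cluster has no KeyVaultProperties: it is still using Microsoft-managed keys");
            return problems;
        }

        if (!string.Equals(kv.KeyName, expectedKeyName, StringComparison.Ordinal))
            problems.Add($"key name is '{kv.KeyName}', expected '{expectedKeyName}'");

        // Compare hosts rather than whole URIs so a trailing slash does not cause a false mismatch.
        if (kv.KeyVaultUri == null ||
            !string.Equals(kv.KeyVaultUri.Host, expectedVaultUri.Host, StringComparison.OrdinalIgnoreCase))
            problems.Add($"key vault URI is '{kv.KeyVaultUri}', expected host '{expectedVaultUri.Host}'");

        var identity = data.Identity;
        if (expectedUserIdentity == null)
        {
            // System-assigned: the cluster must have a system identity and no user identity in KeyVaultProperties.
            if (identity == null ||
                (identity.ManagedServiceIdentityType != ManagedServiceIdentityType.SystemAssigned &&
                 identity.ManagedServiceIdentityType != ManagedServiceIdentityType.SystemAssignedUserAssigned))
                problems.Add("system-assigned identity requested but not enabled on the cluster");
            if (kv.UserIdentity != null)
                problems.Add($"UserIdentity is '{kv.UserIdentity}' although a system-assigned identity was requested");
        }
        else
        {
            if (!string.Equals(kv.UserIdentity, expectedUserIdentity, StringComparison.OrdinalIgnoreCase))
                problems.Add($"UserIdentity is '{kv.UserIdentity}', expected '{expectedUserIdentity}'");

            // The user-assigned identity named in KeyVaultProperties must also be attached to the cluster,
            // otherwise the cluster has nothing to authenticate to the vault with.
            bool attached = false;
            if (identity?.UserAssignedIdentities != null)
                foreach (var id in identity.UserAssignedIdentities.Keys)
                    if (string.Equals(id.ToString(), expectedUserIdentity, StringComparison.OrdinalIgnoreCase))
                        attached = true;
            if (!attached)
                problems.Add("the user-assigned identity is not attached to the cluster");
        }

        return problems;
    }

    public static async Task<int> Main()
    {
        var tenantId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx";
        var clientId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx";
        var clientSecret = Environment.GetEnvironmentVariable("KUSTO_CLIENT_SECRET"); // never hard-code it
        var subscriptionId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx";

        // Point both the token request and the ARM endpoint at Azure China (assumption: see lead-in).
        var credential = new ClientSecretCredential(tenantId, clientId, clientSecret,
            new ClientSecretCredentialOptions { AuthorityHost = AzureAuthorityHosts.AzureChina });
        var arm = new ArmClient(credential, subscriptionId,
            new ArmClientOptions { Environment = ArmEnvironment.AzureChina });

        var subscription = await arm.GetDefaultSubscriptionAsync();
        var resourceGroup = (await subscription.GetResourceGroupAsync("testrg")).Value;
        var clusterData = (await resourceGroup.GetKustoClusterAsync("mykustocluster")).Value.Data;

        var problems = Check(
            clusterData,
            expectedKeyName: "<keyName>",
            expectedVaultUri: new Uri("https://<keyVaultName>.vault.azure.cn/"),
            expectedUserIdentity: "/subscriptions/<identitySubscriptionId>/resourcegroups/<identityResourceGroupName>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identityName>");

        foreach (var p in problems) Console.Error.WriteLine("CMK check failed: " + p);
        if (problems.Count == 0) Console.WriteLine("Customer-managed key configuration verified.");
        return problems.Count == 0 ? 0 : 1; // non-zero exit lets a pipeline gate on the result
    }
}
```

Pass `null` as `expectedUserIdentity` when you configured the cluster with the system-assigned identity; the check then confirms the identity is enabled and that no stale `UserIdentity` remains in `KeyVaultProperties`. The `KeyVersion` is deliberately not compared, because leaving it null lets the cluster follow the latest key version.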