Authenticate Azure Spring Cloud with Key Vault in GitHub Actions

Key Vault is a secure place to store keys. Enterprise users need to store credentials for CI/CD environments in a scope that they control. The key used to retrieve credentials from the key vault should be limited to the resource scope: it has access only to the key vault, not to the entire Azure subscription. It is like a key that can only open a strong box, not a master key that opens every door in the building. This is a way to obtain one key with another key, which is useful in a CI/CD workflow.

Generate Credential

To generate a key for accessing the key vault, run the following command on your local machine:

az ad sp create-for-rbac --role contributor --scopes /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.KeyVault/vaults/<KEY_VAULT> --sdk-auth

The scope specified by the --scopes parameter limits the key's access to that one resource. It can only open the strong box.

The command returns:

{
    "clientId": "<GUID>",
    "clientSecret": "<GUID>",
    "subscriptionId": "<GUID>",
    "tenantId": "<GUID>",
    "activeDirectoryEndpointUrl": "https://login.partner.microsoftonline.cn",
    "resourceManagerEndpointUrl": "https://management.chinacloudapi.cn/",
    "sqlManagementEndpointUrl": "https://management.core.chinacloudapi.cn:8443/",
    "galleryEndpointUrl": "https://gallery.azure.com/",
    "managementEndpointUrl": "https://management.core.chinacloudapi.cn/"
}

Then save the results to GitHub secrets as described in Set up your GitHub repository and authenticate with Azure.

Add Access Policies for the Credential

The credential you created above can only read general information about the Key Vault, not the contents it stores. To read secrets stored in the Key Vault, you need to set access policies for the credential.

Go to the Key Vault dashboard in the Azure portal, click the Access control menu, then open the Role assignments tab. Select Apps for Type and This resource for Scope. You should see the credential you created in the previous step:

(Screenshot: Set access policies)

Copy the credential name, for example azure-cli-2020-01-19-04-39-02. Open the Access policies menu, then click the +Add Access Policy link. Select Secret Management for Template, then select Principal. Paste the credential name into the Principal/Select input box:

(Screenshot: Select)

Click the Add button in the Add access policy dialog, then click Save.

Generate full-scope Azure Credential

This is the master key that opens all doors in the building. The procedure is similar to the previous step, but here we change the scope to the whole subscription to generate the master key:

az ad sp create-for-rbac --role contributor --scopes /subscriptions/<SUBSCRIPTION_ID> --sdk-auth

Again, the command returns:

{
    "clientId": "<GUID>",
    "clientSecret": "<GUID>",
    "subscriptionId": "<GUID>",
    "tenantId": "<GUID>",
    "activeDirectoryEndpointUrl": "https://login.partner.microsoftonline.cn",
    "resourceManagerEndpointUrl": "https://management.chinacloudapi.cn/",
    "sqlManagementEndpointUrl": "https://management.core.chinacloudapi.cn:8443/",
    "galleryEndpointUrl": "https://gallery.azure.com/",
    "managementEndpointUrl": "https://management.core.chinacloudapi.cn/"
}

Copy the entire JSON string. Go back to the Key Vault dashboard. Open the Secrets menu, then click the Generate/Import button. Enter a secret name, such as AZURE-CREDENTIALS-FOR-SPRING. Paste the JSON credential string into the Value input box. You may notice that the Value input box is a single-line text field rather than a multi-line text area; you can still paste the complete JSON string there.

(Screenshot: Full-scope credential)
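As an added example (not code from this page or from Microsoft), a small Python helper that checks the two things the procedure above depends on: that the --scopes value for the strong-box key names a single Key Vault resource rather than the whole subscription, and that an --sdk-auth JSON blob is usable (the fields azure/login needs are present, no literal <GUID> placeholder was left in) and can be compacted to one line for the portal's single-line Value box. The resource ID layout and field names are the ones shown on this page; the sample values used in the checks are constructed.

```python
import json
import re

# Constructed pattern for the Key Vault resource ID used as the --scopes value on this page
VAULT_SCOPE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.KeyVault/vaults/[^/]+$",
    re.IGNORECASE,
)
RG_SCOPE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.IGNORECASE)
SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[^/]+$", re.IGNORECASE)

# Fields azure/login reads from an --sdk-auth JSON blob
REQUIRED_SDK_AUTH_KEYS = ("clientId", "clientSecret", "subscriptionId", "tenantId")

def classify_scope(scope: str) -> str:
    """Classify a --scopes value as 'vault', 'resource-group', 'subscription' or 'unknown'."""
    scope = scope.strip()
    if VAULT_SCOPE.match(scope):
        return "vault"
    if RG_SCOPE.match(scope):
        return "resource-group"
    if SUBSCRIPTION_SCOPE.match(scope):
        return "subscription"
    return "unknown"

def is_strong_box_scope(scope: str) -> bool:
    """The vault-access credential (the strong box key) must be scoped to a single Key Vault."""
    return classify_scope(scope) == "vault"

def validate_sdk_auth(raw: str) -> list:
    """Return the problems found in an --sdk-auth JSON string; an empty list means it is usable."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        return ["not valid JSON: " + exc.msg]
    if not isinstance(data, dict):
        return ["top-level value is not a JSON object"]
    problems = []
    for key in REQUIRED_SDK_AUTH_KEYS:
        value = data.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append("missing or empty field: " + key)
        elif value.startswith("<") and value.endswith(">"):
            problems.append("placeholder not replaced: " + key)  # e.g. the literal "<GUID>"
    return problems

def compact_for_secret_value(raw: str) -> str:
    """Re-serialise the JSON on one line so it fits the single-line Value box in the portal."""
    return json.dumps(json.loads(raw), separators=(",", ":"))
```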

Combine credentials in GitHub Actions

Set the credentials used when the CI/CD pipeline executes:

on: [push]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: azure/login@v1
      with:
        creds: ${{ secrets.AZURE_CREDENTIALS }}           # Strong box key you generated in the first step
    - uses: Azure/get-keyvault-secrets@v1.0
      with:
        keyvault: "<Your Key Vault Name>"
        secrets: "AZURE-CREDENTIALS-FOR-SPRING"           # Master key to open all doors in the building
      id: keyvaultaction
    - uses: azure/login@v1
      with:
        creds: ${{ steps.keyvaultaction.outputs.AZURE-CREDENTIALS-FOR-SPRING }}
    - name: Azure CLI script
      uses: azure/CLI@v1
      with:
        azcliversion: 2.0.75
        inlineScript: |
          az extension add --name spring-cloud             # Spring CLI commands from here
          az spring-cloud list

Next steps