pdm vault usage: How to better protect your secrets in Logic Apps using the Key Vault connector

One of the key challenges that users face while using Logic Apps is managing secret values. This used to be handled by passing the secrets in through ARM templates, which is not an out-of-the-box solution.

Before the Key Vault connector became available in Logic Apps, one of the better workarounds was to use the HTTP action available in Logic Apps together with the Managed Identity authentication mode. Even this workaround has a few considerations:

  1. The Logic App run history contains the secret values, and they cannot be hidden.
  2. Currently, we can only have 10 logic apps that have system-assigned managed identities.

Let us explore how to better protect the secrets in your Logic Apps using the new Key Vault connector. I will also show how the issues above can be addressed with the Key Vault connector.

Design your sample Logic App

Follow the steps below to create your sample logic app in the designer page.

  1. Add an “HTTP request” trigger to the logic app. Later we will call this logic app via a REST client.

  2. Then, search for the Key Vault actions and add the “Get Secret” action to the logic app. You have a couple of options here to authenticate: either Azure AD or a Service Principal. In this example, I am going ahead with Azure AD.

  3. Sign in with your account. This account should have enough permission to access your Key Vault; otherwise you have to grant access manually through Access policies.

  4. Fill in the required field with the “<secret name>”. If you don’t already have one in place, you can create one from the Key Vault menu, where you will find the “Secrets” option in the left pane.

Note: If you are provisioning the Key Vault itself for the first time, remember that you may need to register the Key Vault service with your subscription manually. (I encountered this issue when I did it for the first time.)

  5. Now, add the “HTTP response” action to the logic app and fill in the following fields:
     Status Code: 200
     Body: <add the dynamic expression: The Secret>

  6. Save the Logic App.

Testing the Logic App

Now, copy the HTTP POST URL from the Logic App trigger and head to ReqBin (an online REST client). Paste the URL in the address field, change the default method from GET to POST and click Send.

The logic app is triggered and sends back response code 200 along with the secret value, as shown in the picture below.

Inspecting the Run History

On inspecting the run history of the logic app, we notice that the secret values are visible in plain text.

Do you remember the same problem we encountered in the classic method? As I said, this can be easily addressed through the Key Vault connector settings by following the steps below:

  1. Head back to the designer and click on the Settings option under the “more options” menu of the Key Vault connector.

  2. In the settings for the “Get Secret” action, enable the Secure Inputs and Secure Outputs options and click Done.

  3. Save the logic app again and call it through the REST client (reqbin.com). You will get the same response in ReqBin, but the run history no longer contains the secret values in plain text. Instead it shows “Content not shown due to security configuration”.
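As an added illustration (not code from the original post), the following audits an exported Logic App workflow definition for the setting the steps above toggle: Secure Inputs and Secure Outputs are stored on the action as runtimeConfiguration.secureData. The sample definition, the connection name "keyvault" and the secret name "my-secret" are constructed assumptions, and the downstream-consumer check is stricter than what the post enables.

```python
import copy
import json
import re

# Constructed sample modelled on the workflow built in this post (not the author's
# exported definition): Key Vault "Get secret" -> Response returning the secret.
WORKFLOW = {"actions": {
    "Get_secret": {"type": "ApiConnection", "runAfter": {}, "inputs": {
        "host": {"connection": {"name": "@parameters('$connections')['keyvault']['connectionId']"}},
        "method": "get", "path": "/secrets/@{encodeURIComponent('my-secret')}/value"}},
    "Response": {"type": "Response", "runAfter": {"Get_secret": ["Succeeded"]}, "inputs": {
        "statusCode": 200, "body": "@body('Get_secret')?['value']"}}}}

# What the designer's Secure Inputs / Secure Outputs toggles write into the definition.
SECURE_DATA = {"secureData": {"properties": ["inputs", "outputs"]}}

def secured_props(action):
    """Properties of this action that are hidden from run history."""
    return set(action.get("runtimeConfiguration", {}).get("secureData", {}).get("properties", []))

def keyvault_actions(workflow):
    """Names of ApiConnection actions bound to a Key Vault connection."""
    return {n for n, a in workflow["actions"].items() if a.get("type") == "ApiConnection"
            and "keyvault" in json.dumps(a.get("inputs", {}).get("host", {}))}

def audit(workflow):
    """Findings: Key Vault actions without secured inputs/outputs, plus (a stricter
    check than the post's setting) consumers of their outputs without secured inputs."""
    findings, kv = [], keyvault_actions(workflow)
    for name in sorted(kv):
        for prop in ("inputs", "outputs"):
            if prop not in secured_props(workflow["actions"][name]):
                findings.append(f"{name}: secure {prop} not enabled")
    for name, action in sorted(workflow["actions"].items()):
        refs = set(re.findall(r"(?:body|outputs)\('([^']+)'\)", json.dumps(action.get("inputs", {}))))
        if refs & kv and "inputs" not in secured_props(action):
            findings.append(f"{name}: consumes {', '.join(sorted(refs & kv))} without secure inputs")
    return findings

def harden(workflow):
    """Return a copy with Secure Inputs and Outputs enabled on every action audit() flags."""
    fixed = copy.deepcopy(workflow)
    for finding in audit(fixed):
        action = fixed["actions"][finding.split(":")[0]]
        action["runtimeConfiguration"] = {**action.get("runtimeConfiguration", {}), **copy.deepcopy(SECURE_DATA)}
    return fixed
```

Running audit(WORKFLOW) reports three findings for the sample; audit(harden(WORKFLOW)) reports none.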

We have now addressed the first concern with the classic method. The second concern was that we can only have 10 logic apps that have system-assigned managed identities.

We have also overcome this issue by not using the Managed Identity mode of authentication in the connector. Instead it authenticates through Azure Active Directory or a Service Principal (which has the downside of needing to rotate secrets, though).

Once the user has been granted enough permissions on the Key Vault through an Access Policy, they will be able to access the Key Vault from any number of Logic Apps.

Expanded Feature Set

While digging further into the Logic Apps Key Vault actions, I found some more interesting use cases that can be achieved through the Encrypt and Decrypt actions.

If the user is more concerned about their data, they can use the Encrypt and Decrypt actions to keep the values more secure.

To do this, create an encryption key in the Key Vault.

Using the Encrypt and Decrypt actions in the Key Vault connector you can encrypt the data and decrypt it again. As seen above, we can also enable the Secure Inputs and Outputs option in the settings to make it more secure.

Manage and Monitor Logic Apps using Serverless360

Serverless360 is one platform to manage and monitor all your Azure Serverless resources, with a focus on helping your operations and supporting your team on a day-to-day basis.

Consider the above workflow of a business application defined using multiple Azure Logic Apps.

Different stakeholders of the business application will have different needs as they manage and monitor the Azure Logic Apps.

Some key requirements which are hard to achieve through the Azure portal are:

  • auto-correcting the Logic App state when it is found to be not as expected
  • instant reflection of the warning and error state of the Logic App in a service map view
  • near-real-time detection of failures
  • automated re-submission of specific failed run actions
  • end-to-end tracking of the messages flowing through the Logic Apps, and
  • evaluation of consumption, performance and reliability.

These requirements cannot be achieved directly through the Azure portal. But Serverless360 can come in as a complement to the Azure portal, as it is crafted with capabilities to address the gaps in the Azure portal.

Wrap-up

In this blog, we have seen the classic and the latest methods of protecting your secrets in Logic Apps. I also hope this blog has given you a clearer understanding of the Key Vault connector that is now available.

Lastly, I covered the extended feature set of the Logic Apps Key Vault connector: the Encrypt and Decrypt actions.

I hope you enjoyed reading this article. Happy learning!

Translated from: https://www.freecodecamp.org/news/how-to-better-protect-your-secrets-in-logic-apps-using-key-vault-connector/
