从Service Fabric访问Azure Key Vault中的机密

1）Azure配置（VM规模集+Key Vault）：

Login-AzureRmAccount # Login into Azure account

$targetRg = "testfabric-rg" # Target resource group name
$targetVmss = "jxewcyinq" # Target virtual machine scale set name
$targetKeyVault = "az-ure-two20190115153549" # Target Key Vault name

# 1. Enable Managed Identity for target Virtual Machine Scale Set
Update-AzureRmVmss `
    -ResourceGroupName $targetRg `
    -VMScaleSetName $targetVmss `
    -IdentityType SystemAssigned
# 2. Retrieve virtual machine scale set
$vmss = Get-AzureRmVmss `
    -ResourceGroupName $targetRg `
    -Name $targetVmss
# 3. Create new Key vault access policy allowing Virtual Machine Scale Set to read secrets by their IDs
Set-AzureRmKeyVaultAccessPolicy `
    -VaultName $targetKeyVault `
    -ObjectId $vmss.Identity.PrincipalId `
    -PermissionsToSecrets Get # set only necessary permissions!

2) 在使用C#时获取密钥保管库秘密:

// https://www.nuget.org/packages/Microsoft.Azure.KeyVault/
using Microsoft.Azure.KeyVault;
// https://www.nuget.org/packages/Microsoft.Azure.Services.AppAuthentication
using Microsoft.Azure.Services.AppAuthentication;

public async Task<string> GetSecretById(string id)
{
    // URL of the target Key Vault
    var keyVaultUrl = "https://az-ure-two20190115153549.vault.azure.net";

    var azureServiceTokenProvider = new AzureServiceTokenProvider();

    var keyVaultClient = new KeyVaultClient(
        new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

    var secret = await keyVaultClient.GetSecretAsync($"{keyVaultUrl}/secrets/{id}");

    return secret.Value;
}