public async Task TokenCacheRefresh()
{
// ensure expired tokens are refreshed
var expired = new ManagedIdentityCredential()
{
Client = MockIdentityClient.ExpiredTokenClient
};
HashSet <string> tokens = new HashSet <string>();
for (int i = 0; i < 100; i++)
{
Assert.IsTrue(tokens.Add(await expired.GetTokenAsync(MockScopes.Default)), "token failed to refresh");
}
// ensure non expired tokens are not refeshed
var live = new ManagedIdentityCredential()
{
Client = MockIdentityClient.LiveTokenClient
};
tokens.Clear();
tokens.Add(await live.GetTokenAsync(MockScopes.Default));
for (int i = 0; i < 100; i++)
{
Assert.IsFalse(tokens.Add(await live.GetTokenAsync(MockScopes.Default)));
}
}
public async Task VerifyAppService2019RequestWithClientIdMockAsync()
{
using (new TestEnvVar("IDENTITY_ENDPOINT", "https://identity.endpoint/"))
using (new TestEnvVar("IDENTITY_HEADER", "mock-identity-header"))
{
var expectedToken = "mock-access-token";
var response = new MockResponse(200);
response.SetContent($"{{ \"access_token\": \"{expectedToken}\", \"expires_on\": \"3600\" }}");
var mockTransport = new MockTransport(response);
var options = new TokenCredentialOptions {
Transport = mockTransport
};
ManagedIdentityCredential credential = InstrumentClient(new ManagedIdentityCredential("mock-client-id", options));
AccessToken actualToken = await credential.GetTokenAsync(new TokenRequestContext(MockScopes.Default));
Assert.AreEqual(expectedToken, actualToken.Token);
MockRequest request = mockTransport.SingleRequest;
Assert.IsTrue(request.Uri.ToString().StartsWith(EnvironmentVariables.IdentityEndpoint));
string query = request.Uri.Query;
Assert.IsTrue(query.Contains("api-version=2019-08-01"));
Assert.IsTrue(query.Contains("client_id=mock-client-id"));
Assert.IsTrue(query.Contains($"resource={Uri.EscapeDataString(ScopeUtilities.ScopesToResource(MockScopes.Default))}"));
Assert.IsTrue(request.Headers.TryGetValue("X-IDENTITY-HEADER", out string identityHeader));
Assert.AreEqual(EnvironmentVariables.IdentityHeader, identityHeader);
}
}
public async Task VerifyMSIRequest()
{
var pingResponse = new MockResponse(400);
var response = new MockResponse(200);
var expectedToken = "mock-msi-access-token";
response.SetContent($"{{ \"access_token\": \"{expectedToken}\", \"expires_on\": 3600 }}");
var mockTransport = new MockTransport(pingResponse, response);
var options = new IdentityClientOptions()
{
Transport = mockTransport
};
var credential = new ManagedIdentityCredential(options: options);
AccessToken actualToken = await credential.GetTokenAsync(MockScopes.Default);
Assert.AreEqual(expectedToken, actualToken.Token);
MockRequest request = mockTransport.Requests[1];
string query = request.UriBuilder.Query;
Assert.IsTrue(query.Contains("api-version=2018-02-01"));
Assert.IsTrue(query.Contains($"resource={Uri.EscapeDataString(ScopeUtilities.ScopesToResource(MockScopes.Default))}"));
Assert.IsTrue(request.Headers.TryGetValue("Metadata", out string metadataValue));
Assert.AreEqual("true", metadataValue);
}
private async Task <string> GetAccessTokenAsync(CancellationToken cancellationToken)
{
if (!_cacheTokens)
{
return((await GetAccessTokenFromProviderAsync(cancellationToken)).Token);
}
await _semaphoreToken.WaitAsync(cancellationToken);
try
{
//If the Token has more than 5 minutes Validity
if (DateTime.UtcNow.AddMinutes(_cacheLifeTime) <= _token.ExpiresOn.UtcDateTime)
{
return(_token.Token);
}
var credential = new ManagedIdentityCredential();
var token = await GetAccessTokenFromProviderAsync(cancellationToken);
_token = token;
return(token.Token);
}
finally
{
_semaphoreToken.Release();
}
}
public void Run([EventGridTrigger] EventGridEvent eventGridEvent, ILogger log)
{
log.LogInformation(eventGridEvent.Data.ToString());
if (adtInstanceUrl == null)
{
log.LogError("Application setting \"ADT_SERVICE_URL\" not set");
}
try
{
// Authenticate with Digital Twins
// <ManagedIdentityCredential>
var cred = new ManagedIdentityCredential("https://digitaltwins.azure.net");
// </ManagedIdentityCredential>
// <DigitalTwinsClient>
var client = new DigitalTwinsClient(
new Uri(adtInstanceUrl),
cred,
new DigitalTwinsClientOptions
{
Transport = new HttpClientTransport(singletonHttpClientInstance)
});
// </DigitalTwinsClient>
log.LogInformation($"ADT service client connection created.");
/*
* Add your business logic here.
*/
}
catch (Exception e)
{
log.LogError(e.Message);
}
}
/// <summary>
/// Add Azure App Config
///
/// You must have a secrets.json defined!
///
/// Some Helpful Links:
/// Add a Key Vault Reference to App Configuration - https://docs.microsoft.com/en-us/azure/azure-app-configuration/use-key-vault-references-dotnet-core?tabs=cmd%2Ccore2x#add-a-key-vault-reference-to-app-configuration
/// App Config Best Practices - https://docs.microsoft.com/en-us/azure/azure-app-configuration/howto-best-practices
/// Feature Flags - https://docs.microsoft.com/en-us/azure/azure-app-configuration/concept-feature-management
/// Feature Flogs How To - https://docs.microsoft.com/en-us/azure/azure-app-configuration/howto-feature-filters-aspnet-core
/// Assign a Azure Config Access Policy - https://docs.microsoft.com/en-us/azure/azure-app-configuration/howto-integrate-azure-managed-service-identity?tabs=core2x
/// Using DefaultAzureCredentialOptions - https://www.rahulpnath.com/blog/defaultazurecredential_from_azure_sdk/?utm_source=site-bookmark
/// </summary>
/// <param name="debug">Check if debug for local settings vs. production</param>
/// <param name="builder">The configuration builder object</param>
/// <param name="initialConfig">The initial config that holds the app config objects</param>
private static void AddAzureAppConfig(bool debug, ConfigurationBuilder builder, IConfigurationRoot initialConfig)
{
// You can call these variables anything you like, this is just what I defaulted them to
// Please note that when you define a key in Azure App config it should be done with the following structure
// Example: AppConfig:Database:ConnectionString
// If you structure it like so it will automatically map to the AppConfig.cs object. For this example it would map to AppConfig.Database.ConnectionString.
try
{
Action <AzureAppConfigurationOptions> azureAppConfigOptions;
if (debug)
{
// There are two different ways to connect into this in development mode.
// The first is through the TenantID, AppId and AppSecret as shown below
azureAppConfigOptions = (options =>
{
// If you are using Azure Key Vault, you can connect it into App Config, see **Add a Key Vault Reference to App Configuration**
if (!string.IsNullOrEmpty(initialConfig["TenantId"]) && !string.IsNullOrEmpty(initialConfig["AppId"]) && !string.IsNullOrEmpty(initialConfig["AppSecret"]))
{
options.ConfigureKeyVault(kv => { kv.SetCredential(new ClientSecretCredential(initialConfig["TenantId"], initialConfig["AppId"], initialConfig["AppSecret"])); });
}
options.Connect(initialConfig["AzureAppConfigConnectionString"]);
});
// The other way to do it is through the DefaultAzureCredentials, see **Using DefaultAzureCredentialOptions**
// These default credentials SHOULD default to what you have setup in visual studio, but if they do not you can use the SharedTokenCacheUsername option
// This also assumes the developer has access to both the key vault and app config.
//azureAppConfigOptions = (options =>
//{
// var azureCredentialOptions = new DefaultAzureCredentialOptions
// {
// SharedTokenCacheUsername = "******"
// };
// var credentials = new DefaultAzureCredential(azureCredentialOptions);
// // If you are using Azure Key Vault, you can connect it into App Config, see **Assign a Azure Config Access Policy**
// options.ConfigureKeyVault(kv => { kv.SetCredential(credentials); });
// options.Connect(new Uri(initialConfig["AzureConfigUri"]), credentials);
//});
}
else
{
// This assumes you have setup a service principle to access the App Config on behalf of this app, see **Assign a Key Vault Access Policy** above
azureAppConfigOptions = (options =>
{
var credentials = new ManagedIdentityCredential(initialConfig["AppId"]);
// If you are using Azure Key Vault, you can connect it into App Config, see **Assign a Azure Config Access Policy**
options.ConfigureKeyVault(kv => { kv.SetCredential(credentials); });
options.Connect(new Uri(initialConfig["AzureConfigUri"]), credentials);
});
}
builder.AddAzureAppConfiguration(azureAppConfigOptions);
}
catch (Exception ex)
{
Console.WriteLine(ex);
}
}
private string GetAccessToken()
{
if (!_cacheTokens)
{
return(GetAccessTokenFromProvider().Token);
}
_semaphoreToken.Wait();
try
{
//If the Token has more than 5 minutes Validity
if (DateTime.UtcNow.AddMinutes(_cacheLifeTime) <= _token.ExpiresOn.UtcDateTime)
{
return(_token.Token);
}
var credential = new ManagedIdentityCredential();
var token = GetAccessTokenFromProvider();
_token = token;
return(token.Token);
}
finally
{
_semaphoreToken.Release();
}
}
// List blobs in a container
public List <string> listBlobs(string containerUri, string identity = null, string prefix = null, string exclude = null)
{
var Cred = new ManagedIdentityCredential(identity);
var containerClient = new BlobContainerClient(new Uri(containerUri), Cred);
containerClient.CreateIfNotExists();
try
{
List <string> blobListing = new List <string>();
if (exclude != null)
{ // apply --exclude regular expression
var rx = new Regex(exclude);
blobListing = containerClient.GetBlobs(prefix: prefix).Select(i => rx.IsMatch(i.Name) ? null : i.Name).ToList();
while (blobListing.Remove(null))
{
}
;
}
else
{ // return full list
blobListing = containerClient.GetBlobs(prefix: prefix).Select(i => i.Name).ToList();
}
return(blobListing.Count == 0 ? null : blobListing);
}
catch (Exception ex)
{
throw IdentityError(identity, ex);
}
}
// Get MSI access token
public string getToken(string endpoint = "management", string identity = null, bool JWTformat = false)
{
var Cred = new ManagedIdentityCredential(identity);
if (string.IsNullOrEmpty(endpoint))
{
endpoint = "management";
}
;
var Scope = new String[] { $"https://{endpoint}.azure.com" };
var Request = new TokenRequestContext(Scope);
try
{
var Token = Cred.GetToken(Request);
if (JWTformat)
{
var stream = Token.Token;
var handler = new JwtSecurityTokenHandler();
var jsonToken = handler.ReadToken(stream);
var tokenS = handler.ReadToken(stream) as JwtSecurityToken;
return(tokenS.ToString()); // decoded JSON Web Token
}
else
{
return(Token.Token); // encoded JWT token
}
} catch (Exception ex)
{
throw IdentityError(identity, ex);
}
}
//
// execute GetSecret
//
public string Execute(string secretIdentifierUrl, string filePath = null, string identity = null)
{
(Uri keyVaultUri, string secretName, string secretVersion) = ValidateAndParseSecretURL(secretIdentifierUrl);
var MIcredential = new ManagedIdentityCredential(identity);
var secretClient = new SecretClient(keyVaultUri, MIcredential);
// Retrieve a secret
try
{
KeyVaultSecret secret = secretClient.GetSecret(secretName, secretVersion);
string secretValue = secret.Value;
if (String.IsNullOrEmpty(filePath))
{ // print to stdout
return(secretValue);
}
else
{ // creates or overwrites file and saves secret into it
File.WriteAllText(filePath, secretValue);
return("Saved");
}
} catch (Exception ex)
{
throw AzmiException.IDCheck(identity, ex);
}
}
public async Task <string> GetAsync(string key)
{
TokenCredential tokenCredential;
if (_azureKeyVaultConfigurationSettings.UseManagedIdentity)
{
tokenCredential = new ManagedIdentityCredential();
}
else
{
tokenCredential = new ClientSecretCredential(
_azureKeyVaultConfigurationSettings.TenantId,
_azureKeyVaultConfigurationSettings.ClientId,
_azureKeyVaultConfigurationSettings.ClientSecret);
}
var client = new SecretClient(new Uri(_azureKeyVaultConfigurationSettings.VaultUri), tokenCredential);
//Key not found in local dictionary. Get it from Azure Key Vault and put it in local secrets store for later use
var secret = await client.GetSecretAsync(key);
if (secret == null || secret.Value == null || secret.Value.Value == null)
{
throw new ArgumentException($"The key {key} was not found in Azure Key Vault.");
}
return(secret.Value.Value);
}
public static IHostBuilder CreateHostBuilder(string[] args) =>
Host.CreateDefaultBuilder(args)
.ConfigureWebHostDefaults(webBuilder =>
webBuilder.ConfigureAppConfiguration((hostingContext, config) =>
{
var settings = config.Build();
#if DEBUG
config.AddAzureAppConfiguration(options =>
{
options.Connect(settings["ConnectionStrings:AppConfig"])
.ConfigureKeyVault(kv =>
{
kv.SetCredential(new DefaultAzureCredential());
});
});
#else
var credentials = new ManagedIdentityCredential();
config.AddAzureAppConfiguration(options =>
{
options.Connect(new Uri(settings["AppConfig:Endpoint"]), credentials)
.ConfigureKeyVault(kv =>
{
kv.SetCredential(credentials);
});
});
#endif
})
.UseStartup <Startup>());
public void VerifyImdsUnavailableImmediateFailureMockAsync()
{
using (new TestEnvVar("MSI_ENDPOINT", null))
using (new TestEnvVar("MSI_SECRET", null))
{
var mockTransport = new MockTransport(request => throw new Exception("mock imds probe exception"));
var options = new TokenCredentialOptions()
{
Transport = mockTransport
};
ManagedIdentityCredential credential = InstrumentClient(new ManagedIdentityCredential("mock-client-id", options));
Assert.ThrowsAsync <CredentialUnavailableException>(async() => await credential.GetTokenAsync(new TokenRequestContext(MockScopes.Default)));
MockRequest request = mockTransport.Requests[0];
string query = request.Uri.Query;
Assert.IsTrue(query.Contains("api-version=2018-02-01"));
Assert.False(request.Headers.TryGetValue("Metadata", out string _));
}
}
/// <summary>
/// Create the ServiceClientCredentials object based on the credentials
/// supplied in local configuration file, or with a system managed identity.
/// </summary>
/// <param name="config">The param is of type ConfigWrapper. This class reads values from local configuration file.</param>
/// <returns></returns>
private static async Task <ServiceClientCredentials> GetCredentialsAsync(ConfigWrapper config)
{
var scopes = new[] { config.ArmAadAudience + "/.default" };
string token;
if (config.AadClientId != null) // Service Principal
{
var app = ConfidentialClientApplicationBuilder.Create(config.AadClientId)
.WithClientSecret(config.AadSecret)
.WithAuthority(AzureCloudInstance.AzurePublic, config.AadTenantId)
.Build();
var authResult = await app.AcquireTokenForClient(scopes)
.ExecuteAsync()
.ConfigureAwait(false);
token = authResult.AccessToken;
}
else // managed identity
{
var credential = new ManagedIdentityCredential();
var accessTokenRequest = await credential.GetTokenAsync(
new TokenRequestContext(
scopes : scopes
)
);
token = accessTokenRequest.Token;
}
return(new TokenCredentials(token, TokenType));
}
//
//
// **** Cmdlet start ****
//
//
protected override void ProcessRecord()
{
var cred = new ManagedIdentityCredential(Identity);
WriteVerbose($"Parsing secret... '{Secret}'");
//(Uri keyVault, string secretName, string secretVersion) = ParseSecret(secrets);
(Uri keyVault, string secretName, string secretVersion) = Shared.ParseUrl(Secret, "secrets");
WriteVerbose($"Obtaining KV client for '{keyVault}' using '{Identity}'...");
var secretClient = new SecretClient(keyVault, cred);
WriteVerbose($"Obtaining secret {secretName}...");
var secretValue = secretClient.GetSecret(secretName, secretVersion).Value.Value;
// return value
if (String.IsNullOrEmpty(File))
{
WriteObject(secretValue);
}
else
{
WriteVerbose($"Saving secret to file {File}...");
System.IO.File.WriteAllText(File, secretValue);
// TODO: Add test for file in current dir
// TODO: Candidate for async
}
}
public static async Task <IActionResult> Run(
[HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)] HttpRequest req,
ILogger log)
{
log.LogInformation("C# HTTP trigger function processed a request.");
string name = req.Query["name"];
//var credential = new ClientSecretCredential("231dd9cd-ddc7-4fba-ae78-9f4ac3c912e7", "5f43fe5c-1c2b-4afa-97e6-fda41302e28b", "5ZlLakKHA:DE.6Jq-GbJWF=icJaCwW32");
var credential = new ManagedIdentityCredential();
var kvUri = "https://kvswapana.vault.azure.net/";
var secretClient = new SecretClient(new Uri(kvUri), credential);
var encryptedDEK = secretClient.GetSecret("DEK");
var keyClient = new KeyClient(new Uri(kvUri), credential);
var encryptedKEY = keyClient.GetKey("KEK");
var cryptoClient = new CryptographyClient(encryptedKEY.Value.Id, credential);
DecryptResult decryptDek = cryptoClient.Decrypt(EncryptionAlgorithm.RsaOaep256, Convert.FromBase64String(encryptedDEK.Value.Value));
string requestBody = await new StreamReader(req.Body).ReadToEndAsync();
dynamic data = JsonConvert.DeserializeObject(requestBody);
name = name ?? data?.name;
return(name != null
// Create MemoryStream
? (ActionResult) new OkObjectResult($"Hello, {name}, {encryptedKEY.Value.Id}, {Encoding.UTF8.GetString(decryptDek.Plaintext)}")
: new BadRequestObjectResult("Please pass a name on the query string or in the request body"));
}
//
// Execute GetBlob
//
public string Execute(string blobURL, string filePath, string identity = null, bool ifNewer = false, bool deleteAfterCopy = false)
{
// method start
// Connection
var Cred = new ManagedIdentityCredential(identity);
var blobClient = new BlobClient(new Uri(blobURL), Cred);
if (ifNewer && File.Exists(filePath) && !IsNewer(blobClient, filePath))
{
return("Skipped. Blob is not newer than file.");
}
try
{
string absolutePath = Path.GetFullPath(filePath);
string dirName = Path.GetDirectoryName(absolutePath);
Directory.CreateDirectory(dirName);
blobClient.DownloadTo(filePath);
if (deleteAfterCopy)
{
blobClient.Delete();
}
return("Success");
} catch (Azure.RequestFailedException)
{
throw;
} catch (Exception ex)
{
throw AzmiException.IDCheck(identity, ex);
}
}
public async Task ValidateUserAssignedIdentity()
{
if (string.IsNullOrEmpty(TestEnvironment.SFEnable) || string.IsNullOrEmpty(TestEnvironment.UserAssignedVault))
{
Assert.Ignore();
}
using (ReadOrRestoreManagedIdentityEnvironment())
{
var vaultUri = new Uri(TestEnvironment.UserAssignedVault);
var clientId = TestEnvironment.IMDSClientId;
CredentialPipeline pipeline = CredentialPipeline.GetInstance(InstrumentClientOptions(new TokenCredentialOptions {
Transport = ServiceFabricManagedIdentitySource.GetServiceFabricMITransport()
}));
var cred = new ManagedIdentityCredential(new ManagedIdentityClient(new ManagedIdentityClientOptions {
Pipeline = pipeline, ClientId = clientId, PreserveTransport = true
}));
// Hard code service version or recorded tests will fail: https://github.com/Azure/azure-sdk-for-net/issues/10432
var kvoptions = InstrumentClientOptions(new SecretClientOptions(SecretClientOptions.ServiceVersion.V7_0));
var kvclient = InstrumentClient(new SecretClient(vaultUri, cred, kvoptions));
KeyVaultSecret secret = await kvclient.SetSecretAsync("identitytestsecret", "value");
Assert.IsNotNull(secret);
}
}
private void InitializeAzureKeyVaultProvider()
{
// Initialize the Azure Key Vault provider
TokenCredential tokenCredential = null;
SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(Configuration.GetConnectionString("ContosoHRDatabase"));
if (builder.Authentication == SqlAuthenticationMethod.ActiveDirectoryManagedIdentity)
{
tokenCredential = new ManagedIdentityCredential();
}
else
{
var clientId = "...";
var secret = "...";
var tenantId = "...";
tokenCredential = new ClientSecretCredential(tenantId, clientId, secret);
}
SqlColumnEncryptionAzureKeyVaultProvider sqlColumnEncryptionAzureKeyVaultProvider =
new SqlColumnEncryptionAzureKeyVaultProvider(tokenCredential);
SqlConnection.RegisterColumnEncryptionKeyStoreProviders(
customProviders: new Dictionary <string, SqlColumnEncryptionKeyStoreProvider>(capacity: 1, comparer: StringComparer.OrdinalIgnoreCase)
{
{ SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, sqlColumnEncryptionAzureKeyVaultProvider }
}
);
}
public void VerifyImdsAvailableUserCanceledMockAsync()
{
using (new TestEnvVar("MSI_ENDPOINT", null))
using (new TestEnvVar("MSI_SECRET", null))
{
var mockTransport = new MockTransport();
var options = new TokenCredentialOptions()
{
Transport = mockTransport
};
CancellationTokenSource cancellationSource = new CancellationTokenSource();
cancellationSource.Cancel();
var pipeline = CredentialPipeline.GetInstance(options);
ManagedIdentityCredential credential = InstrumentClient(new ManagedIdentityCredential(pipeline, new MockManagedIdentityClient(pipeline, "mock-client-id")
{
ImdsAvailableFunc = ct => { ct.ThrowIfCancellationRequested(); return(true); }
}));
Assert.CatchAsync <OperationCanceledException>(async() => await credential.GetTokenAsync(new TokenRequestContext(MockScopes.Default), cancellationSource.Token));
}
}
private async Task CreateDatalakeStorageAsync(IStorageAccount accountCreated, string fileSystemName, string defaultFolderName, string identityToGiveAccess)
{
this.logger.LogTrace($"Creating ADLS Gen2 File System {fileSystemName} in account {accountCreated.Name}...");
// Create the basic parameters and the ADLS client proxy
var creds = default(Azure.Core.TokenCredential);
var adlsUri = $"https://{accountCreated.Name}.dfs.core.windows.net";
if (base.CredentialsUseSp)
{
creds = new ClientSecretCredential(base.TenantId, base.ClientId, base.ClientSecret);
}
else
{
creds = new ManagedIdentityCredential();
}
var adlsClient = new DataLakeServiceClient(new Uri(adlsUri), creds);
// Create the file system with retry logic, should work on first attempt.
await RetryActionAsync(async() => {
this.logger.LogTrace("- Attempt to create file system...");
var adlsFsClient = await adlsClient.CreateFileSystemAsync(fileSystemName);
this.logger.LogTrace("- Attempt succeeded!");
});
// Creating the folder did require serveral retries until permissions propagated, correctly.
await RetryActionAsync(async() => {
this.logger.LogTrace("- Attempt to create folder.");
var adlsFsClient = adlsClient.GetFileSystemClient(fileSystemName);
await adlsFsClient.CreateDirectoryAsync(defaultFolderName);
this.logger.LogTrace("- Attempt succeeded!");
});
this.logger.LogTrace($"ADLS File System {fileSystemName} created!");
}
private static BlobClient GetBlobClient(ILogger log,
string mode,
string miClientID,
string storageEndPoint,
string clientId,
string clientSecret,
string tennat,
string blobContainerName,
string blobName)
{
log.LogInformation($"will access using {mode}");
Azure.Identity.TokenCredentialOptions options = default;
ClientSecretCredential spnToken = new ClientSecretCredential(tennat, clientId, clientSecret);
ManagedIdentityCredential token = new ManagedIdentityCredential(miClientID, options);
string saConnectionString = "";
// note, that in a real impl, only one type should be used
if (mode.Equals("spn"))
{
var client = new SecretClient(new Uri("https://gensaskv.vault.azure.net/"), spnToken);
saConnectionString = client.GetSecret("sa-cs").Value.Value;
}
else
{
var client = new SecretClient(new Uri("https://gensaskv.vault.azure.net/"), token);
saConnectionString = client.GetSecret("sa-cs").Value.Value;
}
BlobClient blobClient = new BlobClient(saConnectionString, blobContainerName, blobName);
log.LogInformation($"got blob client via token, blobClient.CanGenerateSasUri ? {blobClient.CanGenerateSasUri}");
return(blobClient);
}
public static async Task <IActionResult> Run(
[HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)] HttpRequest req,
ILogger log)
{
var managedIdentityClientId = Environment.GetEnvironmentVariable("MANAGED_IDENTITY_CLIENT_ID");
var configurationEndpoint = Environment.GetEnvironmentVariable("CONFIGURATION_ENDPOINT");
var managedIdentityCredential = new ManagedIdentityCredential(managedIdentityClientId);
var configurationEndpointUri = new Uri(configurationEndpoint);
IConfigurationBuilder configurationBuilder = new ConfigurationBuilder();
configurationBuilder.AddAzureAppConfiguration(options => {
options.Connect(configurationEndpointUri, managedIdentityCredential);
options.ConfigureKeyVault(opt => {
opt.SetCredential(managedIdentityCredential);
});
});
var name = configurationBuilder.Build() ["tst"];
log.LogInformation("C# HTTP trigger function processed a request.");
return(name != null ?
(ActionResult) new OkObjectResult($"Hello, {name}") :
new BadRequestObjectResult("Please pass a name on the query string or in the request body"));
}
public async Task <string> GetSecretAsApplicationUsingUserManagedIdentityAsync()
{
logger.LogInformation("----- User Assigned Managed Identity");
SecretClientOptions options = KeyVaultUtility.CreateSecretClientOptions();
var credentials = new ManagedIdentityCredential(keyVaultConfiguration.UserAssignedManagedIdentityClientId);
var keyVault = keyVaultConfiguration.Url;
var client = new SecretClient(new Uri(keyVault), credentials, options);
KeyVaultSecret secret = null;
try
{
secret = await client.GetSecretAsync(keyVaultConfiguration.SecretName);
return(secret.Value);
}
catch (Exception ex)
{
logger.LogError(ex, "Failed to get secret as managed identity");
throw;
}
}
// Initialize the Azure Key Vault provider for Always Encrypted. Required if column master keys are stored in Azure Key Vault.
private void InitializeAzureKeyVaultProvider()
{
TokenCredential tokenCredential = null;
SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(Configuration.GetConnectionString("ContosoHRDatabase"));
if (builder.Authentication == SqlAuthenticationMethod.ActiveDirectoryManagedIdentity)
{
// If the application uses a managed identity to talk to Azure SQL Database, use the managed identity for Azure Key Vault too.
tokenCredential = new ManagedIdentityCredential();
}
else
{
// Assume a managed identity is not available to the app. Instead, use a client id/secret to authenticate to Azure Key Vault.
// Fetch client id, secret, tenant id from the configuration.
// It is recommended you specify these parameters in secrets.json.
// See https://docs.microsoft.com/aspnet/core/security/app-secrets?view=aspnetcore-5.0&tabs=windows on how store secrets in secrets.json.
var clientId = Configuration["ClientId"];
var secret = Configuration["Secret"];
var tenantId = Configuration["TenantId"];
tokenCredential = new ClientSecretCredential(tenantId, clientId, secret);
}
SqlColumnEncryptionAzureKeyVaultProvider sqlColumnEncryptionAzureKeyVaultProvider =
new SqlColumnEncryptionAzureKeyVaultProvider(tokenCredential);
SqlConnection.RegisterColumnEncryptionKeyStoreProviders(
customProviders: new Dictionary <string, SqlColumnEncryptionKeyStoreProvider>(capacity: 1, comparer: StringComparer.OrdinalIgnoreCase)
{
{ SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, sqlColumnEncryptionAzureKeyVaultProvider }
}
);
}
private void ProcessMulti()
{
WriteVerbose("Starting to process a container");
// Connection
var cred = new ManagedIdentityCredential(Identity);
var containerClient = new BlobContainerClient(new Uri(Container), cred);
// fix path
Directory ??= Container.Split('/').Last();
Directory = Path.GetFullPath(Directory, SessionState.Path.CurrentLocation.Path);
WriteVerbose($"Using source: '{Directory}'");
// get list of files
WriteVerbose("Obtaining list of files...");
var fileList = System.IO.Directory.EnumerateFiles(Directory, "*", SearchOption.AllDirectories);
WriteVerbose($"Obtained {fileList.Count()} files");
// apply -Exclude regular expression
if (!String.IsNullOrEmpty(Exclude))
{
WriteVerbose("Filtering list of files...");
Regex excludeRegEx = new Regex(Exclude);
fileList = fileList.Where(file => !excludeRegEx.IsMatch(file));
WriteVerbose($"Filtered to {fileList.Count()} files");
}
Parallel.ForEach(fileList, file =>
{
var blobPath = file.Substring(Directory.Length).TrimStart(Path.DirectorySeparatorChar);
BlobClient blobClient = containerClient.GetBlobClient(blobPath);
blobClient.Upload(file, Force);
});
WriteVerbose("Upload completed");
}
private void ProcessSingle()
{
WriteVerbose("Starting to process a single blob");
// Connection
var cred = new ManagedIdentityCredential(Identity);
var blobClient = new BlobClient(new Uri(Blob), cred);
if (String.IsNullOrEmpty(Content))
{
// Fix path
File ??= Blob.Split('/').Last();
File = Path.GetFullPath(File, SessionState.Path.CurrentLocation.Path);
WriteVerbose($"Using source: '{File}'");
}
else
{
// create temporary file and fill content
File = Path.GetTempFileName();
System.IO.File.WriteAllText(File, Content);
WriteVerbose($"Using temporary file: '{File}'");
}
// Download
blobClient.Upload(File, Force);
WriteVerbose("Upload completed");
if (!String.IsNullOrEmpty(Content))
{
System.IO.File.Delete(File);
WriteVerbose($"Deleted temporary file: '{File}'");
}
}
public async void Run([EventGridTrigger] EventGridEvent eventGridEvent, ILogger log)
{
// After this is deployed, you need to turn the Managed Identity Status to "On",
// Grab Object Id of the function and assigned "Azure Digital Twins Owner (Preview)" role to this function identity
// in order for this function to be authorized on ADT APIs.
log.LogInformation(eventGridEvent.Data.ToString());
try
{
// Authenticate on ADT APIs
var cred = new ManagedIdentityCredential(adtAppId);
var client = new DigitalTwinsClient(new Uri(adtInstanceUrl), cred, new DigitalTwinsClientOptions {
Transport = new HttpClientTransport(httpClient)
});
log.LogInformation($"ADT service client connection created.");
if (client != null)
{
if (eventGridEvent != null && eventGridEvent.Data != null)
{
#region Open this region for message format information
// Telemetry message format
//{
// "properties": { },
// "systemProperties":
// {
// "iothub-connection-device-id": "thermostat1",
// "iothub-connection-auth-method": "{\"scope\":\"device\",\"type\":\"sas\",\"issuer\":\"iothub\",\"acceptingIpFilterRule\":null}",
// "iothub-connection-auth-generation-id": "637199981642612179",
// "iothub-enqueuedtime": "2020-03-18T18:35:08.269Z",
// "iothub-message-source": "Telemetry"
// },
// "body": "eyJUZW1wZXJhdHVyZSI6NzAuOTI3MjM0MDg3MTA1NDg5fQ=="
//}
#endregion
// Reading deviceId from message headers
log.LogInformation(eventGridEvent.Data.ToString());
JObject job = (JObject)JsonConvert.DeserializeObject(eventGridEvent.Data.ToString());
string deviceId = (string)job["systemProperties"]["iothub-connection-device-id"];
log.LogInformation($"Found device: {deviceId}");
// Extracting temperature from device telemetry
byte[] body = Convert.FromBase64String(job["body"].ToString());
var value = Encoding.ASCII.GetString(body);
var bodyProperty = (JObject)JsonConvert.DeserializeObject(value);
JToken temperature = bodyProperty["Temperature"];
log.LogInformation($"Device Temperature is ({temperature.Type}): {temperature}");
// Update device Temperature property
await AdtUtilities.UpdateTwinPropertyAsync(client, deviceId, "/Temperature", temperature.Value <float>(), log);
}
}
}
catch (Exception e)
{
log.LogError($"Error: {e.Message}");
}
}
public static async Task Run(
[EventHubTrigger("deviceevents", Connection = "EVENTHUB_CONNECTIONSTRING")] EventData[] events, ILogger log)
{
// After this is deployed, you need to turn the Managed Identity Status to "On",
// Grab Object Id of the function and assigned "Azure Digital Twins Owner (Preview)" role
// to this function identity in order for this function to be authorized on ADT APIs.
if (adtInstanceUrl == null)
{
log.LogError("Application setting \"ADT_SERVICE_URL\" not set");
}
var exceptions = new List <Exception>();
foreach (EventData eventData in events)
{
try
{
// Get message body
string messageBody = Encoding.UTF8.GetString(eventData.Body.Array, eventData.Body.Offset, eventData.Body.Count);
// Create Digital Twin client
var cred = new ManagedIdentityCredential("https://digitaltwins.azure.net");
var client = new DigitalTwinsClient(new Uri(adtInstanceUrl), cred, new DigitalTwinsClientOptions {
Transport = new HttpClientTransport(httpClient)
});
// Reading Device ID from message headers
JObject jbody = (JObject)JsonConvert.DeserializeObject(messageBody);
string deviceId = eventData.SystemProperties["iothub-connection-device-id"].ToString();
string dtId = deviceId; // simple mapping
// Extracting temperature from device telemetry
double temperature = Convert.ToDouble(jbody["Temperature"].ToString());
// Update device Temperature property
UpdateOperationsUtility uou = new UpdateOperationsUtility();
uou.AppendAddOp("/Temperature", temperature);
await client.UpdateDigitalTwinAsync(dtId, uou.Serialize());
log.LogInformation($"Updated Temperature of device Twin '{dtId}' to: {temperature}");
}
catch (Exception e)
{
// We need to keep processing the rest of the batch - capture this exception and continue.
exceptions.Add(e);
}
}
if (exceptions.Count > 1)
{
throw new AggregateException(exceptions);
}
if (exceptions.Count == 1)
{
throw exceptions.Single();
}
}
public static async Task Run([EventGridTrigger] EventGridEvent eventGridEvent, ILogger log)
{
// After this is deployed, you need to turn the Identity Status "On",
// Grab Object Id of the function and assigned "Azure Digital Twins Owner (Preview)" role to this function identity
// in order for this function to be authorize on ADT APIs.
DigitalTwinsClient client;
try
{
ManagedIdentityCredential cred = new ManagedIdentityCredential(adtAppId);
client = new DigitalTwinsClient(new Uri(adtInstanceUrl), cred, new DigitalTwinsClientOptions {
Transport = new HttpClientTransport(httpClient)
});
}
catch (Exception e)
{
log.LogError($"ADT service client connection failed. {e}");
return;
}
if (client != null)
{
try
{
if (eventGridEvent != null && eventGridEvent.Data != null)
{
string twinId = eventGridEvent.Subject.ToString();
JObject message = (JObject)JsonConvert.DeserializeObject(eventGridEvent.Data.ToString());
//log.LogInformation($"Reading event from {twinId}: {eventGridEvent.EventType}: {message["data"]}");
//Find and update parent Twin
string parentId = await AdtUtilities.FindParentAsync(client, twinId, "contains", log);
if (parentId != null)
{
// Read properties which values have been changed in each operation
foreach (var operation in message["data"]["patch"])
{
string opValue = (string)operation["op"];
if (opValue.Equals("replace"))
{
string propertyPath = ((string)operation["path"]);
if (propertyPath.Equals("/Temperature") || (propertyPath.Equals("/HumidityLevel")))
{
await AdtUtilities.UpdateTwinPropertyAsync(client, parentId, propertyPath, operation["value"].Value <float>(), log);
}
}
}
}
}
}
catch (Exception e)
{
log.LogError(e.ToString());
}
}
}
