public static IServiceCollection AddKeyVault(this IServiceCollection services, IConfiguration configuration)
{
var aadSettings = configuration.GetConfiguredSettings <AadSettings>();
var vaultSettings = configuration.GetConfiguredSettings <VaultSettings>();
IKeyVaultClient kvClient;
if (vaultSettings.AuthMode == VaultAuthMode.Msi)
{
var azureServiceTokenProvider = new AzureServiceTokenProvider();
kvClient = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(
azureServiceTokenProvider.KeyVaultTokenCallback));
}
else
{
var authBuilder = new AadTokenProvider(aadSettings);
Task <string> AuthCallback(string authority, string resource, string scope)
{
return(authBuilder.GetAccessTokenAsync(resource));
}
kvClient = new KeyVaultClient(AuthCallback);
}
services.AddSingleton(kvClient);
return(services);
}
/// <summary>
/// using pre-configured spn to access key vault, then retrieve sas/conn string for storage
/// </summary>
/// <returns></returns>
private bool TryCreateClientFromKeyVault()
{
_logger.LogInformation("trying to access hub from kv...");
try
{
var authBuilder = new AadTokenProvider(_aadSettings);
Task <string> AuthCallback(string authority, string resource, string scope)
{
return(authBuilder.GetAccessTokenAsync(resource));
}
var kvClient = new KeyVaultClient(AuthCallback);
var connStrSecret = kvClient
.GetSecretAsync(_vaultSettings.VaultUrl, _hubSettings.ConnectionStringSecretName).Result;
Consumer = new EventHubConsumerClient(_consumerGroupName, connStrSecret.Value, _hubSettings.HubName);
var partitionKeys = Consumer.GetPartitionIdsAsync().GetAwaiter().GetResult();
_logger.LogInformation(
$"Succeed to access hub using conn str from kv, partition keys: {string.Join(",", partitionKeys)}");
return(true);
}
catch (Exception ex)
{
_logger.LogError(ex, "faield to access hub from kv...");
return(false);
}
}
/// <summary>
/// using pre-configured spn to access storage, secret must be provided for spn authentication
/// </summary>
/// <returns></returns>
private void TryCreateUsingSpn()
{
logger.LogInformation("trying to access blob using spn...");
try
{
var authBuilder = new AadTokenProvider(aadSettings);
Func <string, string> getSecretFromVault =
secretName => kvClient.GetSecretAsync(vaultSettings.VaultUrl, secretName).GetAwaiter().GetResult().Value;
Func <string, X509Certificate2> getCertFromVault =
secretName => kvClient.GetX509CertificateAsync(vaultSettings.VaultUrl, secretName).GetAwaiter().GetResult();
var clientCredential = authBuilder.GetClientCredential(getSecretFromVault, getCertFromVault);
BlobContainerClient containerClient;
if (clientCredential.secretCredential != null)
{
containerClient = new BlobContainerClient(
new Uri(blobSettings.ContainerEndpoint),
clientCredential.secretCredential);
CreateContainerClient = name =>
new BlobContainerClient(
new Uri($"https://{blobSettings.Account}.blob.core.windows.net/{name}"),
clientCredential.secretCredential);
BlobService = new BlobServiceClient(
new Uri($"https://{blobSettings.Account}.blob.core.windows.net/"),
clientCredential.secretCredential);
}
else
{
containerClient = new BlobContainerClient(
new Uri(blobSettings.ContainerEndpoint),
clientCredential.certCredential);
CreateContainerClient = name =>
new BlobContainerClient(
new Uri($"https://{blobSettings.Account}.blob.core.windows.net/{name}"),
clientCredential.certCredential);
BlobService = new BlobServiceClient(
new Uri($"https://{blobSettings.Account}.blob.core.windows.net/"),
clientCredential.certCredential);
}
TryRecreateTestBlob(containerClient);
logger.LogInformation("Succeed to access blob using msi");
ContainerClient = containerClient;
}
catch (Exception ex)
{
logger.LogWarning($"faield to access blob using spn.\nerror:{ex.Message}");
}
}
/// <summary>
/// using pre-configured spn to access storage, secret must be provided for spn authentication
/// </summary>
/// <returns></returns>
private void TryCreateClientUsingSpn()
{
logger.LogInformation("trying to access queue using spn...");
try
{
var authBuilder = new AadTokenProvider(aadSettings);
Func <string, string> getSecretFromVault =
secretName => kvClient.GetSecretAsync(vaultSettings.VaultUrl, secretName).GetAwaiter().GetResult().Value;
Func <string, X509Certificate2> getCertFromVault =
secretName => kvClient.GetX509CertificateAsync(vaultSettings.VaultUrl, secretName).GetAwaiter().GetResult();
var clientCredential = authBuilder.GetClientCredential(getSecretFromVault, getCertFromVault);
QueueServiceClient queueServiceClient;
if (clientCredential.secretCredential != null)
{
queueServiceClient = new QueueServiceClient(new Uri(queueSettings.AccountServiceUrl),
clientCredential.secretCredential);
}
else
{
queueServiceClient = new QueueServiceClient(new Uri(queueSettings.AccountServiceUrl),
clientCredential.certCredential);
}
VerifyQueueServiceClient(queueServiceClient, queueSettings.QueueName);
QueueClient = queueServiceClient.GetQueueClient(queueSettings.QueueName);
DeadLetterQueueClient = queueServiceClient.GetQueueClient(queueSettings.DeadLetterQueueName);
using var availableQueues = queueServiceClient.GetQueues().GetEnumerator();
while (availableQueues.MoveNext())
{
if (availableQueues.Current?.Name == queueSettings.QueueName)
{
logger.LogInformation("Succeed to access queue using spn");
return;
}
}
logger.LogInformation($"Unabe to find queue with name {queueSettings.QueueName}");
}
catch (Exception ex)
{
logger.LogWarning($"faield to access queue using spn. \nerror{ex.Message}");
}
}
/// <summary>
/// using pre-configured spn to access key vault, then retrieve sas/conn string for storage
/// </summary>
/// <returns></returns>
private bool TryCreateClientFromKeyVault()
{
logger.LogInformation("trying to access hub from kv...");
try
{
IKeyVaultClient kvClient;
if (string.IsNullOrEmpty(aadSettings.ClientCertFile) &&
string.IsNullOrEmpty(aadSettings.ClientSecretFile))
{
var azureServiceTokenProvider = new AzureServiceTokenProvider();
kvClient = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(
azureServiceTokenProvider.KeyVaultTokenCallback));
}
else
{
var authBuilder = new AadTokenProvider(aadSettings);
Task <string> AuthCallback(string authority, string resource, string scope)
{
return(authBuilder.GetAccessTokenAsync(resource));
}
kvClient = new KeyVaultClient(AuthCallback);
}
var connStrSecret = kvClient
.GetSecretAsync(vaultSettings.VaultUrl, hubSettings.ConnectionStringSecretName).Result;
Producer = new EventHubProducerClient(connStrSecret.Value, hubSettings.HubName);
var partitionKeys = Producer.GetPartitionIdsAsync().GetAwaiter().GetResult();
logger.LogInformation(
$"Succeed to access hub using conn str from kv, partition keys: {string.Join(",", partitionKeys)}");
return(true);
}
catch (Exception ex)
{
logger.LogError(ex, "faield to access hub from kv...");
return(false);
}
}
/// <summary>
/// using pre-configured spn to access storage, secret must be provided for spn authentication
/// </summary>
/// <returns></returns>
private bool TryCreateClientUsingSpn()
{
logger.LogInformation("trying to access hub using spn...");
try
{
var authBuilder = new AadTokenProvider(aadSettings);
var accessToken = authBuilder.GetAccessTokenAsync("https://storage.azure.com/").GetAwaiter()
.GetResult();
var tokenCredential =
new ClientSecretCredential(aadSettings.TenantId, aadSettings.ClientId, accessToken);
Producer = new EventHubProducerClient(hubSettings.Namespace, hubSettings.HubName, tokenCredential);
var partitionKeys = Producer.GetPartitionIdsAsync().GetAwaiter().GetResult();
logger.LogInformation(
$"Succeed to access hub using spn, partition keys: {string.Join(",", partitionKeys)}");
return(true);
}
catch (Exception ex)
{
logger.LogError(ex, "faield to access hub using spn...");
return(false);
}
}
public KustoClientFactory(IServiceProvider serviceProvider, KustoSettings kustoSettings = null)
{
var configuration = serviceProvider.GetRequiredService <IConfiguration>();
var aadSettings = configuration.GetConfiguredSettings <AadSettings>();
kustoSettings = kustoSettings ?? configuration.GetConfiguredSettings <KustoSettings>();
var vaultSettings = configuration.GetConfiguredSettings <VaultSettings>();
var kvClient = serviceProvider.GetRequiredService <IKeyVaultClient>();
Func <string, string> getSecretFromVault =
secretName => kvClient.GetSecretAsync(vaultSettings.VaultUrl, secretName).GetAwaiter().GetResult().Value;;
Func <string, X509Certificate2> getCertFromVault =
secretName => kvClient.GetX509CertificateAsync(vaultSettings.VaultUrl, secretName).GetAwaiter().GetResult();
var authBuilder = new AadTokenProvider(aadSettings);
var clientSecretCert = authBuilder.GetClientSecretOrCert(getSecretFromVault, getCertFromVault);
KustoConnectionStringBuilder kcsb;
if (clientSecretCert.secret != null)
{
kcsb = new KustoConnectionStringBuilder($"{kustoSettings.ClusterUrl}")
.WithAadApplicationKeyAuthentication(
aadSettings.ClientId,
clientSecretCert.secret,
aadSettings.Authority);
}
else
{
kcsb = new KustoConnectionStringBuilder($"{kustoSettings.ClusterUrl}")
.WithAadApplicationCertificateAuthentication(
aadSettings.ClientId,
clientSecretCert.cert,
aadSettings.Authority);
}
QueryQueryClient = global::Kusto.Data.Net.Client.KustoClientFactory.CreateCslQueryProvider(kcsb);
AdminClient = global::Kusto.Data.Net.Client.KustoClientFactory.CreateCslAdminProvider(kcsb);
IngestClient = KustoIngestFactory.CreateDirectIngestClient(kcsb);
}
