complete the authentication section
This commit is contained in:
Xiaolu Dai
Родитель
b9b07dfe4b
Коммит
6a0888ec93
|
|
@ -1,18 +1,64 @@
|
|||
== Authentication
|
||||
|
||||
=== Authenticate with Azure Active Directory
|
||||
=== DefaultAzureCredential
|
||||
|
||||
The `DefaultAzureCredential` is appropriate for most scenarios where the application is intended to ultimately be run in the Azure Cloud. This is because the DefaultAzureCredential combines credentials commonly used to authenticate when deployed, with credentials used to authenticate in a development environment.
|
||||
|
||||
====
|
||||
Note: DefaultAzureCredential is intended to simplify getting started with the SDK by handling common scenarios with reasonable default behaviors. Developers who want more control or whose scenario isn't served by the default settings should use other credential types.
|
||||
====
|
||||
|
||||
The `DefaultAzureCredential`` will attempt to authenticate via the following mechanisms in order.
|
||||
|
||||
image::https://raw.githubusercontent.com/Azure/azure-sdk-for-java/main/sdk/identity/azure-identity/images/defaultazurecredential.png[]
|
||||
|
||||
- Environment - The `DefaultAzureCredential` will read account information specified via environment variables and use it to authenticate.
|
||||
- Managed Identity - If the application is deployed to an Azure host with Managed Identity enabled, the `DefaultAzureCredential` will authenticate with that account.
|
||||
- IntelliJ - If the developer has authenticated via Azure Toolkit for IntelliJ, the `DefaultAzureCredential` will authenticate with that account.
|
||||
- Visual Studio Code - If the developer has authenticated via the Visual Studio Code Azure Account plugin, the `DefaultAzureCredential` will authenticate with that account.
|
||||
- Azure CLI - If the developer has authenticated an account via the Azure CLI az login command, the `DefaultAzureCredential` will authenticate with that account.
|
||||
|
||||
====
|
||||
*Warning*: There could be some `ERROR` logs be printed out while the `DefaultAzureCredential` running the chain and trying to find the first available credential. It doesn't mean the `DefaultAzureCredential` is broken or unavailable. Meanwhile, we'll keep improving this logging experience.
|
||||
====
|
||||
|
||||
|
||||
=== Managed Identity
|
||||
|
||||
We encourage using manged identity …
|
||||
A common challenge for developers is the management of secrets and credentials used to secure communication between different components making up a solution. Managed identities eliminate the need for developers to manage credentials. Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory (Azure AD) authentication. Applications may use the managed identity to obtain Azure AD tokens. For example, an application may use a managed identity to access resources like Azure Key Vault where developers can store credentials in a secure manner or to access storage accounts.
|
||||
|
||||
pattern
|
||||
We encourage using manged identity instead of using connection string or key in your application for it's more secure and will save the trouble of managing secrets and credentials. In this case, `DefaultAzureCredential` could better serve the scenario of developing locally using account information stored locally and deploying the application to Azure Cloud and using Manged Identity.
|
||||
|
||||
=== Other Credential Types
|
||||
|
||||
Developers who want more control or whose scenario isn't served by the `DefaultAzureCredential` or whose scenario isn't served by the default settings should use other credential types.
|
||||
|
||||
==== Authentication with Azure Active Directory
|
||||
For applications want to connect to resources that support Azure Active Directory (Azure AD) authentication, below confiugrations could be set with prefix `spring.cloud.azure.credential` or `spring.cloud.azure.<azure-service>.credential`
|
||||
|
||||
|===
|
||||
|Property Name |Description
|
||||
|
||||
|client-id |Client id to use when performing service principal authentication with Azure.
|
||||
|client-serect |Client secret to use when performing service principal authentication with Azure.
|
||||
|credential.client-certificate-path |Client secret to use when performing service principal authentication with Azure.
|
||||
|client-certificate-password |Password of the certificate file.
|
||||
|username |Username to use when performing username/password authentication with Azure.
|
||||
|password |Password to use when performing username/password authentication with Azure.
|
||||
|managed-identity-client-id|Client id to use when using managed identity to authenticate with Azure.
|
||||
|===
|
||||
|
||||
To see the list of all Spring Cloud Azure related configuration properties please check link:appendix.html[the Appendix page].
|
||||
|
||||
==== SAS Token
|
||||
It's also configurable for services support authenticating with Shared Access Signature (SAS). `spring.cloud.azure.<azure-servcie>.sas-token` is the propety to configure. For example, using `spring.cloud.azure.storage.blob.sas-token` to authenticate to Storage Blob service.
|
||||
|
||||
|
||||
==== Connection String
|
||||
|
||||
Connection string are supported by some Azure services to provide connection informantion as well as credentials. To connect to those Azure servcies using connection string, just configure `spring.cloud.azure.<azure-service>.connection-string` will do. For example, `spring.cloud.azure.eventhubs.connection-string` to connect to Event Hubs service.
|
||||
|
||||
=== default token credential chain
|
||||
|
||||
____
|
||||
|
||||
scary error logs
|
||||
|
||||
____
|
||||
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче