To run the examples in this article, create an Azure AD application and service principal that can access resources. You can add a role assignment at the subscription scope and obtain the required Azure AD Directory (tenant) ID, Application ID, and Application Secret.
The following code snippet shows how to use the Microsoft Authentication Library (MSAL) to acquire an Azure AD application token for accessing your cluster. For this flow to succeed, the application must be registered with Azure AD, and you must have credentials for application authentication, such as an Azure AD-issued application key or an X.509v2 certificate registered with Azure AD.
Configure customer-managed keys
By default, Azure Data Explorer encryption uses Microsoft-managed keys. Configure your Azure Data Explorer cluster to use customer-managed keys and specify the key to associate with the cluster.
Update your cluster by using the following code:
```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Azure.Management.Kusto;
using Microsoft.Azure.Management.Kusto.Models;
using Microsoft.Identity.Client;
using Microsoft.Rest;

var tenantId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx"; // Azure AD Directory (tenant) ID
var clientId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx"; // Application ID
var clientSecret = "PlaceholderClientSecret"; // Application secret
var subscriptionId = "xxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx";

// Create a confidential authentication client for Azure AD:
var authClient = ConfidentialClientApplicationBuilder.Create(clientId)
    .WithAuthority($"https://login.microsoftonline.com/{tenantId}")
    .WithClientSecret(clientSecret) // can be replaced by .WithCertificate to authenticate with an X.509 certificate
    .Build();

// Acquire application token (awaited rather than blocking on .Result, which can deadlock in UI/ASP.NET contexts)
var result = await authClient.AcquireTokenForClient(
    new[] { "https://management.core.windows.net/.default" } // Define scopes for accessing Azure management plane
).ExecuteAsync();

var credentials = new TokenCredentials(result.AccessToken, result.TokenType);
var kustoManagementClient = new KustoManagementClient(credentials) { SubscriptionId = subscriptionId };
var resourceGroupName = "testrg";
var clusterName = "mykustocluster";

// Patch only the key vault properties; other cluster settings are left unchanged.
var clusterPatch = new ClusterUpdate(
    keyVaultProperties: new KeyVaultProperties(
        keyName: "<keyName>",
        keyVersion: "<keyVersion>", // Optional, leave as NULL for the latest version of the key.
        keyVaultUri: "https://<keyVaultName>.vault.azure.net/",
        userIdentity: "/subscriptions/<identitySubscriptionId>/resourcegroups/<identityResourceGroupName>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identityName>" // Use NULL if you want to use system assigned identity.
    )
);
await kustoManagementClient.Clusters.UpdateAsync(resourceGroupName, clusterName, clusterPatch);
```
Run the following command to check that your cluster was successfully updated:
```csharp
var clusterData = await kustoManagementClient.Clusters.GetAsync(resourceGroupName, clusterName);
```
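Fetching the cluster only proves the call succeeded; it does not prove the key settings you requested are the ones now in effect. The following helper is an added example (not part of the original article or the Azure SDK) that compares the cluster's reported key vault settings against the `KeyVaultProperties` you sent in the patch. It assumes the `Cluster` model from Microsoft.Azure.Management.Kusto exposes `KeyVaultProperties` and a `ProvisioningState` string, and that `kustoManagementClient`, `resourceGroupName`, `clusterName` and `clusterPatch` come from the snippet above; the `CmkVerifier` class name and the `"Succeeded"` comparison value are assumptions.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Azure.Management.Kusto;
using Microsoft.Azure.Management.Kusto.Models;

// Added example: verify that a customer-managed key patch actually took effect.
public static class CmkVerifier
{
    // Normalise URIs so "https://kv.vault.azure.net" and "https://kv.vault.azure.net/" compare equal.
    private static string NormalizeUri(string uri) =>
        string.IsNullOrEmpty(uri) ? string.Empty : uri.TrimEnd('/').ToLowerInvariant();

    // Returns true only when the cluster reports the expected key vault, key name,
    // key version (when one was requested) and identity, and provisioning has finished.
    public static async Task<bool> VerifyAsync(
        KustoManagementClient client,
        string resourceGroupName,
        string clusterName,
        KeyVaultProperties expected)
    {
        var cluster = await client.Clusters.GetAsync(resourceGroupName, clusterName);
        var actual = cluster.KeyVaultProperties;

        if (actual == null)
        {
            Console.WriteLine("Cluster has no KeyVaultProperties: still using Microsoft-managed keys.");
            return false;
        }

        // Assumed value: the SDK reports "Succeeded" once the update has been applied.
        if (!string.Equals(cluster.ProvisioningState, "Succeeded", StringComparison.OrdinalIgnoreCase))
        {
            Console.WriteLine($"Provisioning state is '{cluster.ProvisioningState}', not Succeeded yet.");
            return false;
        }

        var mismatches = 0;
        if (NormalizeUri(actual.KeyVaultUri) != NormalizeUri(expected.KeyVaultUri))
        {
            Console.WriteLine($"KeyVaultUri mismatch: expected {expected.KeyVaultUri}, got {actual.KeyVaultUri}");
            mismatches++;
        }
        if (!string.Equals(actual.KeyName, expected.KeyName, StringComparison.OrdinalIgnoreCase))
        {
            Console.WriteLine($"KeyName mismatch: expected {expected.KeyName}, got {actual.KeyName}");
            mismatches++;
        }
        // A null expected version means "latest", so only compare when a version was pinned.
        if (expected.KeyVersion != null &&
            !string.Equals(actual.KeyVersion, expected.KeyVersion, StringComparison.OrdinalIgnoreCase))
        {
            Console.WriteLine($"KeyVersion mismatch: expected {expected.KeyVersion}, got {actual.KeyVersion}");
            mismatches++;
        }
        // A null expected identity means system-assigned identity was requested.
        if (!string.Equals(actual.UserIdentity ?? string.Empty, expected.UserIdentity ?? string.Empty,
                           StringComparison.OrdinalIgnoreCase))
        {
            Console.WriteLine($"UserIdentity mismatch: expected {expected.UserIdentity ?? "<system-assigned>"}, got {actual.UserIdentity ?? "<system-assigned>"}");
            mismatches++;
        }

        return mismatches == 0;
    }
}

// Usage (after the UpdateAsync call in the snippet above):
// bool ok = await CmkVerifier.VerifyAsync(kustoManagementClient, resourceGroupName, clusterName, clusterPatch.KeyVaultProperties);
// if (!ok) throw new InvalidOperationException("Customer-managed key configuration was not applied as requested.");
```

Because the update is asynchronous on the service side, a single check immediately after `UpdateAsync` may still see an intermediate provisioning state; polling `VerifyAsync` until it returns true (or until a timeout) is the usual pattern.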