Azure Managed CCF (Managed CCF) is a new and highly secure service for deploying confidential applications. For more information on Managed CCF, and for sample use cases, see About Azure Managed Confidential Consortium Framework.
In this quickstart, you learn how to create a Managed CCF resource by using the .NET client management library.
If you don't have an Azure account, create a free account before you begin.
API reference documentation | Library source code | Package (NuGet)
Prerequisites
- An Azure subscription - create one for free.
- A version of .NET supported by the Azure SDK for .NET.
- OpenSSL on a computer running Windows or Linux.
Setup
Create a new .NET console app
In a command shell, run the following command to create a project named managedccf-app:
dotnet new console --name managedccf-app
Change to the newly created managedccf-app directory, and run the following command to build the project:
dotnet build
The build output should contain no warnings or errors.
Build succeeded. 0 Warning(s) 0 Error(s)
Install the packages
Install the Azure Managed CCF client library for .NET with NuGet:
dotnet add package Azure.ResourceManager.ConfidentialLedger --version 1.1.0-beta.2
For this quickstart, you also need to install the Azure SDK client library for Azure Identity:
dotnet add package Azure.Identity
Create a resource group
A resource group is a logical container into which Azure resources are deployed and managed. Use the Azure PowerShell New-AzResourceGroup cmdlet to create a resource group named myResourceGroup in the SouthCentralUS location.
New-AzResourceGroup -Name "myResourceGroup" -Location "SouthCentralUS"
Register the resource provider
The Azure Managed CCF resource type must be registered in the subscription before a resource can be created. The first command opts the subscription into the ManagedCCF feature; the second registers the Microsoft.ConfidentialLedger resource provider.
az feature registration create --namespace Microsoft.ConfidentialLedger --name ManagedCCF
az provider register --namespace Microsoft.ConfidentialLedger
Create members
Generate a key pair for the member. After the following commands complete, the member's self-signed certificate, which carries the public key, is saved in member0_cert.pem and the private key is saved in member0_privk.pem. Only the certificate is submitted to Azure; the private key is the member's governance signing key and must be kept out of the ARM request and out of source control.
openssl ecparam -out "member0_privk.pem" -name "secp384r1" -genkey
openssl req -new -key "member0_privk.pem" -x509 -nodes -days 365 -out "member0_cert.pem" -sha384 -subj "/CN=member0"
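Before the certificate is pasted into the ARM request, it is worth checking that the two openssl commands produced what the quickstart expects and that the key and certificate files actually belong together. The following helper is an added example, not code from the Microsoft quickstart or the SDK; it assumes .NET 7 or later (for X509Certificate2.CreateFromPemFile and ExportCertificatePem) and the file names member0_cert.pem and member0_privk.pem used above.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the Microsoft quickstart). Validates the member key pair
// generated by the openssl commands above and returns the PEM text to submit to Azure.
// Assumes .NET 7 or later and the file names used in this quickstart.
public static class MemberCertificate
{
    // OIDs for the NIST P-384 curve (secp384r1) and the ecdsa-with-SHA384 signature algorithm.
    private const string P384CurveOid = "1.3.132.0.34";
    private const string EcdsaWithSha384Oid = "1.2.840.10045.4.3.3";

    public static string LoadAndValidate(string certPath, string keyPath)
    {
        // CreateFromPemFile throws if the private key does not belong to the certificate,
        // which catches the common mistake of pairing a key with the wrong certificate file.
        using X509Certificate2 cert = X509Certificate2.CreateFromPemFile(certPath, keyPath);

        using ECDsa ecdsa = cert.GetECDsaPublicKey()
            ?? throw new InvalidOperationException("Member certificate does not carry an EC public key.");

        if (ecdsa.KeySize != 384)
            throw new InvalidOperationException($"Expected a 384-bit EC key, got {ecdsa.KeySize} bits.");

        ECParameters p = ecdsa.ExportParameters(includePrivateParameters: false);
        if (!p.Curve.IsNamed || p.Curve.Oid.Value != P384CurveOid)
            throw new InvalidOperationException("Expected the secp384r1 (nistP384) curve.");

        if (cert.SignatureAlgorithm.Value != EcdsaWithSha384Oid)
            throw new InvalidOperationException(
                $"Expected ecdsa-with-SHA384, got {cert.SignatureAlgorithm.FriendlyName}.");

        // The quickstart generates a self-signed certificate; subject and issuer must match.
        if (cert.Subject != cert.Issuer)
            throw new InvalidOperationException("Member certificate is expected to be self-signed.");

        DateTime now = DateTime.UtcNow;
        if (now < cert.NotBefore.ToUniversalTime() || now > cert.NotAfter.ToUniversalTime())
            throw new InvalidOperationException("Member certificate is outside its validity period.");

        Console.WriteLine($"Member {cert.Subject}, SHA-256 fingerprint " +
            $"{cert.GetCertHashString(HashAlgorithmName.SHA256)}, valid until {cert.NotAfter:u}");

        // Only the certificate is sent to Azure. The private key stays in member0_privk.pem;
        // it is the member's governance signing key and must never be placed in the ARM request.
        return cert.ExportCertificatePem();
    }
}

// Usage from the top-level statements in Program.cs (put the class in its own file,
// or below the top-level statements):
// string memberCertPem = MemberCertificate.LoadAndValidate("member0_cert.pem", "member0_privk.pem");
```

The returned string is the standard PEM encoding of the certificate, which is what the Certificate property of ConfidentialLedgerMemberIdentityCertificate carries; the inline string shown later in this quickstart is the same PEM text, abbreviated. Record the printed fingerprint: it is the value to compare against the member list of the deployed resource.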
Create the .NET application
Use the management plane client library
The Azure SDK for .NET (Azure.ResourceManager.ConfidentialLedger) allows operations on Managed CCF resources, such as creation and deletion, listing the resources associated with a subscription, and viewing the details of a specific resource. The following code snippets create a Managed CCF resource and view its properties.
Add the following directives to the top of Program.cs:
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.ConfidentialLedger;
using Azure.ResourceManager.ConfidentialLedger.Models;
using Azure.ResourceManager.Resources;
Authenticate and create a client
In this quickstart, the logged-in user is used to authenticate to Azure Managed CCF, which is the preferred method for local development. This example uses the DefaultAzureCredential class from the Azure Identity library, which lets the same code run in different environments with different ways of supplying an identity. DefaultAzureCredential probes a chain of credential sources in turn (environment variables, workload or managed identity, then developer tools such as Visual Studio, the Azure CLI and Azure PowerShell); in production code, prefer a single explicit credential such as ManagedIdentityCredential, or exclude the sources you do not intend to use through DefaultAzureCredentialOptions, so that a developer's cached login cannot silently become the identity that creates or deletes Managed CCF resources.
// get your Azure access token; for details on how the Azure SDK acquires it, see https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
Create an Azure Resource Manager client and authenticate it with the token credential.
// authenticate your client
ArmClient client = new ArmClient(cred);
Create a Managed CCF resource
// this example assumes the resource group (myResourceGroup, created above) already exists in Azure;
// for more information on creating a ResourceGroupResource, see the ResourceGroupResource documentation
string subscriptionId = "0000000-0000-0000-0000-000000000001";
string resourceGroupName = "myResourceGroup";
ResourceIdentifier resourceGroupResourceId = ResourceGroupResource.CreateResourceIdentifier(subscriptionId, resourceGroupName);
ResourceGroupResource resourceGroupResource = client.GetResourceGroupResource(resourceGroupResourceId);
// get the collection of this ManagedCcfResource
ManagedCcfCollection collection = resourceGroupResource.GetManagedCcfs();
// invoke the operation
string appName = "confidentialbillingapp";
ManagedCcfData data = new ManagedCcfData(new AzureLocation("SouthCentralUS"))
{
Properties = new ManagedCcfProperties()
{
MemberIdentityCertificates =
{
new ConfidentialLedgerMemberIdentityCertificate()
{
Certificate = "-----BEGIN CERTIFICATE-----MIIBsjCCATigA...LjYAGDSGi7NJnSkA-----END CERTIFICATE-----",
Encryptionkey = "",
Tags = BinaryData.FromObjectAsJson(new Dictionary<string, object>()
{
["additionalProps1"] = "additional properties"
}),
}
},
DeploymentType = new ConfidentialLedgerDeploymentType()
{
LanguageRuntime = ConfidentialLedgerLanguageRuntime.JS,
// AppSourceUri is left unset here: new Uri("") throws UriFormatException at run time.
// Set it to the URI of your application bundle when you deploy one (the property is assumed to be optional).
},
NodeCount = 3,
},
Tags =
{
["additionalProps1"] = "additional properties",
},
};
ArmOperation<ManagedCcfResource> lro = await collection.CreateOrUpdateAsync(WaitUntil.Completed, appName, data);
ManagedCcfResource result = lro.Value;
// the variable result is a resource; you could call other operations on this instance as well,
// but for this demo we only read its data
ManagedCcfData resourceData = result.Data;
// for the demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");
View the properties of a Managed CCF resource
The following code snippet retrieves the Managed CCF resource and prints its properties.
// this example assumes the resource group (myResourceGroup, created above) already exists in Azure;
// for more information on creating a ResourceGroupResource, see the ResourceGroupResource documentation
string subscriptionId = "0000000-0000-0000-0000-000000000001";
string resourceGroupName = "myResourceGroup";
ResourceIdentifier resourceGroupResourceId = ResourceGroupResource.CreateResourceIdentifier(subscriptionId, resourceGroupName);
ResourceGroupResource resourceGroupResource = client.GetResourceGroupResource(resourceGroupResourceId);
// get the collection of this ManagedCcfResource
ManagedCcfCollection collection = resourceGroupResource.GetManagedCcfs();
// invoke the operation
string appName = "confidentialbillingapp";
ManagedCcfResource result = await collection.GetAsync(appName);
// the variable result is a resource; you could call other operations on this instance as well,
// but for this demo we only read its data
ManagedCcfData resourceData = result.Data;
// for the demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");
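Printing the resource ID confirms that the GET succeeded, but not that the network you deployed is the one you meant to deploy. The following helper is an added example, not code from the Microsoft quickstart; it fetches the resource and checks the properties that matter for trust: provisioning finished, the node count that was requested, and exactly one registered member whose certificate matches the local member0_cert.pem. It assumes the names used in this quickstart, and the property names ProvisioningState, NodeCount, MemberIdentityCertificates, AppUri and IdentityServiceUri on ManagedCcfProperties as shipped in Azure.ResourceManager.ConfidentialLedger 1.1.0-beta.2; confirm them against the API reference linked at the top of this page.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Azure.Core;
using Azure.ResourceManager;
using Azure.ResourceManager.ConfidentialLedger;
using Azure.ResourceManager.ConfidentialLedger.Models;
using Azure.ResourceManager.Resources;

// Added example (not from the Microsoft quickstart). Fetches a Managed CCF resource and checks
// that the deployed state matches what was requested. Property names are assumed to follow
// Azure.ResourceManager.ConfidentialLedger 1.1.0-beta.2; verify them against the API reference.
public static class ManagedCcfAudit
{
    public static async Task<bool> VerifyAsync(
        ArmClient client, string subscriptionId, string resourceGroupName,
        string appName, string localCertPath, int expectedNodeCount)
    {
        ResourceIdentifier rgId =
            ResourceGroupResource.CreateResourceIdentifier(subscriptionId, resourceGroupName);
        ManagedCcfResource ccf =
            await client.GetResourceGroupResource(rgId).GetManagedCcfs().GetAsync(appName);
        ManagedCcfProperties props = ccf.Data.Properties;
        bool ok = true;

        // 1. An in-progress or failed deployment has no usable endpoints.
        if (props.ProvisioningState != ConfidentialLedgerProvisioningState.Succeeded)
        {
            Console.WriteLine($"Provisioning state is {props.ProvisioningState}, expected Succeeded.");
            ok = false;
        }

        // 2. The node count determines the consensus quorum; it should be what was requested.
        if (props.NodeCount != expectedNodeCount)
        {
            Console.WriteLine($"Node count is {props.NodeCount}, expected {expectedNodeCount}.");
            ok = false;
        }

        // 3. Members hold governance authority over the network. Compare the registered
        //    certificates against the local file so that an unexpected member cannot go unnoticed.
        using X509Certificate2 local = X509Certificate2.CreateFromPem(File.ReadAllText(localCertPath));
        string expectedFingerprint = local.GetCertHashString(HashAlgorithmName.SHA256);
        var registered = props.MemberIdentityCertificates
            .Select(m =>
            {
                using X509Certificate2 c = X509Certificate2.CreateFromPem(m.Certificate);
                return c.GetCertHashString(HashAlgorithmName.SHA256);
            })
            .ToList();
        if (registered.Count != 1 || registered[0] != expectedFingerprint)
        {
            Console.WriteLine(
                $"Registered members: [{string.Join(", ", registered)}], expected only {expectedFingerprint}.");
            ok = false;
        }

        // 4. Endpoints clients will need: the application URI, and the identity service from
        //    which clients fetch the network's service certificate to pin their TLS connection.
        Console.WriteLine($"App URI:              {props.AppUri}");
        Console.WriteLine($"Identity service URI: {props.IdentityServiceUri}");
        return ok;
    }
}

// Usage from the top-level statements in Program.cs, after the ArmClient has been created:
// bool healthy = await ManagedCcfAudit.VerifyAsync(client, subscriptionId, "myResourceGroup",
//     "confidentialbillingapp", "member0_cert.pem", expectedNodeCount: 3);
```

Run this once after CreateOrUpdateAsync returns and again from any pipeline that manages the resource; a member list that differs from the one you generated is the signal to investigate before submitting governance proposals.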
List the Managed CCF resources in a resource group
The following code snippet retrieves the Managed CCF resources in a resource group.
// this example assumes the resource group (myResourceGroup, created above) already exists in Azure;
// for more information on creating a ResourceGroupResource, see the ResourceGroupResource documentation
string subscriptionId = "0000000-0000-0000-0000-000000000001";
string resourceGroupName = "myResourceGroup";
ResourceIdentifier resourceGroupResourceId = ResourceGroupResource.CreateResourceIdentifier(subscriptionId, resourceGroupName);
ResourceGroupResource resourceGroupResource = client.GetResourceGroupResource(resourceGroupResourceId);
// get the collection of this ManagedCcfResource
ManagedCcfCollection collection = resourceGroupResource.GetManagedCcfs();
// invoke the operation and iterate over the result
await foreach (ManagedCcfResource item in collection.GetAllAsync())
{
// the variable item is a resource; you could call other operations on this instance as well,
// but for this demo we only read its data
ManagedCcfData resourceData = item.Data;
// for the demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");
}
Console.WriteLine("Succeeded");
List the Managed CCF resources in a subscription
The following code snippet retrieves the Managed CCF resources in a subscription.
// this example assumes the subscription already exists in Azure;
// for more information on obtaining a SubscriptionResource, see the SubscriptionResource documentation
string subscriptionId = "0000000-0000-0000-0000-000000000001";
ResourceIdentifier subscriptionResourceId = SubscriptionResource.CreateResourceIdentifier(subscriptionId);
SubscriptionResource subscriptionResource = client.GetSubscriptionResource(subscriptionResourceId);
// invoke the operation and iterate over the result
await foreach (ManagedCcfResource item in subscriptionResource.GetManagedCcfsAsync())
{
// the variable item is a resource; you could call other operations on this instance as well,
// but for this demo we only read its data
ManagedCcfData resourceData = item.Data;
// for the demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");
}
Console.WriteLine("Succeeded");
Clean up resources
Other Managed CCF articles build on this quickstart. If you plan to continue on to work with subsequent quickstarts and tutorials, you may wish to leave these resources in place.
Otherwise, when you're finished with the resources created in this article, use the Azure CLI az group delete command to delete the resource group and all of the resources it contains. Deletion is not reversible.
az group delete --resource-group myResourceGroup
Next steps
In this quickstart, you created a Managed CCF resource by using the Azure .NET SDK for Confidential Ledger (Azure.ResourceManager.ConfidentialLedger). To learn more about Azure Managed CCF and how to integrate it with your applications, continue on to the following articles: