你当前正在访问 Microsoft Azure Global Edition 技术文档网站。 如果需要访问由世纪互联运营的 Microsoft Azure 中国技术文档网站,请访问 https://docs.azure.cn。
快速入门:使用 Azure SDK for .NET 创建 Azure 托管 CCF 资源
Azure 托管 CCF(托管 CCF)是一项用于部署机密应用程序的全新且高度安全的服务。 有关托管 CCF 的详细信息以及用例示例,请参阅关于 Azure 托管机密联盟框架。
本快速入门介绍如何使用 .NET 客户端管理库创建托管 CCF 资源。
如果没有 Azure 订阅,请在开始之前创建一个 Azure 免费帐户。
先决条件
- Azure 订阅 - 免费创建订阅。
- Azure SDK for .NET 支持的 .NET 版本。
- 在运行 Windows 或 Linux 的计算机上的 OpenSSL。
安装
创建新的 .NET 控制台应用
在命令外壳中,运行以下命令以创建名为
managedccf-app的项目:dotnet new console --name managedccf-app切换到新创建的 acl-app 目录,然后运行以下命令来生成项目:
dotnet build生成输出不应包含警告或错误。
Build succeeded. 0 Warning(s) 0 Error(s)
安装包
使用 NuGet 安装适用于 .NET 的 Azure 托管 CCF 客户端库:
dotnet add package Azure.ResourceManager.ConfidentialLedger --version 1.1.0-beta.2
对于本快速入门,还需要安装适用于 Azure Identity 的 Azure SDK 客户端库:
dotnet add package Azure.Identity
创建资源组
资源组是在其中部署和管理 Azure 资源的逻辑容器。 使用 Azure PowerShell New-AzResourceGroup cmdlet 在 southcentralus 位置创建一个名为 myResourceGroup 的资源组。
New-AzResourceGroup -Name "myResourceGroup" -Location "SouthCentralUS"
注册资源提供程序
创建资源之前,必须在订阅中注册 Azure 托管 CCF 资源类型。
az feature registration create --namespace Microsoft.ConfidentialLedger --name ManagedCCF
az provider register --namespace Microsoft.ConfidentialLedger
创建成员
为成员生成密钥对。 以下命令完成后,成员的公钥保存在 member0_cert.pem 中,私钥保存在 member0_privk.pem 中。
openssl ecparam -out "member0_privk.pem" -name "secp384r1" -genkey
openssl req -new -key "member0_privk.pem" -x509 -nodes -days 365 -out "member0_cert.pem" -"sha384" -subj=/CN="member0"
创建 .NET 应用程序
使用管理平面客户端库
Azure SDK for .NET 库 (azure/arm-confidentialledger) 允许对托管 CCF 资源进行操作,例如创建和删除、列出与订阅关联的资源以及查看特定资源的详细信息。 以下代码片段可创建并查看托管 CCF 资源的属性。
在 Program.cs 的顶部添加以下指令:
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.ConfidentialLedger;
using Azure.ResourceManager.ConfidentialLedger.Models;
using Azure.ResourceManager.Resources;
进行身份验证并创建客户端
本快速入门使用登录用户向 Azure 托管 CCF 进行身份验证,这是本地开发的首选方法。 此示例使用 Azure 标识库的“DefaultAzureCredential()”类,该类允许在具有不同选项的不同环境中使用相同代码提供标识。
// get your azure access token, for more details of how Azure SDK get your access token, please refer to https://video2.skills-academy.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
创建 Azure 资源管理器客户端并使用令牌凭据进行身份验证。
// authenticate your client
ArmClient client = new ArmClient(cred);
创建托管 CCF 资源
// this example assumes you already have this ResourceGroupResource created on azure
// for more information of creating ResourceGroupResource, please refer to the document of ResourceGroupResource
string subscriptionId = "0000000-0000-0000-0000-000000000001";
string resourceGroupName = "myResourceGroup";
ResourceIdentifier resourceGroupResourceId = ResourceGroupResource.CreateResourceIdentifier(subscriptionId, resourceGroupName);
ResourceGroupResource resourceGroupResource = client.GetResourceGroupResource(resourceGroupResourceId);
// get the collection of this ManagedCcfResource
ManagedCcfCollection collection = resourceGroupResource.GetManagedCcfs();
// invoke the operation
string appName = "confidentialbillingapp";
ManagedCcfData data = new ManagedCcfData(new AzureLocation("SouthCentralUS"))
{
Properties = new ManagedCcfProperties()
{
MemberIdentityCertificates =
{
new ConfidentialLedgerMemberIdentityCertificate()
{
Certificate = "-----BEGIN CERTIFICATE-----MIIBsjCCATigA...LjYAGDSGi7NJnSkA-----END CERTIFICATE-----",
Encryptionkey = "",
Tags = BinaryData.FromObjectAsJson(new Dictionary<string, object>()
{
["additionalProps1"] = "additional properties"
}),
}
},
DeploymentType = new ConfidentialLedgerDeploymentType()
{
LanguageRuntime = ConfidentialLedgerLanguageRuntime.JS,
AppSourceUri = new Uri(""),
},
NodeCount = 3,
},
Tags =
{
["additionalProps1"] = "additional properties",
},
};
ArmOperation<ManagedCcfResource> lro = await collection.CreateOrUpdateAsync(WaitUntil.Completed, appName, data);
ManagedCcfResource result = lro.Value;
// the variable result is a resource, you could call other operations on this instance as well
// but just for demo, we get its data from this resource instance
ManagedCcfData resourceData = result.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");
查看托管 CCF 资源的属性
以下代码片段检索托管 CCF 资源并输出其属性。
// this example assumes you already have this ResourceGroupResource created on azure
// for more information of creating ResourceGroupResource, please refer to the document of ResourceGroupResource
string subscriptionId = "0000000-0000-0000-0000-000000000001";
string resourceGroupName = "myResourceGroup";
ResourceIdentifier resourceGroupResourceId = ResourceGroupResource.CreateResourceIdentifier(subscriptionId, resourceGroupName);
ResourceGroupResource resourceGroupResource = client.GetResourceGroupResource(resourceGroupResourceId);
// get the collection of this ManagedCcfResource
ManagedCcfCollection collection = resourceGroupResource.GetManagedCcfs();
// invoke the operation
string appName = "confidentialbillingapp";
ManagedCcfResource result = await collection.GetAsync(appName);
// the variable result is a resource, you could call other operations on this instance as well
// but just for demo, we get its data from this resource instance
ManagedCcfData resourceData = result.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");
列出资源组中的托管 CCF 资源
以下代码片段检索资源组中的托管 CCF 资源。
// this example assumes you already have this ResourceGroupResource created on azure
// for more information of creating ResourceGroupResource, please refer to the document of ResourceGroupResource
string subscriptionId = "0000000-0000-0000-0000-000000000001";
string resourceGroupName = "myResourceGroup";
ResourceIdentifier resourceGroupResourceId = ResourceGroupResource.CreateResourceIdentifier(subscriptionId, resourceGroupName);
ResourceGroupResource resourceGroupResource = client.GetResourceGroupResource(resourceGroupResourceId);
// get the collection of this ManagedCcfResource
ManagedCcfCollection collection = resourceGroupResource.GetManagedCcfs();
// invoke the operation and iterate over the result
await foreach (ManagedCcfResource item in collection.GetAllAsync())
{
// the variable item is a resource, you could call other operations on this instance as well
// but just for demo, we get its data from this resource instance
ManagedCcfData resourceData = item.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");
}
Console.WriteLine($"Succeeded");
列出订阅中的托管 CCF 资源
以下代码片段检索订阅中的托管 CCF 资源。
// this example assumes you already have this SubscriptionResource created on azure
// for more information of creating SubscriptionResource, please refer to the document of SubscriptionResource
string subscriptionId = "0000000-0000-0000-0000-000000000001";
ResourceIdentifier subscriptionResourceId = SubscriptionResource.CreateResourceIdentifier(subscriptionId);
SubscriptionResource subscriptionResource = client.GetSubscriptionResource(subscriptionResourceId);
// invoke the operation and iterate over the result
await foreach (ManagedCcfResource item in subscriptionResource.GetManagedCcfsAsync())
{
// the variable item is a resource, you could call other operations on this instance as well
// but just for demo, we get its data from this resource instance
ManagedCcfData resourceData = item.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");
}
Console.WriteLine($"Succeeded");
清理资源
其他托管 CCF 文章可以根据本快速入门编写。 如果打算继续使用后续的快速入门和教程,则可能需要保留这些资源。
否则,当完成本文中创建的资源后,请使用 Azure CLI az group delete 命令删除资源组及其包含的所有资源。
az group delete --resource-group myResourceGroup
后续步骤
在本快速入门中,你使用 Azure Python SDK for Confidential Ledger 创建了托管 CCF 资源。 要详细了解 Azure 托管 CCF 以及如何将其与应用程序集成,请继续阅读以下文章: