快速入門:使用 Azure SDK for .NET 建立 Azure 受控 CCF 資源
Azure 受控 CCF (受控 CCF) 是部署機密應用程式新型且高度安全的服務。 如需受控 CCF 的詳細資訊,以及範例使用案例,請參閱關於 Azure 受控機密聯盟架構。
在本快速入門中,您將了解如何使用 .NET 用戶端管理程式庫來建立受控 CCF 資源。
如果您沒有 Azure 訂用帳戶,請在開始之前先建立 Azure 免費帳戶。
API 參考文件 | 程式庫原始程式碼 | 套件 (NuGet)
必要條件
- Azure 訂用帳戶 - 建立免費帳戶。
- Azure SDK for .NET 支援的 .NET 版本。
- 在執行 Windows 或 Linux 的電腦上具有 OpenSSL。
設定
建立新的 .NET 主控台應用程式
在命令殼層中,執行下列命令以建立名為
managedccf-app的專案:dotnet new console --name managedccf-app變更為新建立的 managedccf-app 目錄,然後執行下列命令來建置專案:
dotnet build建置輸出應該不會有警告或錯誤。
Build succeeded. 0 Warning(s) 0 Error(s)
Install the package
使用 NuGet 安裝適用於 .NET 的 Azure 受控 CCF 用戶端程式庫:
dotnet add package Azure.ResourceManager.ConfidentialLedger --version 1.1.0-beta.2
針對本快速入門,您也需要安裝適用於 Azure 身分識別的 Azure SDK 用戶端程式庫:
dotnet add package Azure.Identity
建立資源群組
資源群組是在其中部署與管理 Azure 資源的邏輯容器。 使用 Azure PowerShell New-AzResourceGroup Cmdlet,在 southcentralus 位置中建立名為 myResourceGroup 的資源群組。
New-AzResourceGroup -Name "myResourceGroup" -Location "SouthCentralUS"
註冊資源提供者
在建立資源之前,必須先在訂用帳戶中註冊 Azure 受控 CCF 資源類型。
az feature registration create --namespace Microsoft.ConfidentialLedger --name ManagedCCF
az provider register --namespace Microsoft.ConfidentialLedger
建立成員
產生成員的金鑰組。 在下列命令完成之後,成員的公開金鑰會儲存在 member0_cert.pem 中,而私密金鑰則儲存在 member0_privk.pem 中。
openssl ecparam -out "member0_privk.pem" -name "secp384r1" -genkey
openssl req -new -key "member0_privk.pem" -x509 -nodes -days 365 -out "member0_cert.pem" -"sha384" -subj=/CN="member0"
建立 .NET 應用程式
使用管理平面用戶端程式庫
Azure SDK for .NET (azure/arm-confidentialledger) 允許管理 CCF 資源的作業,例如建立及刪除、列出與訂用帳戶相關聯的資源,以及檢視特定資源的詳細資料。 下列程式碼片段會建立及檢視受控 CCF 資源的屬性。
將下列指示詞新增至 Program.cs 的上方:
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.ConfidentialLedger;
using Azure.ResourceManager.ConfidentialLedger.Models;
using Azure.ResourceManager.Resources;
驗證並建立用戶端
在本快速入門中,已登入的使用者是用來向 Azure 受控 CCF 進行驗證,這是本機開發的慣用方法。 這個範例使用來自 Azure 身分識別程式庫的 'DefaultAzureCredential()' 類別,允許在各種不同的環境中使用相同的程式碼,搭配不同的選項來提供身分識別。
// get your azure access token, for more details of how Azure SDK get your access token, please refer to https://video2.skills-academy.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
建立 Azure Resource Manager 用戶端,並使用權杖認證進行驗證。
// authenticate your client
ArmClient client = new ArmClient(cred);
建立受控 CCF 資源
// this example assumes you already have this ResourceGroupResource created on azure
// for more information of creating ResourceGroupResource, please refer to the document of ResourceGroupResource
string subscriptionId = "0000000-0000-0000-0000-000000000001";
string resourceGroupName = "myResourceGroup";
ResourceIdentifier resourceGroupResourceId = ResourceGroupResource.CreateResourceIdentifier(subscriptionId, resourceGroupName);
ResourceGroupResource resourceGroupResource = client.GetResourceGroupResource(resourceGroupResourceId);
// get the collection of this ManagedCcfResource
ManagedCcfCollection collection = resourceGroupResource.GetManagedCcfs();
// invoke the operation
string appName = "confidentialbillingapp";
ManagedCcfData data = new ManagedCcfData(new AzureLocation("SouthCentralUS"))
{
Properties = new ManagedCcfProperties()
{
MemberIdentityCertificates =
{
new ConfidentialLedgerMemberIdentityCertificate()
{
Certificate = "-----BEGIN CERTIFICATE-----MIIBsjCCATigA...LjYAGDSGi7NJnSkA-----END CERTIFICATE-----",
Encryptionkey = "",
Tags = BinaryData.FromObjectAsJson(new Dictionary<string, object>()
{
["additionalProps1"] = "additional properties"
}),
}
},
DeploymentType = new ConfidentialLedgerDeploymentType()
{
LanguageRuntime = ConfidentialLedgerLanguageRuntime.JS,
AppSourceUri = new Uri(""),
},
NodeCount = 3,
},
Tags =
{
["additionalProps1"] = "additional properties",
},
};
ArmOperation<ManagedCcfResource> lro = await collection.CreateOrUpdateAsync(WaitUntil.Completed, appName, data);
ManagedCcfResource result = lro.Value;
// the variable result is a resource, you could call other operations on this instance as well
// but just for demo, we get its data from this resource instance
ManagedCcfData resourceData = result.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");
檢視受控 CCF 資源的屬性
下列程式碼片段會擷取受控 CCF 資源,並列印其屬性。
// this example assumes you already have this ResourceGroupResource created on azure
// for more information of creating ResourceGroupResource, please refer to the document of ResourceGroupResource
string subscriptionId = "0000000-0000-0000-0000-000000000001";
string resourceGroupName = "myResourceGroup";
ResourceIdentifier resourceGroupResourceId = ResourceGroupResource.CreateResourceIdentifier(subscriptionId, resourceGroupName);
ResourceGroupResource resourceGroupResource = client.GetResourceGroupResource(resourceGroupResourceId);
// get the collection of this ManagedCcfResource
ManagedCcfCollection collection = resourceGroupResource.GetManagedCcfs();
// invoke the operation
string appName = "confidentialbillingapp";
ManagedCcfResource result = await collection.GetAsync(appName);
// the variable result is a resource, you could call other operations on this instance as well
// but just for demo, we get its data from this resource instance
ManagedCcfData resourceData = result.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");
列出資源群組中的受控 CCF 資源
下列程式碼片段會擷取資源群組中的受控 CCF 資源。
// this example assumes you already have this ResourceGroupResource created on azure
// for more information of creating ResourceGroupResource, please refer to the document of ResourceGroupResource
string subscriptionId = "0000000-0000-0000-0000-000000000001";
string resourceGroupName = "myResourceGroup";
ResourceIdentifier resourceGroupResourceId = ResourceGroupResource.CreateResourceIdentifier(subscriptionId, resourceGroupName);
ResourceGroupResource resourceGroupResource = client.GetResourceGroupResource(resourceGroupResourceId);
// get the collection of this ManagedCcfResource
ManagedCcfCollection collection = resourceGroupResource.GetManagedCcfs();
// invoke the operation and iterate over the result
await foreach (ManagedCcfResource item in collection.GetAllAsync())
{
// the variable item is a resource, you could call other operations on this instance as well
// but just for demo, we get its data from this resource instance
ManagedCcfData resourceData = item.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");
}
Console.WriteLine($"Succeeded");
列出訂用帳戶中的受控 CCF 資源
下列程式碼片段會擷取訂用帳戶中的受控 CCF 資源。
// this example assumes you already have this SubscriptionResource created on azure
// for more information of creating SubscriptionResource, please refer to the document of SubscriptionResource
string subscriptionId = "0000000-0000-0000-0000-000000000001";
ResourceIdentifier subscriptionResourceId = SubscriptionResource.CreateResourceIdentifier(subscriptionId);
SubscriptionResource subscriptionResource = client.GetSubscriptionResource(subscriptionResourceId);
// invoke the operation and iterate over the result
await foreach (ManagedCcfResource item in subscriptionResource.GetManagedCcfsAsync())
{
// the variable item is a resource, you could call other operations on this instance as well
// but just for demo, we get its data from this resource instance
ManagedCcfData resourceData = item.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");
}
Console.WriteLine($"Succeeded");
清除資源
其他受控 CCF 文章可以建置在本快速入門的基礎上。 如果您打算繼續進行後續的快速入門和教學課程,可以讓這些資源留在原處。
否則,當您完成本文中建立的資源時,請使用 Azure CLI az group delete 命令來刪除資源群組及其包含的所有資源。
az group delete --resource-group myResourceGroup
下一步
在本快速入門中,您使用適用於機密總帳的 Azure Python SDK 建立了受控 CCF 資源。 若要深入了解 Azure 受控 CCF 及如何與應用程式整合,請繼續閱讀下列文章: