Azure Service Bus authentication with User Assigned Managed Identities
We need to run apps that access Azure Service Bus (ASB) from Azure App Services and Azure Functions. We need to authenticate using user-assigned identities. We wrote the following code, which works with system-assigned identities but not with user-assigned identities:
var tokenProvider = TokenProvider.CreateManagedIdentityTokenProvider();
var managementClient = new ManagementClient(serviceBusEndpoint, tokenProvider);
if (await managementClient.QueueExistsAsync(queueName))
{
    return new OkObjectResult($"Queue with name {queueName} exists.");
}
else
{
    return new OkObjectResult($"Queue with name {queueName} doesn't exist.");
}
This error is thrown:
Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connection String: [No connection string specified], Resource: https://servicebus.azure.net/, Authority: . Exception Message: Tried the following 3 methods to get an access token, but none of them worked.
Parameters: Connection String: [No connection string specified], Resource: https://servicebus.azure.net/, Authority: . Exception Message: Tried to get token using Managed Service Identity. Access token could not be acquired. MSI ResponseCode: BadRequest, Response: {"StatusCode":400,"Message":"No MSI found for specified ClientId/ResourceId.","CorrelationId":"dd2bcf6c-6f1d-489e-b178-ca6007502841"}
Parameters: Connection String: [No connection string specified], Resource: https://servicebus.azure.net/, Authority: . Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Visual Studio Token provider file not found at "D:\local\LocalAppData\.IdentityService\AzureServiceAuth\tokenprovider.json"
Parameters: Connection String: [No connection string specified], Resource: https://servicebus.azure.net/, Authority: . Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. 'az' is not recognized as an internal or external command,
operable program or batch file.
at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider.GetAccessTokenAsyncImpl(String authority, String resource, String scope)
at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider.GetAccessTokenAsync(String resource, String tenantId)
at Microsoft.Azure.ServiceBus.Primitives.ManagedIdentityTokenProvider.GetTokenAsync(String appliesTo, TimeSpan timeout)
at Microsoft.Azure.ServiceBus.Management.ManagementClient.GetToken(String requestUri)
at Microsoft.Azure.ServiceBus.Management.ManagementClient.SendHttpRequest(HttpRequestMessage request, CancellationToken cancellationToken)
at Microsoft.Azure.ServiceBus.Management.ManagementClient.GetEntity(String path, String query, Boolean enrich, CancellationToken cancellationToken)
at Microsoft.Azure.ServiceBus.Management.ManagementClient.GetQueueAsync(String queuePath, CancellationToken cancellationToken)
at Microsoft.Azure.ServiceBus.Management.ManagementClient.QueueExistsAsync(String queuePath, CancellationToken cancellationToken)
So the core error is "No MSI found for specified ClientId/ResourceId." Looks like we need to specify the client id.
Then we found https://github.com/Azure/azure-sdk-for-net/tree/master/sdk/identity/Azure.Identity with ManagedIdentityCredential, where we can specify a client id, but we haven't figured out yet how to use it for ASB.
Another option is using an HTTP GET request to MSI_ENDPOINT as described here https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?context=azure%2Factive-directory%2Fmanaged-identities-azure-resources%2Fcontext%2Fmsi-context&tabs=dotnet#obtaining-tokens-for-azure-resources , but maybe a real working .NET library exists that we missed.
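The HTTP route mentioned in the question, written out as an added example (this is not code from the question or from any Azure library): it calls the App Service managed identity endpoint directly and selects a user-assigned identity by client id. The environment variable, query parameter and header names follow the managed-identity document linked above (the older MSI_ENDPOINT/MSI_SECRET contract with api-version 2017-09-01, and the newer IDENTITY_ENDPOINT/IDENTITY_HEADER contract with api-version 2019-08-01); the class and method names, and the use of System.Text.Json, are this example's own assumptions.

```csharp
// Added example: fetch a Service Bus token for a user-assigned identity straight from the
// App Service identity endpoint. Not part of the original question; helper names are ours.
using System;
using System.Globalization;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;

public static class ManagedIdentityHttp
{
    private static readonly HttpClient Http = new HttpClient();

    // Returns the access token and its expiry for the given resource, requested on behalf
    // of the user-assigned identity whose client id is passed in.
    public static async Task<(string Token, DateTimeOffset ExpiresOn)> GetTokenAsync(string resource, string clientId)
    {
        string endpoint, headerName, headerValue, query;
        var identityEndpoint = Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT");
        if (!string.IsNullOrEmpty(identityEndpoint))
        {
            // Newer App Service contract (api-version 2019-08-01): client_id query parameter,
            // X-IDENTITY-HEADER carries the sandbox secret.
            endpoint = identityEndpoint;
            headerName = "X-IDENTITY-HEADER";
            headerValue = Environment.GetEnvironmentVariable("IDENTITY_HEADER");
            query = $"?resource={Uri.EscapeDataString(resource)}&api-version=2019-08-01&client_id={Uri.EscapeDataString(clientId)}";
        }
        else
        {
            // Older contract (api-version 2017-09-01), the one the linked document describes:
            // clientid query parameter, "secret" header.
            endpoint = Environment.GetEnvironmentVariable("MSI_ENDPOINT")
                ?? throw new InvalidOperationException("No managed identity endpoint in the environment; is managed identity enabled on this app?");
            headerName = "secret";
            headerValue = Environment.GetEnvironmentVariable("MSI_SECRET");
            query = $"?resource={Uri.EscapeDataString(resource)}&api-version=2017-09-01&clientid={Uri.EscapeDataString(clientId)}";
        }

        using (var request = new HttpRequestMessage(HttpMethod.Get, endpoint + query))
        {
            request.Headers.Add(headerName, headerValue);
            using (var response = await Http.SendAsync(request).ConfigureAwait(false))
            {
                var body = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
                if (!response.IsSuccessStatusCode)
                {
                    // A 400 such as "No MSI found for specified ClientId/ResourceId" means the endpoint
                    // could not map the requested client id to an identity assigned to this app.
                    throw new InvalidOperationException($"Identity endpoint returned {(int)response.StatusCode}: {body}");
                }
                using (var doc = JsonDocument.Parse(body))
                {
                    var root = doc.RootElement;
                    var token = root.GetProperty("access_token").GetString();
                    return (token, ParseExpiresOn(root.GetProperty("expires_on").GetString()));
                }
            }
        }
    }

    // expires_on is a Unix timestamp (seconds) under 2019-08-01 and a date string under 2017-09-01.
    private static DateTimeOffset ParseExpiresOn(string value)
    {
        if (long.TryParse(value, NumberStyles.Integer, CultureInfo.InvariantCulture, out var seconds))
        {
            return DateTimeOffset.FromUnixTimeSeconds(seconds);
        }
        return DateTimeOffset.Parse(value, CultureInfo.InvariantCulture);
    }
}
```

Call it as `var (token, expiresOn) = await ManagedIdentityHttp.GetTokenAsync("https://servicebus.azure.net/", userAssignedClientId);`. The returned token still has to be handed to the Service Bus client through an ITokenProvider, so this is mostly useful for confirming that the identity endpoint accepts the client id before wiring it into a library.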
I'm on the Azure SDK team. We are in the process of unifying all Azure SDKs here: https://aka.ms/azsdkpackages , but do not have a new Service Bus SDK yet.
I haven't attempted user-assigned identities with the TokenProvider API, but I do know that it works with the new DefaultAzureCredential object, which will search for creds in your environment and automatically picks up the Managed Identity endpoints. You can read more about it here: https://docs.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet
You can't, however, use DefaultAzureCredential directly because ServiceBus accepts ITokenProvider.
In the meantime, you can use this adapter I created, which is just a stopgap until we have the Service Bus SDK.
Add the Azure.Identity and Azure.Core nuget packages to your project.
Copy this file to your project: https://github.com/jongio/azidext/blob/master/net/JonGallant.Azure.Identity.Extensions/DefaultAzureServiceBusCredential.cs
Here's a sample usage: https://github.com/jongio/azidext/blob/master/net/JonGallant.Azure.Identity.Extensions.Tests/ServiceBus/ServiceBusTests.cs
You can set the client id, secret, and tenant id with the following environment variables:
AZURE_CLIENT_ID
AZURE_CLIENT_SECRET
AZURE_TENANT_ID
If you have to use TokenProvider and don't want to use the stopgap, then please let me know and I can research it further.
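The adapter pattern this answer describes, written as an added example: it is not the azidext file linked above and not code from the answerer, but a TokenProvider subclass of our own that wraps any Azure.Core TokenCredential, so the client id of the user-assigned identity is chosen explicitly in code through ManagedIdentityCredential. It assumes the Microsoft.Azure.ServiceBus, Azure.Identity and Azure.Core packages; the JsonSecurityToken constructor signature (raw token, audience) and the class and method names are our assumptions.

```csharp
// Added example: bridge Azure.Identity's TokenCredential into Microsoft.Azure.ServiceBus's
// TokenProvider. Not part of the original answer or of the azidext repository.
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Azure.ServiceBus.Management;
using Microsoft.Azure.ServiceBus.Primitives;

public sealed class TokenCredentialTokenProvider : TokenProvider
{
    // Scope used when asking Azure AD for a Service Bus token.
    private const string ServiceBusScope = "https://servicebus.azure.net/.default";
    private readonly TokenCredential credential;
    private readonly SemaphoreSlim gate = new SemaphoreSlim(1, 1);
    private AccessToken cached;

    public TokenCredentialTokenProvider(TokenCredential credential)
    {
        this.credential = credential ?? throw new ArgumentNullException(nameof(credential));
    }

    public override async Task<SecurityToken> GetTokenAsync(string appliesTo, TimeSpan timeout)
    {
        using (var cts = new CancellationTokenSource(timeout))
        {
            await gate.WaitAsync(cts.Token).ConfigureAwait(false);
            try
            {
                // Reuse the token until shortly before it expires, so each Service Bus call
                // does not cost a round trip to the identity endpoint.
                if (cached.Token == null || cached.ExpiresOn <= DateTimeOffset.UtcNow.AddMinutes(5))
                {
                    cached = await credential.GetTokenAsync(
                        new TokenRequestContext(new[] { ServiceBusScope }), cts.Token).ConfigureAwait(false);
                }
            }
            finally
            {
                gate.Release();
            }
            // JsonSecurityToken reads the expiry from the JWT; appliesTo is the entity URI
            // the client is about to call (assumed constructor: raw token, audience).
            return new JsonSecurityToken(cached.Token, appliesTo);
        }
    }
}

public static class QueueCheck
{
    // Same check as the question's code, but with the user-assigned identity selected by client id.
    public static async Task<bool> QueueExistsAsync(string serviceBusEndpoint, string queueName, string userAssignedClientId)
    {
        // Passing the client id selects the user-assigned identity; without it the
        // credential asks for the system-assigned identity instead.
        var credential = new ManagedIdentityCredential(userAssignedClientId);
        var provider = new TokenCredentialTokenProvider(credential);
        var management = new ManagementClient(serviceBusEndpoint, provider);
        return await management.QueueExistsAsync(queueName).ConfigureAwait(false);
    }
}
```

For local development, `new DefaultAzureCredential()` can be passed to the same adapter, with AZURE_CLIENT_ID selecting the identity as the answer notes; in App Service the explicit ManagedIdentityCredential keeps the chosen identity visible in code rather than depending on environment variables.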
TokenProvider.CreateManagedIdentityTokenProvider takes a dependency on Microsoft.Azure.Services.AppAuthentication for implementing Managed Identity.
User-assigned Managed Identity is supported from version 1.2.1 of Microsoft.Azure.Services.AppAuthentication. Documentation can be found here.
So, you have to do two things to make this work with the code you already have:
1. Update the version of Microsoft.Azure.Services.AppAuthentication to the latest.
2. Set AzureServicesAuthConnectionString in the App settings of the App Service to RunAs=App;AppId={ClientId of user-assigned identity}, e.g. RunAs=App;AppId=587f16c8-81ed-41c7-b19a-9ded0dbe2ca2
Once you do these two steps, your code should be using the user-assigned managed identity. I tried this out with an App Service and it worked fine for me.
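A startup self-check for the two steps above, as an added example (not the answerer's code): it validates the AzureServicesAuthConnectionString setting, passes it explicitly to AzureServiceTokenProvider, and confirms that the token's appid claim is the client id of the expected user-assigned identity, which turns the opaque "No MSI found" failure into a clear message at startup. It assumes Microsoft.Azure.Services.AppAuthentication (1.2.1 or later, as the answer states) and System.Text.Json; the class and method names, and the use of the appid claim for the check, are this example's assumptions.

```csharp
// Added example: verify the AppAuthentication configuration for a user-assigned identity.
// Not part of the original answer; names are this example's own.
using System;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Azure.Services.AppAuthentication;

public static class UserAssignedIdentityCheck
{
    private const string ServiceBusResource = "https://servicebus.azure.net/";

    // Extracts the AppId from "RunAs=App;AppId=<guid>" or throws with a clear message.
    public static Guid ParseAppId(string connectionString)
    {
        if (string.IsNullOrWhiteSpace(connectionString))
        {
            throw new InvalidOperationException("AzureServicesAuthConnectionString is not set.");
        }
        string runAs = null, appId = null;
        foreach (var part in connectionString.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
        {
            var kv = part.Split(new[] { '=' }, 2);
            if (kv.Length != 2) continue;
            var key = kv[0].Trim();
            if (key.Equals("RunAs", StringComparison.OrdinalIgnoreCase)) runAs = kv[1].Trim();
            if (key.Equals("AppId", StringComparison.OrdinalIgnoreCase)) appId = kv[1].Trim();
        }
        if (!string.Equals(runAs, "App", StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException("Expected RunAs=App for a managed identity.");
        }
        if (!Guid.TryParse(appId, out var guid))
        {
            throw new InvalidOperationException("AppId must be the client id (a GUID) of the user-assigned identity.");
        }
        return guid;
    }

    // Reads the "appid" claim from the JWT payload. No signature check is done here: the token
    // was just obtained from the local identity endpoint and Service Bus validates it on use;
    // this only tells us which identity the token was issued for.
    public static string ReadAppIdClaim(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length < 2) throw new FormatException("Not a JWT.");
        var payload = parts[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        var json = Encoding.UTF8.GetString(Convert.FromBase64String(payload));
        using (var doc = JsonDocument.Parse(json))
        {
            return doc.RootElement.TryGetProperty("appid", out var claim) ? claim.GetString() : null;
        }
    }

    // Run once at startup; throws if the configured identity is not the one issuing tokens.
    public static async Task VerifyAsync()
    {
        var connectionString = Environment.GetEnvironmentVariable("AzureServicesAuthConnectionString");
        var expected = ParseAppId(connectionString);
        // Passing the connection string explicitly makes the chosen identity visible in code
        // instead of relying silently on the app setting being picked up.
        var provider = new AzureServiceTokenProvider(connectionString);
        var token = await provider.GetAccessTokenAsync(ServiceBusResource).ConfigureAwait(false);
        var actual = ReadAppIdClaim(token);
        if (!Guid.TryParse(actual, out var actualGuid) || actualGuid != expected)
        {
            throw new InvalidOperationException($"Token was issued for appid '{actual}', expected '{expected}'.");
        }
    }
}
```

Because TokenProvider.CreateManagedIdentityTokenProvider() reads the same app setting, a passing VerifyAsync means the existing Service Bus code will run under the intended identity without further changes.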
As of today we can get user-assigned working with the following code.
var managedCredential = new ManagedIdentityCredential(userAssignedIdentityAppId);
var accessToken = await managedCredential.GetTokenAsync(
    new TokenRequestContext(
        new[] { "https://servicebus.azure.net" })).ConfigureAwait(false);
It works with "https://servicebus.azure.net/.default" as well.