Read Azure KeyVault Secret from Function App
This Python script is deployed to run from an Azure Function App on the Linux Consumption plan. The script is expected to read secrets from Azure Key Vault.
Apart from code deployment, the following configurations are made:
1.) System Assigned Managed Access enabled for the Azure Function App
2.) Azure Key Vault's Role Assignments reference this Function App with the Reader role.
Here is the script from __init__.py:
    import logging
    import azure.functions as func
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient

    def main(req: func.HttpRequest) -> func.HttpResponse:
        logging.info('Python HTTP trigger function processed a request.')
        # Get url and filename from postman by using POST method
        #identity = ManagedIdentityCredential()
        credentials = DefaultAzureCredential()
        secretClient = SecretClient(vault_url="https://kvkkpbedpdev.vault.azure.net/", credential=credentials)
        secret = secretClient.get_secret(name='st-cs-kkpb-edp-dev')
        # Report only the secret's name in the response, never its value
        return func.HttpResponse(f"Read secret {secret.name}")
This function app requires the following libraries, defined in the requirements.txt file:
azure-functions
azure-keyvault-secrets
azure-identity
This function runs and ends up with the following exception.
warn: Function.Tide_GetFiles.User[0]
python | SharedTokenCacheCredential.get_token failed: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
python | Traceback (most recent call last):
python | File "/usr/local/lib/python3.8/site-packages/azure/identity/_internal/decorators.py", line 27, in wrapper
python | token = fn(*args, **kwargs)
python | File "/usr/local/lib/python3.8/site-packages/azure/identity/_credentials/shared_cache.py", line 88, in get_token
python | account = self._get_account(self._username, self._tenant_id)
python | File "/usr/local/lib/python3.8/site-packages/azure/identity/_internal/decorators.py", line 45, in wrapper
python | return fn(*args, **kwargs)
python | File "/usr/local/lib/python3.8/site-packages/azure/identity/_internal/shared_token_cache.py", line 166, in _get_account
python | raise CredentialUnavailableError(message=NO_ACCOUNTS)
python | azure.identity._exceptions.CredentialUnavailableError: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
python | info: Function.Tide_GetFiles.User[0]
python | DefaultAzureCredential - SharedTokenCacheCredential is unavailab
and error:
fail: Function.Tide_GetFiles[3]
python | Executed 'Functions.Tide_GetFiles' (Failed, Id=9d514a1f-aeae-4625-9379-b2f0bc89f38f, Duration=1673ms)
python | Microsoft.Azure.WebJobs.Host.FunctionInvocationException: Exception while executing function: Functions.Tide_GetFiles
python | ---> Microsoft.Azure.WebJobs.Script.Workers.Rpc.RpcException: Result: Failure
python | Exception: ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials.
python | Attempted credentials:
python | EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
python | ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
python | SharedTokenCacheCredential: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
How can I figure this out?
From the error, it seems managed identity is not applied to your Function app correctly. You should be able to see that by going to the identity blade of the Function app.
Additionally, you should add the required access policy (separate from role assignment in access control) (secret get here) to allow the identity (same name as the app) to access Key Vault if you are not using the new preview access control. Refer to How to set and get secrets from Azure Key Vault with Azure Managed Identities and Python.
Using the Azure Portal, go to the Key Vault's access policies, and grant the required access to the Key Vault.
You can also create an Azure service principal through the Azure CLI, PowerShell or the portal and grant it the same access.
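As an added example (not code from the question or the answer), the helper below checks for the identity endpoint that the Functions host injects when a managed identity is enabled, which is exactly what the "no managed identity endpoint found" line in the log says is missing, and then reads the secret with ManagedIdentityCredential alone so a misconfiguration fails with one clear reason instead of the DefaultAzureCredential fallback chain. The vault URL and secret name are placeholders.

```python
import os
from typing import Mapping, Optional

# Variable pairs the App Service / Functions host sets when a managed identity is
# enabled. Newer hosts use IDENTITY_ENDPOINT/IDENTITY_HEADER, older ones
# MSI_ENDPOINT/MSI_SECRET; azure-identity's ManagedIdentityCredential checks both.
_IDENTITY_VARS = (("IDENTITY_ENDPOINT", "IDENTITY_HEADER"), ("MSI_ENDPOINT", "MSI_SECRET"))


def managed_identity_endpoint(env: Mapping[str, str] = os.environ) -> Optional[str]:
    """Return the token endpoint the host exposes, or None if no identity is enabled.

    None corresponds to 'ManagedIdentityCredential authentication unavailable,
    no managed identity endpoint found': the identity is not enabled on the app,
    or the app has not been restarted since it was enabled.
    """
    for endpoint_var, header_var in _IDENTITY_VARS:
        if env.get(endpoint_var) and env.get(header_var):
            return env[endpoint_var]
    return None


def read_secret(vault_url: str, secret_name: str, env: Mapping[str, str] = os.environ) -> str:
    """Read one Key Vault secret using only the app's system-assigned identity."""
    if managed_identity_endpoint(env) is None:
        raise RuntimeError(
            "No managed identity endpoint in the environment: enable the "
            "system-assigned identity on the Function App and restart it."
        )
    # Imported lazily so the endpoint check above works even without the SDK installed.
    from azure.identity import ManagedIdentityCredential
    from azure.keyvault.secrets import SecretClient

    client = SecretClient(vault_url=vault_url, credential=ManagedIdentityCredential())
    # The identity still needs data-plane rights on the vault: an access policy with
    # 'get' on secrets, or the 'Key Vault Secrets User' RBAC role. The control-plane
    # 'Reader' role from the question does not grant secret reads.
    return client.get_secret(secret_name).value


if __name__ == "__main__":
    # Placeholder vault and secret name; replace with your own when deploying.
    print(read_secret("https://example-vault.vault.azure.net/", "example-secret"))
```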