
Using Azure Managed Identity in a Docker container running on an Azure VM

I have a problem in which I cannot reach my company's container registry via Azure Container Instances and Azure Container Apps, which has to do with .NET and a private link to the company's registry, and the fact that dynamically launched containers can't be linked. Eventually I want to go to Kubernetes as a platform for my batch job workloads, but right now I have to find a quick solution that makes it possible to have at least one container running, and maybe manually scale these when necessary (one is probably enough most of the time).

Right now, the way I am aiming to achieve this is by simply launching a VM (and maybe a couple more when necessary) and running a docker container on this VM with the (Python) application code.

Now I'm wondering if, and if yes how, the Docker container can use a (either system- or user-assigned) managed identity assigned to the VM. When assigned to an ACI container with a user-managed identity assigned to it on startup, I could easily just have code like:

# imports added; the keyword 'accounrt_url' in the original was a typo for 'account_url'
from azure.identity import DefaultAzureCredential
from azure.storage.queue import QueueClient

default_credential = DefaultAzureCredential()
q_client = QueueClient(
  credential=default_credential,
  queue_name='Queuename',
  account_url='someurl'
)

and be able to access - for instance - this queue. No need to request any kind of token, no need to specify any kind of environment variable.

Now I doubt this will work in a docker container running in a VM with a user identity assigned to it, since the user identity is not really assigned directly to the docker container. Is there any way to still achieve this, or is this a fool's errand and should I just work with environment variables for now? I don't really like the idea of the latter, but I haven't found a way to use managed identities in this particular way.

• Yes, there is a way through which you can use the managed identity assigned to the VM on the docker container deployed on it. Kindly follow the steps given below and you can surely use the managed identity assigned to the VM in the docker container:

a) Thus, to get an access token to authenticate a request to an Azure resource using a managed identity, you have to call a special URL: https://169.254.169.254/metadata/identity/oauth2/token . Also, to ensure that the authentication token and the related networking work in a container, you will have to use a tool which is intended to be run as a Windows service on the container host and uses file-based communication to wait for requests by monitoring a folder. The container puts a request file in that folder, the service requests a token and responds to the container with a response file. The container can then use that token to authenticate against whatever Azure resource you need.

b) To do the above, you will have to deploy a VM in Azure and connect to it through RDP, then execute the command below to start a container:

docker run -ti -v c:\miat-helper:c:\miat-helper mcr.microsoft.com/powershell:6.2.3-nanoserver-1809

With the command below, you will get a PowerShell session inside of the container where you can use the 'helper' tool to get an access token.

$access_token = Invoke-Expression "c:\miat-helper\bin\client.exe --folder c:\miat-helper --resource https://management.azure.com/"

c) You can call an Azure API using that access token. Thus, to get more information about the VM generated, ensure to replace the resource group name and the virtual machine name with your values as below:

 # stray spaces inside the URI removed; <resource group name> and <virtual machine name> are placeholders to fill in
 $vmInfo = (Invoke-WebRequest -Uri 'https://management.azure.com/subscriptions/94670b10-08d0-4d17-bcfe-e01f701be9ff/resourceGroups/<resource group name>/providers/Microsoft.Compute/virtualMachines/<virtual machine name>?api-version=2017-12-01' -Method GET -ContentType "application/json" -Headers @{ Authorization = "Bearer $access_token" }).Content
 Write-Host $vmInfo

The above execution of commands should give you the necessary tools to cleanly handle authentication against Azure resources from a container. Also, assign a managed identity to the VM during ARM template deployment and assign a role to that managed identity to allow read access to the VM. Once these things are done, you make a 'GET' request to the token endpoint from the VM and you get an access token. Then, the helper tool will run as a Windows service and is configured to listen on a particular folder, after which the client creates a '.request' file in that folder with the targeted resource as content.

d) The 'helper' service is then notified through an event, which reads the file and requests the token, upon which the response file is created in the same class and the token is written to the file. The client then picks up the response file, reads the token, and writes it to the standard output. In this way, we can hardly think of anything better with the same very low amount of setup and high stability.

For more detailed information on this, kindly refer to the link below:

https://tobiasfenster.io/using-azure-managed-identities-in-containers

I stumbled over this because of the original question "Using Azure Managed Identity in a Docker container running on an Azure VM".

Here is how I did exactly this.

Prerequisites:

  • Azure VM with Linux and Docker on it
  • The VM has a managed identity assigned to it

Start the Azure CLI in Docker. Host network is important, because we need to reach the local endpoint provided by Azure.

docker run --network host -it mcr.microsoft.com/azure-cli

Inside the container you can now run:在容器内,您现在可以运行:

az login --identity
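As an added example (not code from the question or from either answer), the following Python spells out what the managed-identity step of DefaultAzureCredential does from inside the container, so the networking and trust assumptions stay visible: a GET to the IMDS token endpoint named in the first answer (IMDS serves plain HTTP and requires the `Metadata: true` header), the `client_id` query parameter that selects a user-assigned identity, and a duck-typed credential class that the QueueClient from the question accepts in place of DefaultAzureCredential. It assumes the container can reach 169.254.169.254, which the `--network host` run in the second answer guarantees. The `fetch` parameter, `make_unsigned_jwt` and the sample claims are this example's own constructs for exercising the flow offline; nothing here is an official Azure SDK API, and in production azure-identity's ManagedIdentityCredential(client_id=...) implements the same flow. One caveat both answers leave implicit: IMDS authenticates by network position only, so every process and every container on the VM, not just your job, can obtain these tokens; scope the identity's role assignments with that in mind.

```python
"""Minimal IMDS managed-identity client for a Python job in a container on an Azure VM.

Added example, not code from the question or either answer. Assumes the container
can route to 169.254.169.254 and that the VM has a system-assigned identity, or a
user-assigned one whose client_id you pass in.
"""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from collections import namedtuple
from typing import Optional

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"

# Same two attributes azure-core's bearer-token policy reads from a credential's token.
AccessToken = namedtuple("AccessToken", ["token", "expires_on"])


def scope_to_resource(scope: str) -> str:
    """SDKs pass v2 scopes (https://storage.azure.com/.default); IMDS wants the
    v1 `resource` form (https://storage.azure.com/)."""
    if scope.endswith("/.default"):
        scope = scope[: -len(".default")]
    return scope if scope.endswith("/") else scope + "/"


def build_imds_request(resource: str, client_id: Optional[str] = None) -> urllib.request.Request:
    """GET with the mandatory `Metadata: true` header. IMDS refuses requests
    without it, which is what stops header-less SSRF relays from minting tokens."""
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:  # selects one user-assigned identity when several are attached
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    return urllib.request.Request(url, headers={"Metadata": "true"}, method="GET")


def parse_token_response(body: bytes) -> AccessToken:
    """IMDS returns access_token plus expires_on as a string of epoch seconds."""
    data = json.loads(body)
    missing = [k for k in ("access_token", "expires_on") if k not in data]
    if missing:
        raise ValueError(f"IMDS response missing {missing}")
    return AccessToken(data["access_token"], int(data["expires_on"]))


def decode_jwt_claims(token: str) -> dict:
    """Read the payload WITHOUT verifying the signature. Fine for checking which
    audience/identity you were handed; never use it for authorization decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def _http_fetch(req: urllib.request.Request, timeout: float) -> bytes:
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


class ImdsCredential:
    """Duck-typed azure-core TokenCredential: get_token(*scopes) -> AccessToken.
    Caches one token per resource and refreshes REFRESH_MARGIN seconds before expiry."""
    REFRESH_MARGIN = 300

    def __init__(self, client_id: Optional[str] = None, fetch=_http_fetch, timeout: float = 5.0):
        self._client_id = client_id
        self._fetch = fetch  # injectable (hypothetical hook) so the flow runs offline in tests
        self._timeout = timeout
        self._cache = {}

    def get_token(self, *scopes: str, **kwargs) -> AccessToken:
        resource = scope_to_resource(scopes[0])
        cached = self._cache.get(resource)
        if cached and cached.expires_on - time.time() > self.REFRESH_MARGIN:
            return cached
        body = self._fetch(build_imds_request(resource, self._client_id), self._timeout)
        token = parse_token_response(body)
        self._cache[resource] = token
        return token


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned token (alg=none, empty signature) for offline demos only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # On the VM, hand the credential to the SDK client from the question:
    #   from azure.storage.queue import QueueClient
    #   QueueClient(account_url="https://<account>.queue.core.windows.net",
    #               queue_name="jobs", credential=ImdsCredential())
    try:
        tok = ImdsCredential().get_token("https://storage.azure.com/.default")
        claims = decode_jwt_claims(tok.token)
        print("aud:", claims.get("aud"), "oid:", claims.get("oid"),
              "expires in:", tok.expires_on - int(time.time()), "s")
    except urllib.error.URLError as err:
        print("IMDS not reachable from this network namespace:", err.reason)
```

Run it inside the container started with `--network host`; if it prints "IMDS not reachable", the container's network namespace cannot route to the metadata address and no amount of SDK configuration will help. Checking `aud` and `oid` on the decoded token is the quick way to confirm you got the identity and audience you expected before handing the credential to a client.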
