stackoom
  简体   繁体   中英

Access CosmosDB Data from Azure App Service by using managed identity (Failed)

 原文  2023-01-18 09:12:29       python/ terraform/ azure-web-app-service/ azure-cosmosdb/ azure-managed-identity

Question

A FastAPI-based API written in Python has been deployed as an Azure App Service. The API needs to read and write data from CosmosDB, and I attempted to use Managed Identity for this purpose, but encountered an error, stating Unrecognized credential type

These are the key steps that I took towards that goal

Step One : I used Terraform to configure the managed identity for Azure App Service, and assigned the 'contributor' role to the identity so that it can access and write data to CosmosDB. The role assignment was carried out in the file where the Azure App Service is provisioned.

  resource "azurerm_linux_web_app" "this" {
  name     = var.appname
  location = var.location
  resource_group_name = var.rg_name
  service_plan_id = azurerm_service_plan.this.id


  app_settings = {
    "PROD"                               = false
    "DOCKER_ENABLE_CI"                   = true
    "DOCKER_REGISTRY_SERVER_URL"         = data.azurerm_container_registry.this.login_server
    "WEBSITE_HTTPLOGGING_RETENTION_DAYS" = "30"
    "WEBSITE_ENABLE_APP_SERVICE_STORAGE" = false
  }

  lifecycle {
    ignore_changes = [
      app_settings["WEBSITE_HTTPLOGGING_RETENTION_DAYS"]
    ]
  }

  https_only = true
  
  identity {
    type = "SystemAssigned"
  }

data "azurerm_cosmosdb_account" "this" {
  name                = var.cosmosdb_account_name
  resource_group_name = var.cosmosdb_resource_group_name
}

// built-in role that allow the app-service to read and write to an Azure Cosmos DB
resource "azurerm_role_assignment" "cosmosdbContributor" {
  scope              = data.azurerm_cosmosdb_account.this.id
  principal_id       = azurerm_linux_web_app.this.identity.0.principal_id
  role_definition_name = "Contributor"
}

Step Two : I used the managed identity library to fetch the necessary credentials in the Python code.

from azure.identity import ManagedIdentityCredential
from azure.cosmos.cosmos_client import CosmosClient
client = CosmosClient(get_endpoint(),credential=ManagedIdentityCredential())
client = self._get_or_create_client()
database = client.get_database_client(DB_NAME)
container = database.get_container_client(CONTAINER_NAME)
container.query_items(query)

I received the following error when running the code locally and from Azure (the error can be viewed from the Log stream of the Azure App Service):

raise TypeError(
TypeError: Unrecognized credential type. Please supply the master key as str, or a dictionary or resource tokens, or a list of permissions.

Any help or discussion is welcome

1 answers

solution1
 0  2023-01-18 13:23:54

If you are using the Python SDK, you can directly do this,check the sample here

aad_credentials = ClientSecretCredential(
    tenant_id="<azure-ad-tenant-id>",
    client_id="<client-application-id>",
    client_secret="<client-application-secret>")
client = CosmosClient("<account-endpoint>", aad_credentials)

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Call Graph from Azure App Service using Managed Identity MassTransit: Cannot access Azure Service Bus using managed Identity Connect Azure CosmosDB using Managed Identities from Azure Function App both locally and on Azure Using a managed identity with Azure Service Bus Unable to post message to Azure Service Bus Queue from Azure API using Managed Identity Azure AKS/Container App can't access Key vault using managed identity Logic App query Azure Table using HTTP and Managed Identity authentication Run Get-AzADApplication from an Azure Runbook using a Managed Identity Accessing Azure Storage from VM using Managed Identity Azure managed identity for Azure service bus with java sdk
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM