[英]Using Azure managed identity for App Service not authorising for new SDK
我们已经成功使用Microsoft.Azure.KeyVault
一段时间了。 使用我们的 WebApps 和 AD 组中的托管标识来授予对密钥保管库的访问权限。
我已经更新了几个应用程序以使用Azure.Identity
package 和 .Net Framework 应用程序继续运行,但 .Net Core 3.1 应用程序现在似乎没有获取凭据。
如果我添加与 RBAC 生成的服务原则相对应的显式AZURE_CLIENT_ID
、 AZURE_CLIENT_SECRET
和AZURE_TENENT_ID
,则一切正常。 不过,我不想这样做,并且更喜欢使用托管标识(没有浮动配置)。
这些是我现在引用的包:
<PackageReference Include="Azure.Identity" Version="1.1.1" />
<PackageReference Include="Azure.Security.KeyVault.Secrets" Version="4.0.3" />
这是构造代码:
new SecretClient("name-of-vault", new DefaultAzureCredential());
所以没什么花哨的。
这是堆栈跟踪:
---> Azure.Identity.AuthenticationFailedException:DefaultAzureCredential 身份验证失败。 ---> Azure.Identity.AuthenticationFailedException:无效响应,身份验证响应不是预期的格式。 at Azure.Identity.ManagedIdentityClient.Deserialize(JsonElement json) at Azure.Identity.ManagedIdentityClient.DeserializeAsync(Stream content, CancellationToken cancellationToken) at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(String[] scopes, CancellationToken cancellationToken) at Azure.Identity.ManagedIdentityCredential .GetTokenImplAsync(TokenRequestContext requestContext, CancellationToken cancellationToken) --- End of inner exception stack trace --- at Azure.Identity.DefaultAzureCredential.GetTokenAsync(Boolean isAsync, TokenRequestContext requestContext, CancellationToken cancellationToken) at Azure.Identity.DefaultAzureCredential.GetTokenAsync(TokenRequestContext requestContext , CancellationToken cancelToken) 在 Azure.Security.KeyVault.ChallengeBasedAuthenticatio nPolicy.AuthenticateRequestAsync(HttpMessage message, Boolean async, AuthenticationChallenge challenge) at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.ProcessCoreAsync(HttpMessage message, ReadOnlyMemory1 pipeline, Boolean async) at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory1 pipeline, Boolean async) at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory1 pipeline, Boolean async) at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory1 pipeline) at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.ProcessAsync (HttpMessage 消息,ReadOnlyMemory1 管道)在 Azure.Core.Pipeline.Http Pipeline.SendRequestAsync(Request request, CancellationToken cancellationToken) at Azure.Security.KeyVault.KeyVaultPipeline.SendRequestAsync(Request request, CancellationToken cancellationToken) at Azure.Security.KeyVault.KeyVaultPipeline.SendRequestAsync[TResult](RequestMethod method, Func1 resultFactory, CancellationToken cancellationToken,字符串 [] 路径)在 Codat.Infrastructure.SecretsProvider.SecretsProvider.<>c__DisplayClass18_0.d.MoveNext() 的 Azure.Security.KeyVault.Secrets.SecretClient.GetSecretAsync(字符串名称,字符串版本,CancellationToken cancelToken)
似乎应用服务实例中的 MSI 服务返回了无效的DateTimeOffset
格式。
要求:
$response = Invoke-WebRequest -Uri 'http://127.0.0.1:41601/MSI/token/?api-version=2017-09-01&resource=https://vault.azure.net' -Method GET -Headers @{Metadata="true";Secret="REDACTED"} -UseBasicParsing
回复:
StatusCode : 200
StatusDescription : OK
Content : {123, 34, 97, 99...}
RawContent : HTTP/1.1 200 OK
Content-Length: 1698
Date: Mon, 22 Jun 2020 09:26:44 GMT
{"access_token":"REDACTED...
Headers : {[Content-Length, 1698], [Date, Mon, 22 Jun 2020 09:26:44
GMT]}
RawContentLength : 1698
{
"access_token": "REDACTED",
"expires_on": "6/23/2020 9:28:43 AM +00:00",
"resource": "https://vault.azure.net",
"token_type": "Bearer",
"client_id": "E7B39A52-REDACTED"
}
ManagedIdentityClient
无法解析格式"M/d/yyyy H:m:s tt K"
。 因此,该错误似乎在底层 azure 服务中。 我向https://github.com/Azure/azure-sdk-for-net/issues/12869团队提出了一个问题,它已在 1.2.0-preview-4 中修复。
不应该是这样吗?
var sc = new SecretClient(new Uri("https://<YOUR-KEY-VAULT>.vault.azure.net/"), new DefaultAzureCredential());
Secret1 = sc.GetSecret(nameof("name-of-vault")).Value;
尝试直接使用ManagedIdentityCredential
:
new SecretClient(new Uri(kvUri), new ManagedIdentityCredential());
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.