
Read Azure KeyVault Secret from Function App

This Python script is deployed to run from an Azure Function App on the Linux Consumption plan. The script is expected to read secrets from Azure Key Vault.

Apart from the code deployment, the following configuration was also done:

1.) Enabled the system-assigned managed identity for the Azure Function App

2.) A role assignment on the Azure Key Vault references this Function App with the Reader role.

This is the script from __init__.py

import logging
import azure.functions as func
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

def main(req: func.HttpRequest) -> func.HttpResponse:
    logging.info('Python HTTP trigger function processed a request.')
    # Get url and filename from postman by using POST method
    #identity = ManagedIdentityCredential()
    credentials = DefaultAzureCredential()
    secretClient = SecretClient(vault_url="https://kvkkpbedpdev.vault.azure.net/", credential=credentials)
    secret = secretClient.get_secret(name='st-cs-kkpb-edp-dev')
    return func.HttpResponse(f"Read secret '{secret.name}'", status_code=200)  # report success only, never the value

This function app requires the following libraries, defined in the requirements.txt file

azure-functions
azure-keyvault-secrets
azure-identity

The function runs and ends with an exception.

warn: Function.Tide_GetFiles.User[0]
python                   |       SharedTokenCacheCredential.get_token failed: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
python                   |       Traceback (most recent call last):
python                   |         File "/usr/local/lib/python3.8/site-packages/azure/identity/_internal/decorators.py", line 27, in wrapper
python                   |           token = fn(*args, **kwargs)
python                   |         File "/usr/local/lib/python3.8/site-packages/azure/identity/_credentials/shared_cache.py", line 88, in get_token
python                   |           account = self._get_account(self._username, self._tenant_id)
python                   |         File "/usr/local/lib/python3.8/site-packages/azure/identity/_internal/decorators.py", line 45, in wrapper
python                   |           return fn(*args, **kwargs)
python                   |         File "/usr/local/lib/python3.8/site-packages/azure/identity/_internal/shared_token_cache.py", line 166, in _get_account
python                   |           raise CredentialUnavailableError(message=NO_ACCOUNTS)
python                   |       azure.identity._exceptions.CredentialUnavailableError: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
python                   | info: Function.Tide_GetFiles.User[0]
python                   |       DefaultAzureCredential - SharedTokenCacheCredential is unavailab

and the error

 fail: Function.Tide_GetFiles[3]
python                   |       Executed 'Functions.Tide_GetFiles' (Failed, Id=9d514a1f-aeae-4625-9379-b2f0bc89f38f, Duration=1673ms)
python                   | Microsoft.Azure.WebJobs.Host.FunctionInvocationException: Exception while executing function: Functions.Tide_GetFiles
python                   |  ---> Microsoft.Azure.WebJobs.Script.Workers.Rpc.RpcException: Result: Failure
python                   | Exception: ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials.
python                   | Attempted credentials:
python                   |      EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
python                   |      ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
python                   |      SharedTokenCacheCredential: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.

How can I fix this?

From the error, it looks like the managed identity is not correctly applied to your Function App. You should be able to see it by going to the Identity blade of the Function App.


Also, if you are not using the new preview access control, you should add the required access policy (separate from the role assignments in Access Control), Get on secrets in this case, to allow the identity (same name as the app) to access the key vault. See How to set and get secrets from Azure Key Vault using Azure Managed Identity and Python

Using the Azure portal, go to the Access policies of the Key Vault and grant the required access to the Key Vault.

  1. Search for your Key Vault in the "Search Resources" dialog box of the Azure portal.
  2. Select "Overview", then click Access policies
  3. Click "Add Access Policy" and select the required permissions.
  4. Click "Select principal" and add your account
  5. Save the access policy


You can also create an Azure service principal via the Azure CLI, PowerShell or the portal and grant it the same access.
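Added example, not the poster's or the answerer's code: a hardened variant of the handler that uses ManagedIdentityCredential alone instead of DefaultAzureCredential, so the function fails with one clear reason rather than falling through to environment or developer-cache credentials, plus two triage helpers: one checks the managed-identity endpoint variables that App Service and Functions inject (IDENTITY_ENDPOINT with IDENTITY_HEADER, or MSI_ENDPOINT with MSI_SECRET on older hosts), the other splits the "Attempted credentials" block of the question's error into per-credential reasons. The vault URL and secret name are taken from the question; the sample log is reconstructed from it.

```python
import logging
import os
import re
from typing import Dict, Mapping, Optional
VAULT_URL = "https://kvkkpbedpdev.vault.azure.net/"  # vault and secret name from the question
SECRET_NAME = "st-cs-kkpb-edp-dev"
_ENTRY = re.compile(r"(\w+Credential):\s*(.+?)\s*$")  # one line of the 'Attempted credentials' list

def managed_identity_endpoint(env: Optional[Mapping[str, str]] = None) -> Optional[str]:
    """Return the managed-identity token endpoint injected by the host, or None if absent."""
    env = os.environ if env is None else env
    if env.get("IDENTITY_ENDPOINT") and env.get("IDENTITY_HEADER"):
        return env["IDENTITY_ENDPOINT"]
    if env.get("MSI_ENDPOINT") and env.get("MSI_SECRET"):  # older App Service hosts
        return env["MSI_ENDPOINT"]
    return None

def parse_credential_failures(message: str) -> Dict[str, str]:
    """Map each credential under 'Attempted credentials:' to its reason; tolerates the 'python |' prefix."""
    failures: Dict[str, str] = {}
    in_list = False
    for line in message.splitlines():
        if "Attempted credentials:" in line:
            in_list = True
            continue
        match = _ENTRY.search(line) if in_list else None
        if match:
            failures[match.group(1)] = match.group(2)
    return failures

def managed_identity_missing(failures: Mapping[str, str]) -> bool:
    """True when the chain failed because the host exposed no managed-identity endpoint."""
    return "no managed identity endpoint found" in failures.get("ManagedIdentityCredential", "")

def read_secret_value() -> str:
    """Fetch the secret with ManagedIdentityCredential only: no silent fallback to other credentials."""
    from azure.identity import ManagedIdentityCredential  # local import so the helpers above run without the SDK
    from azure.keyvault.secrets import SecretClient
    if managed_identity_endpoint() is None:
        raise RuntimeError("no managed identity endpoint: enable the system-assigned identity on the Function App")
    client = SecretClient(vault_url=VAULT_URL, credential=ManagedIdentityCredential())
    secret = client.get_secret(SECRET_NAME)
    logging.info("retrieved secret %s version %s", secret.name, secret.properties.version)  # never log the value
    return secret.value

# Constructed sample: the 'Attempted credentials' block from the question's log.
SAMPLE_LOG = """python | Attempted credentials:
python |      EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
python |      ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
python |      SharedTokenCacheCredential: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache."""
```

Running parse_credential_failures over the question's log and checking managed_identity_missing confirms the same diagnosis the answer gives from reading the error: the identity endpoint was never present in the container.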
