Read Azure KeyVault Secret from Function App

This Python script is deployed to run from an Azure Function App on the Linux Consumption plan. The script is expected to read secrets from Azure Key Vault.

Apart from deploying the code, the following configuration was also done:

1.) Enabled system-assigned managed identity for the Azure Function app.

2.) Role assignment on the Azure Key Vault referencing this Function app, with the Reader role.

Here is the script from __init__.py:

import logging

import azure.functions as func
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

def main(req: func.HttpRequest) -> func.HttpResponse:
    logging.info('Python HTTP trigger function processed a request.')
    # Get url and filename from postman by using POST method
    #identity = ManagedIdentityCredential()
    credentials = DefaultAzureCredential()
    secretClient = SecretClient(vault_url="https://kvkkpbedpdev.vault.azure.net/", credential=credentials)
    secret = secretClient.get_secret(name = 'st-cs-kkpb-edp-dev')
    return func.HttpResponse(f"Read secret {secret.name}")  # never echo secret.value back to the caller

This function app requires the following libraries, which are defined in the requirements.txt file:

azure-functions
azure-keyvault-secrets
azure-identity

The function runs and ends with an exception:

warn: Function.Tide_GetFiles.User[0]
python                   |       SharedTokenCacheCredential.get_token failed: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
python                   |       Traceback (most recent call last):
python                   |         File "/usr/local/lib/python3.8/site-packages/azure/identity/_internal/decorators.py", line 27, in wrapper
python                   |           token = fn(*args, **kwargs)
python                   |         File "/usr/local/lib/python3.8/site-packages/azure/identity/_credentials/shared_cache.py", line 88, in get_token
python                   |           account = self._get_account(self._username, self._tenant_id)
python                   |         File "/usr/local/lib/python3.8/site-packages/azure/identity/_internal/decorators.py", line 45, in wrapper
python                   |           return fn(*args, **kwargs)
python                   |         File "/usr/local/lib/python3.8/site-packages/azure/identity/_internal/shared_token_cache.py", line 166, in _get_account
python                   |           raise CredentialUnavailableError(message=NO_ACCOUNTS)
python                   |       azure.identity._exceptions.CredentialUnavailableError: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
python                   | info: Function.Tide_GetFiles.User[0]
python                   |       DefaultAzureCredential - SharedTokenCacheCredential is unavailab

and the error:

 fail: Function.Tide_GetFiles[3]
python                   |       Executed 'Functions.Tide_GetFiles' (Failed, Id=9d514a1f-aeae-4625-9379-b2f0bc89f38f, Duration=1673ms)
python                   | Microsoft.Azure.WebJobs.Host.FunctionInvocationException: Exception while executing function: Functions.Tide_GetFiles
python                   |  ---> Microsoft.Azure.WebJobs.Script.Workers.Rpc.RpcException: Result: Failure
python                   | Exception: ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials.
python                   | Attempted credentials:
python                   |      EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
python                   |      ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
python                   |      SharedTokenCacheCredential: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.

How can I figure this out?

From the error, it looks like the managed identity has not been applied correctly to your Function app. You should be able to see it by going to the Identity blade of the Function app.

Also, if you are not using the new preview access control, you should add the required access policy (this is separate from role assignments under Access control) (Get on secrets here) to allow the identity (which has the same name as the app) to access the key vault. See How to set and get secrets from Azure Key Vault using Azure Managed Identities and Python.

Using the Azure portal, go to the Key Vault's access policies and grant the required access to the Key Vault:

  1. In the Azure portal, search for your Key Vault in the "Search resources" dialog.
  2. Select "Overview", then click Access policies.
  3. Click "Add Access Policy" and select the permissions needed.
  4. Click "Select principal" and add your account.
  5. Save the access policy.

You can also create an Azure service principal through the Azure CLI, PowerShell, or the portal and grant it the same access.
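The answer above boils down to two checks: does the Functions host expose a managed-identity token endpoint at all, and, once it does, has the identity been granted data-plane access on the vault. The following is an added example (editor's code, not part of the question or the answer) that encodes those checks as offline diagnostics. The environment variable names are the ones App Service/Functions inject when a managed identity is enabled (IDENTITY_ENDPOINT/IDENTITY_HEADER, and the legacy MSI_ENDPOINT/MSI_SECRET); the first sample error is copied from the question's log, the second (a Forbidden response from Key Vault) is a constructed, shortened stand-in for what the vault returns when the token is valid but the identity lacks permission. Only the standard library is used, so it runs without azure-identity installed.

```python
"""Offline diagnostics for DefaultAzureCredential / Key Vault failures.

Added example, not code from the original post. Assumptions: the managed
identity env var names below, and the shape of the sample error strings.
"""
import os
import re
from typing import Dict, List, Mapping

# Env var pairs the Functions host injects once a managed identity is enabled.
_MI_ENV_PAIRS = (("IDENTITY_ENDPOINT", "IDENTITY_HEADER"),
                 ("MSI_ENDPOINT", "MSI_SECRET"))

# Failure message copied from the question's log (constructed sample input).
SAMPLE_FAILURE = """\
python | Exception: ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials.
python | Attempted credentials:
python |      EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
python |      ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
python |      SharedTokenCacheCredential: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
"""

# Constructed, shortened form of the error Key Vault returns when the identity
# does get a token but has no data-plane permission on the vault (assumption).
SAMPLE_FORBIDDEN = ("azure.core.exceptions.HttpResponseError: (Forbidden) "
                    "Caller is not authorized to perform action on resource.")


def managed_identity_configured(env: Mapping[str, str] = os.environ) -> bool:
    """True when the host has injected a managed-identity token endpoint."""
    return any(env.get(ep) and env.get(hdr) for ep, hdr in _MI_ENV_PAIRS)


def parse_attempted_credentials(message: str) -> Dict[str, str]:
    """Map each credential listed under 'Attempted credentials:' to its reason.

    Tolerates the 'python | ' log prefix seen in the question's output.
    """
    results: Dict[str, str] = {}
    seen_header = False
    for line in message.splitlines():
        if not seen_header:
            seen_header = "Attempted credentials:" in line
            continue
        m = re.search(r"\b([A-Za-z]+Credential):\s*(.*)", line)
        if m:
            results[m.group(1)] = m.group(2).strip()
    return results


def diagnose(message: str, env: Mapping[str, str] = os.environ) -> List[str]:
    """Return the checks to perform, in order, for a Key Vault read failure."""
    findings: List[str] = []
    attempted = parse_attempted_credentials(message)
    mi_reason = attempted.get("ManagedIdentityCredential", "")

    if "no managed identity endpoint" in mi_reason:
        if not managed_identity_configured(env):
            findings.append("identity: no managed-identity endpoint in the environment; "
                            "enable the system-assigned identity on the Function app's "
                            "Identity blade and redeploy/restart.")
        else:
            findings.append("identity: the host exposes a token endpoint but the SDK did "
                            "not see it; the worker may predate the identity being "
                            "enabled, restart the app.")
    if "Forbidden" in message or " 403" in message:
        findings.append("authorization: the identity got a token but Key Vault rejected it; "
                        "grant it a secret 'get' access policy, or the 'Key Vault Secrets "
                        "User' role if the vault uses RBAC. 'Reader' is control-plane only.")
    if not findings:
        findings.append("no known pattern matched; inspect the full traceback.")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_FAILURE, {}):
        print(finding)
```

Two caveats worth keeping in mind beyond the answer: the built-in Reader role is an ARM (control-plane) role and never grants secret reads, so with a vault in RBAC mode the identity needs a data-plane role such as Key Vault Secrets User; and in a deployed Function, `ManagedIdentityCredential()` is the tighter choice over `DefaultAzureCredential()`, because it skips the EnvironmentCredential and SharedTokenCacheCredential probes that fill the log above and fails with a single, unambiguous reason.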


Disclaimer: the technical posts on this site follow the CC BY-SA 4.0 license. If you need to repost, please credit this site's URL or the original address. For any questions contact: yoyou2525@163.com.

粵ICP備18138465號  © 2020-2024 STACKOOM.COM