
c# - Azure App Service with user-assigned managed identity crashes the application

Reposted. Author: 行者123. Updated: 2023-12-02 07:44:39

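I have a VMSS and several App Services for which I want to use the same user-assigned managed service identity. For the VMSS, I can assign the identity and use it to retrieve secrets from Azure Key Vault with the following code: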

var client = new SecretClient(new Uri(KeyVault), new DefaultAzureCredential());
var secret = client.GetSecret("secret-name");

The App Services use ASP.NET Core 3.1, so the recommended way to access Key Vault secrets is:

var azureServiceTokenProvider = new AzureServiceTokenProvider("RunAs=App;AppId={client id for the user-assigned managed identity elided}");
var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
config.AddAzureKeyVault("https://{my vault name}.vault.azure.net/", keyVaultClient, new DefaultKeyVaultSecretManager());

Note that the connection string is derived from the "User-assigned identity for Azure resources" scenario in this documentation.

The snippet above throws the following exception:

2020-08-27T02:06:18.409648197Z Unhandled exception. System.ArgumentException: Connection string RunAs=App;AppId={client id ellided} is not valid. Must contain 'TenantId' attribute and it must not be empty.
2020-08-27T02:06:18.409681697Z at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderFactory.ValidateAttribute(Dictionary`2 connectionSettings, String attribute, String connectionString)
2020-08-27T02:06:18.409688597Z at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderFactory.Create(String connectionString, String azureAdInstance)
2020-08-27T02:06:18.409693297Z at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider..ctor(String connectionString, String azureAdInstance)
2020-08-27T02:06:18.409697797Z at API.Program.<>c.b__1_0(HostBuilderContext context, IConfigurationBuilder config) in /tmp/8d84a2d16145d21/API/Program.cs:line 25
2020-08-27T02:06:18.409703497Z at Microsoft.Extensions.Hosting.HostBuilder.BuildAppConfiguration()
2020-08-27T02:06:18.409707797Z at Microsoft.Extensions.Hosting.HostBuilder.Build()

When I add "TenantId" as requested, the message changes to:

Unhandled exception. System.ArgumentException: Connection string RunAs=App;AppId={client id elided};TenantId={tenant id elided} is not valid. Must contain at least one of CertificateStoreLocation or AppKey attributes.

Managed identities don't have certificates, and I am trying to use MSI to avoid adding secrets to code or application settings.

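I tried removing the "AppId" and "TenantId" parts of the connection string, per the "Managed identities for Azure resources" scenario, which results in the following exception: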

Unhandled exception. Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connection String: RunAs=App, Resource: https://vault.azure.net, Authority: https://login.windows.net/b905ac32-5779-4bab-ac34-a8445e89f9e4. Exception Message: Tried to get token using Managed Service Identity. Access token could not be acquired. MSI ResponseCode: BadRequest, Response: {"statusCode":400,"message":"Unable to load requested managed identity.","correlationId":"c8409322-357a-49d0-9686-453fb37cc4b4"}

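I think it is trying to load a system-assigned identity, which does not exist. I have confirmed via the Kudu console that a managed identity is configured for the (Linux) WebApp instance: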

  Kudu Remote Execution Console Type 'exit' to reset this console.
/home>env
MSI_ENDPOINT=[Managed identity has been configured. This value is not viewable in Kudu but is exposed to the app.]
IDENTITY_ENDPOINT=[Managed identity has been configured. This value is not viewable in Kudu but is exposed to the app.]
IDENTITY_HEADER=[Managed identity has been configured. This value is not viewable in Kudu but is exposed to the app.]
MSI_SECRET=[Managed identity has been configured. This value is not viewable in Kudu but is exposed to the app.]

Is there a problem with MSI+AppService+Linux, the documentation or both, the code samples, the configuration, or my code?

Best answer

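Note: Using Microsoft.Azure.Services.AppAuthentication with the new Key Vault SDK is no longer recommended. It is replaced by the new Azure Identity library DefaultAzureCredentials, which is available for .NET, Java, TypeScript and Python and should be used for all new development. More information can be found here: Authentication and the Azure SDK.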

The VMSS code you posted uses the new KeyVault SDK, which is fine.

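For the App Service, however, since you are still using the legacy SDK (assuming so from looking at your code), please check that you have the latest stable NuGet package Microsoft.Azure.Services.AppAuthentication explicitly added to your project (assuming you continue to use the legacy SDK for now).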

Also, I hope you have already added the user-assigned identity in the App Service blade.

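Added example, not part of the original question or answer: an ASP.NET Core 3.1 `Program.cs` that loads Key Vault secrets through the Azure Identity library the answer points to, selecting the user-assigned identity by its client ID. It assumes the `Azure.Identity` and `Azure.Extensions.AspNetCore.Configuration.Secrets` packages are referenced; the setting names `KeyVaultUri` and `ManagedIdentityClientId` and the empty `Startup` class are hypothetical.

```csharp
using System;
using Azure.Identity;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

public class Program
{
    public static void Main(string[] args) => CreateHostBuilder(args).Build().Run();

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((context, config) =>
            {
                // Read settings loaded so far (appsettings.json, App Service application settings).
                IConfigurationRoot built = config.Build();

                // Hypothetical setting names. Neither value is a secret: the client ID only
                // names which identity to use, it does not authenticate anything by itself.
                string vaultUri = built["KeyVaultUri"];
                string clientId = built["ManagedIdentityClientId"];

                // Fail at startup with a clear message instead of a token error later.
                if (string.IsNullOrWhiteSpace(vaultUri) || string.IsNullOrWhiteSpace(clientId))
                    throw new InvalidOperationException(
                        "KeyVaultUri and ManagedIdentityClientId must both be configured.");

                // Select the user-assigned identity by client ID. With no client ID the
                // managed identity source requests the system-assigned identity instead.
                var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
                {
                    ManagedIdentityClientId = clientId
                });

                // Overload from Azure.Extensions.AspNetCore.Configuration.Secrets.
                config.AddAzureKeyVault(new Uri(vaultUri), credential);
            })
            .ConfigureWebHostDefaults(web => web.UseStartup<Startup>());
}

// Placeholder so the file compiles on its own; a real application has its own Startup.
public class Startup
{
    public void Configure(IApplicationBuilder app) { }
}
```

The identity still needs permission to read secrets on the vault, and it must be attached to the App Service as the answer notes.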

Regarding c# - Azure App Service with user-assigned managed identity crashes the application, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/63608985/
