Azure 函数 key 保管库

Question

据我了解，只要我设置了对 KeyVault 的授权，我的函数就应该能够使用它来读取

@Microsoft.KeyVault(SecretUri=MYSECRETFULLURL)，我认为这会在运行时进行转换？

知道如何调试这个吗？

目前，正如我的功能所示，就是上面的内容，没有任何转换。

作为系统管理运行。

如果我调试，这就是我得到的:

但是，我可以看到我对 azure key Vault 的审核已被命中。

 public static async Task<IActionResult> Run(
            [HttpTrigger(AuthorizationLevel.Function, "post", Route = null)] HttpRequest req,
            ILogger log)
        {
            var accountToMoveFrom = System.Environment.GetEnvironmentVariable("accountToMonitor");
            log.LogCritical(accountToMoveFrom);
            var accessToken = System.Environment.GetEnvironmentVariable("accessToken");

}

Answer 1

添加最终分辨率:

确保您没有配置“授权应用程序”或 applicationId 设置。

From the documentation

在 Key Vault 中为您之前创建的应用程序标识创建访问策略。对此策略启用“获取” secret 权限。 请勿配置“授权应用程序”或 applicationId 设置，因为这与托管身份不兼容。

Note: Does your code actually work? Logging the value of a key is intercepted and is displayed as

@Microsoft.KeyVault(SecretUri=MYSECRETFULLURL) 

in logs to avoid sensitive configuration from KeyVault ending up inlog files that may reach a wider audience.

工作正常as per the docs (摘录如下)，还要仔细检查您是否有:

• 在函数应用上配置的托管服务身份 (MSI)
• 添加函数应用设置后重新启动函数应用
• 该函数的 MSI 有权访问相关 KeyVault，不是管理层面，而是访问策略。

• 如果您在 Visual Studio 中本地运行/调试，则需要为登录到 Visual Studio 的帐户授予 Key Vault 的权限，因为它是所显示的身份。

Sourcing Application Settings from Key Vault The Key Vault references feature makes it so that your app can work as if it wereusing App Settings as they have been, meaning no code changes arerequired. You can get all of the details from our Key Vault referencedocumentation, but I’ll outline the basics here.

This feature requires a system-assigned managed identity for your app.Later in this post I’ll be talking about user-assigned identities, butwe’re keeping these previews separate for now.

You’ll then need to configure an access policy on your Key Vault whichgives your application the GET permission for secrets. Learn how toconfigure an access policy.

Lastly, set the value of any application setting to a reference of thefollowing format:

@Microsoft.KeyVault(SecretUri=secret_uri_with_version)

Where secret_uri_with_version is the full URI for a secret in KeyVault. For example, this would be something like:https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931