如何使用Azure Functions中的Azure Key Vault(v2)

时间:2018-04-14 20:58:51

标签: azure azure-functions

我想使用Azure Functions中的Azure Key Vault(v2);
当我运行本地时,它可以工作,但是当我将此代码发布到Azure时:

try
{
    var vault_url = "https://mykeyvault.vault.azure.net/";
    var azureServiceTokenProvider = new AzureServiceTokenProvider();
    var kvClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback), client);

    fbAppSecret = (await kvClient.GetSecretAsync(vault_url, "facebook-appid-secret-...")).Value;
}
catch (Exception ex)
{
    error = ex.ToString();
}

它提供了一个包含此异常的异常(请检查您是否在具有MSI设置的Azure资源上运行。):

Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/66ad737e-d8cc-4ab3-abf0-feab50685d13. Exception Message: Tried the following 3 methods to get an access token, but none of them worked.
Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/66ad737e-d8cc-4ab3-abf0-feab50685d13. Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.
Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/66ad737e-d8cc-4ab3-abf0-feab50685d13. Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Visual Studio Token provider file not found at "D:\local\LocalAppData\.IdentityService\AzureServiceAuth\tokenprovider.json"
Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/66ad737e-d8cc-4ab3-abf0-feab50685d13. Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. 'az' is not recognized as an internal or external command,
operable program or batch file.


   at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider.<GetAccessTokenAsyncImpl>d__14.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at Microsoft.Azure.KeyVault.KeyVaultCredential.<PostAuthenticate>d__9.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at Microsoft.Azure.KeyVault.KeyVaultCredential.<ProcessHttpRequestAsync>d__10.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable.ConfiguredTaskAwaiter.GetResult()
   at Microsoft.Azure.KeyVault.KeyVaultClient.<GetSecretWithHttpMessagesAsync>d__65.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.<GetSecretAsync>d__11.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at ApelosUrgentesFunctionApp.MyFunctions.<Run>d__1.MoveNext() in C:\Users\tonyv\source\repos\siteApelosUrgentes\ApelosUrgentesFunctionApp\MyFunctions.cs:line 50

然后我找到了 MSI表示托管服务标识,可以在Azure功能门户上启用:

Managed Service Identity

但启用后,还有另一个异常:

Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Access denied
   at Microsoft.Azure.KeyVault.KeyVaultClient.<GetSecretWithHttpMessagesAsync>d__65.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.<GetSecretAsync>d__11.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at ApelosUrgentesFunctionApp.MyFunctions.<Run>d__1.MoveNext() in C:\Users\tonyv\source\repos\siteApelosUrgentes\ApelosUrgentesFunctionApp\MyFunctions.cs:line 50

我将Azure Functions App添加为Reader,后来又添加为Owner,但仍然获得

我添加了Azure Functions App作为所有者,但仍然获得

Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Access denied
at Microsoft.Azure.KeyVault.KeyVaultClient.<GetSecretWithHttpMessagesAsync>d__65.MoveNext()

IAM

我还添加了所有访问策略,但仍然获得了拒绝访问

AP AP2

检查了Kudu,AppSettings:

https://myfunctionapp.scm.azurewebsites.net/api/settings 

{"deployment_branch":"master","SCM_TRACE_LEVEL":"1","SCM_COMMAND_IDLE_TIMEOUT":"60","SCM_LOGSTREAM_TIMEOUT":"1800","SCM_BUILD_ARGS":"","aspnet:PortableCompilationOutput":"true","aspnet:PortableCompilationOutputSnapshotType":"Microsoft.Web.Compilation.Snapshots.SnapshotHelper, Microsoft.Web.Compilation.Snapshots, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","aspnet:DisableFcnDaclRead":"true","SCM_GIT_USERNAME":"windowsazure","SCM_GIT_EMAIL":"windowsazure","webpages:Version":"3.0.0.0","webpages:Enabled":"true","webactivator:assembliesToScan":"Kudu.Services.Web","MSDEPLOY_RENAME_LOCKED_FILES":"1","FUNCTIONS_EXTENSION_VERSION":"beta","ScmType":"None","WEBSITE_AUTH_ENABLED":"False","REMOTEDEBUGGINGVERSION":"15.0.26730.8","WEBSITE_DISABLE_MSI":"false","AzureWebJobsDashboard":"DefaultEndpointsProtocol=https;AccountName=functionapp;AccountKey=xQ","WEBSITE_CONTENTAZUREFILECONNECTIONSTRING":"DefaultEndpointsProtocol=https;AccountName=functionapp;AccountKey=xq","WEBSITE_CONTENTSHARE":"apelosurgentesfunctionapp","WEBSITE_SLOT_NAME":"Production","AzureWebJobsStorage":"DefaultEndpointsProtocol=https;AccountName=functionapp;AccountKey=xq","WEBSITE_SITE_NAME":"FunctionApp"}

如何解决这个问题?

4 个答案:

答案 0 :(得分:2)

我在你的照片中找到的一个细节是访问政策,你有&#34; application + application&#34;在您的服务负责人之下。

您是否可以删除服务主体并仅使用服务主体中的应用程序将其添加回来,将授权应用程序留空

如本文所示:

https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault#authentication-using-azure-active-directory

当您使用授权应用程序时,对于必须代表已登录用户访问的应用程序,因此代表其自身工作的应用程序无法按预期工作。

答案 1 :(得分:1)

  

为什么它在localhost上开箱即用,但在已发布的版本上我必须遵循所有这些步骤?

您可以参考Azure Services Authentication Extension以获取有关它如何在localhost上运行的更多信息。它使用您的登录帐户,您的帐户可以访问Azure密钥保管库资源。

enter image description here

如果将其发布到Azure功能,则可以使用Azure MSI功能,它将自动注册Azure AD应用程序。然后我们还需要允许权限访问KeyVault。

我也在我这边测试,它工作正常。请确保在您的情况下正确启用了MSI。您可以使用Azure kudu工具检查 MSI_SECRET MSI_ENDPOINT

答案 2 :(得分:1)

请使用AzureServiceTokenProvider的 PrincipalUsed 属性来检查用于进行身份验证的 AppId ,或者换句话说,正在使用的托管服务标识是什么。事实上你得到了“拒绝访问”#34;表示可以获取访问令牌,但MSI无权访问Key Vault。您确实授予了服务主体的访问权限,但很可能不是正确的访问权限。使用 PrincipalUsed 中返回的 AppId 来搜索&#34; Service Principal&#34;使用密钥保管库&#34;访问政策&#34;。

答案 3 :(得分:0)

这是使用Azure Functions的当前简便方法 https://docs.microsoft.com/en-gb/azure/app-service/app-service-key-vault-references

例如特定版本@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931)

例如获取最新版本(注意:斜杠!) @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/)

相关问题
最新问题