DefaultAzureCredential引发未知错误

时间:2020-10-16 16:41:51

标签: azure

我正在尝试设置一个Azure Webapp服务(使用docker)来使用用户管理的身份访问我的密钥库。我已经设置了一个用户管理的身份,将其分配给我的web应用程序,并为其提供了在我对其进行测试的密钥库中所需的访问策略(请参见下面的缩写设置)。

在webapp应用程序设置中,我包括了AZURE_CLIENT_ID的设置,该设置已设置为用户管理的身份的客户端ID,并将其注入环境变量中。

我的应用是节点,我正在使用@ azure / identity npm软件包中的DefaultAzureCredential:

const credential = new DefaultAzureCredential();

我也尝试过:

const credential = new DefaultAzureCredential({managedIdentityClientId: '27455443-73e6-4386-aef2-05c8be5586af'});

从我可以看到的所有内容来看,它应该可以正常工作,但是我总是会收到以下错误消息: 

AuthenticationError: ManagedIdentityCredential authentication failed.(status code 400).
More details:
unknown_error(status code 400).
More details:
An unknown error occurred and no additional details are available.
    at ManagedIdentityCredential.<anonymous> (/usr/src/app/node_modules/@azure/identity/dist/index.js:1077:23)
    at Generator.throw (<anonymous>)
    at rejected (/usr/src/app/node_modules/tslib/tslib.js:112:69)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)

任何建议将不胜感激。

应用程序服务标识设置(缩写):

            "identity": {
                "type": "UserAssigned",
                "userAssignedIdentities": {
                    "/subscriptions/f3f6b1b3-6e32-4fe1-ac75-41f1b2c8731f/resourcegroups/keyVaultAccess/providers/Microsoft.ManagedIdentity/userAssignedIdentities/accesstokeyvault": {
                        "principalId": "46eeaff7-d686-4a07-8471-90a6f892a1b4",
                        "clientId": "27455443-73e6-4386-aef2-05c8be5586af"
                    }
                }
            },

密钥库访问策略(缩写):

                    {
                        "tenantId": "26332e31-5b20-48a7-b449-cdae84c6c7df",
                        "objectId": "46eeaff7-d686-4a07-8471-90a6f892a1b4",
                        "permissions": {
                            "keys": [
                                "Get",
                                "List",
                                "Update",
                                "Create",
                                "Import",
                                "Delete",
                                "Recover",
                                "Backup",
                                "Restore"
                            ],
                            "secrets": [
                                "Get",
                                "List",
                                "Set",
                                "Delete",
                                "Recover",
                                "Backup",
                                "Restore"
                            ],
                            "certificates": [
                                "Get",
                                "List",
                                "Update",
                                "Create",
                                "Import",
                                "Delete",
                                "Recover",
                                "Backup",
                                "Restore",
                                "ManageContacts",
                                "ManageIssuers",
                                "GetIssuers",
                                "ListIssuers",
                                "SetIssuers",
                                "DeleteIssuers"
                            ]
                        }
                    },

用户管理的身份:

    "contentVersion": "1.0.0.0",
    "parameters": {
        "userAssignedIdentities_accesstokeyvault_name": {
            "defaultValue": "accesstokeyvault",
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
            "apiVersion": "2018-11-30",
            "name": "[parameters('userAssignedIdentities_accesstokeyvault_name')]",
            "location": "westus"
        }
    ]
}

1 个答案:

答案 0 :(得分:0)

我可能已经想通了。我没有在函数中使用 managedIdentityClientId,而是将环境变量 AZURE_CLIENT_ID 设置为我的用户托管标识的客户端 ID,这似乎有效。

我有一段时间没有研究这个,所以不能确定是什么修复了它,但如果你遇到这个问题,它可能是你想要尝试的东西。

相关问题
最新问题