从应用程序服务到Azure密钥存储库的身份验证失败
我试图使用系统分配的应用程序服务标识从应用程序服务(Web API)向Azure密钥库进行身份验证。在Azure Key Vault中,我创建了一个an access策略,该策略允许应用程序服务访问密钥、机密和证书(稍后将对此进行限制!)。
请注意,使用服务主体对同一个密钥库进行身份验证没有问题,但是使用托管标识的想法当然是为了避免在任何地方存储客户机ID和secret之类的凭据
var azureServiceTokenProvider = new AzureServiceTokenProvider();
string accessToken = await azureServiceTokenProvider.GetAccessTokenAsync(VaultUrl);
Client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
异常消息:
Parameters: Connection String: [No connection string specified], Resource: https://efipsexternals.vault.azure.net/, Authority: . Exception Message: Tried the following 4 methods to get an access token, but none of them worked.\r\nParameters: Connection String: [No connection string specified], Resource: https://<VAULTNAME>.vault.azure.net/, Authority: . Exception Message: Tried to get token using Managed Service Identity. Access token could not be acquired. Received a non-retryable error. MSI ResponseCode: BadRequest, Response: {\"ExceptionMessage\":\"AADSTS500011: The resource principal named https://<VAULTNAME>.vault.azure.net/ was not found in the tenant named <TENANTID>. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\\r\\nTrace ID: 52674a60-5e9c-432c-b999-e13e326f2000\\r\\nCorrelation ID: b335c7b2-2f38-4cc0-9ec3-6662c7ee5546\\r\\nTimestamp: 2019-10-27 10:58:52Z\",\"ErrorCode\":\"invalid_resource\",\"ServiceErrorCodes\":[\"500011\"],\"StatusCode\":400,\"Message\":null,\"CorrelationId\":\"102c92f1-525a-44ee-a383-d7e40ccd2ed4\"}\r\nParameters: Connection String: [No connection string specified], Resource: https://<VAULTNAME>.vault.azure.net/, Authority: . Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Visual Studio Token provider file not found at \"D:\\local\\LocalAppData\\.IdentityService\\AzureServiceAuth\\tokenprovider.json\"\r\nParameters: Connection String: [No connection string specified], Resource: https://<VAULTNAME>.vault.azure.net/, Authority: . Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. 'az' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n\r\nParameters: Connection String: [No connection string specified], Resource: https://<VAULTNAME>.vault.azure.net/, Authority: https://login.microsoftonline.com/common. Exception Message: Tried to get token using Active Directory Integrated Authentication. Access token could not be acquired. Failed to get user name from the operating system.Inner Exception : The format of the specified domain name is invalid\r\n
共有1个答案
要为azure key vault获取具有托管标识的访问令牌,只需:
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
代码字符串accessToken=await AzureserviceTokenProvider.getAccessStokenAsync(VaultUrl);在这里不是必需的,它应该是问题的根本原因。您可以将keyvault url作为参数传递给它,这在这里是不合适的。访问keyvault API的正确方法是:https://vault.azure.com/。如果要使用这段代码,可以按照以下方式进行:
public static async Task<string> AuthenticationCallback(string authority, string resource, string scope)
{
Console.WriteLine($"authority:{authority}, resource:{resource}, scope:{scope}");
return new AzureServiceTokenProvider().GetAccessTokenAsync(resource).Result;
}
static void Main(string[] args)
{
Console.ReadLine();
string baseUrl = "your keyvault url, for example: https://jackkv.vault.azure.net/";
KeyVaultClient kvc = new KeyVaultClient(AuthenticationCallback);
SecretBundle secret = kvc.GetSecretAsync(baseUrl, "testSecret").Result;
Console.WriteLine(secret.Value);
Console.ReadLine();
}
-
为此挣扎了一天,终于寻求帮助了。我试图使用Azure密钥库在Typescript应用程序中存储一些配置。我在Azure Active Directory中创建了一个服务原则和一个密钥库。在Key Vault中,我进入了角色分配,并给了应用程序角色Key Vault秘密用户(应该提供列表和读取权限)。据我所知,我的应用程序正在成功地进行身份验证,但当它请求一个秘密时,它得到了一个403。我会漏掉哪一
-
我的webapp是用。NET核心并部署在Azure中。我已启用Azure应用程序服务身份验证,并将其配置为使用Azure Active Directory。当我访问webapp时,我确实会被重定向到正确的登录页面。登录后,我可以浏览到endpoint。对我进行身份验证,并查看是否存在针对我的用户的声明。我还可以验证下面的请求标头是否存在值: X-MS-TOKEN-AAD-ID-TOKEN X-MS
-
我在尝试将文件上载到blob存储时遇到此错误。在本地主机上运行和在Azure函数中运行时都会出现错误。 我的连接字符串如下所示:DefaultEndpoint sProtocol=https; AcCountName=xxx; AcCountKey=xxx; Endpoint Suffix=core.windows.net 身份验证信息的格式不正确。检查授权标头的值。时间:2021 10月14日1
-
我在Azure App Service中部署了一个spring boot应用程序,该应用程序使用用户管理的身份访问Azure Key Vault。 我遵循了以下提到的步骤: 创建了用户管理标识 在Azure app Service中部署了spring boot app 通过身份选项将新创建的用户管理身份添加到应用程序服务中 在应用程序服务中IAM的角色分配下添加用户托管标识为所有者角色 创建Azu
-
我试图设置一个Python Azure函数,该函数将使用托管标识从密钥库检索机密。我已经给了我的函数应用程序的托管身份权限,以访问和检索密钥库中的秘密。我已经根据下面的Microsoft文档对Python脚本进行了这样的配置: https://docs.microsoft.com/en-us/python/api/overview/azure/key-vault?view=azure-python