I have a Key Vault that holds my secrets. I have an Azure Function App with a system-assigned identity, and that identity has "Get" secret permission on this Key Vault.
Below is my function code:
import logging
import json
import azure.functions as func
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

# Function-level key required on the HTTP trigger
app = func.FunctionApp(http_auth_level=func.AuthLevel.FUNCTION)

@app.route(route="http_trigger")
def http_trigger(req: func.HttpRequest) -> func.HttpResponse:
    logging.info('Python HTTP trigger function processed a request.')

    # Get a credential object; in the Function App this resolves to the
    # system-assigned managed identity
    credential = DefaultAzureCredential()

    # Create a SecretClient using the Key Vault URL and credential
    vault_url = "https://xxxx.vault.azure.net/"
    secret_client = SecretClient(vault_url=vault_url, credential=credential)

    # Retrieve the secret from Key Vault
    try:
        secret_value = secret_client.get_secret("xxxx").value
        # Demonstration only: this echoes the secret value back to the HTTP caller
        response_message = {"message": f"Secret retrieved from Key Vault: {secret_value}"}
        return func.HttpResponse(json.dumps(response_message), mimetype="application/json")
    except Exception as e:
        # Surface the SDK error text (this is where the Key Vault firewall denial below appears)
        response_message = {"error": str(e)}
        return func.HttpResponse(json.dumps(response_message), status_code=500, mimetype="application/json")
Response returned by the function:
{
    "error": "(Forbidden) Client address is not authorized and caller is not a trusted service.\r\nClient address: 51.xx.xx.46\r\nCaller:....Code: Forbidden\nMessage: Client address is not authorized and caller is not a trusted service.\r\nClient address: 51.xx.xx.46\r\nCaller: ..Inner error: {\n \"code\": \"ForbiddenByFirewall\"\n}"
}
@Daredevil Thanks for your comment.
I ran into the same error, shown below:
Note:
Make sure to add the above IP address in the firewall settings.
I added the above IP address to the Key Vault firewall settings, as shown below:
Code:
import logging
import json
import azure.functions as func
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

app = func.FunctionApp(http_auth_level=func.AuthLevel.FUNCTION)

@app.route(route="http_trigger")
def http_trigger(req: func.HttpRequest) -> func.HttpResponse:
    logging.info('Python HTTP trigger function processed a request.')

    # Managed identity of the Function App when deployed; local developer
    # credentials when run from the dev machine
    credential = DefaultAzureCredential()
    vault_url = "https://<keyvault_name>.vault.azure.net/"
    secret_client = SecretClient(vault_url=vault_url, credential=credential)

    try:
        secret_value = secret_client.get_secret("<secret_name>").value
        response_message = {"message": f"Secret retrieved from Key Vault: {secret_value}"}
        return func.HttpResponse(json.dumps(response_message), mimetype="application/json")
    except Exception as e:
        response_message = {"error": str(e)}
        return func.HttpResponse(json.dumps(response_message), status_code=500, mimetype="application/json")
requirements.txt:
azure-functions
azure-identity
azure-keyvault-secrets
Output:
It ran successfully, as follows:
Browser output:
Then I deployed the above code to the Function App, as shown below:
Azure portal:
I added the above IP address to the Key Vault below:
Azure portal output:
It ran successfully and retrieved the secret from the Key Vault, as shown below.
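The error in the question is the important detail: the inner code is ForbiddenByFirewall, so the request was rejected by the Key Vault network rules before any access-policy or RBAC check ran, and the "Get" permission on the identity is irrelevant until the network path is fixed. As an added example (not code from the question or the answer above), the following triage helper parses the flattened error string the SDK returns, distinguishes a firewall denial from a permission denial, and turns the egress addresses into the /32 rules the vault firewall accepts. It goes slightly beyond the single address shown in the error: a Function App can send traffic from any address in its possibleOutboundIpAddresses property, so it also derives rules from that comma-separated list. The sample error strings are constructed after the message in the question, with RFC 5737 documentation addresses in place of real egress IPs; the AccessDenied sample approximates Key Vault's wording and only its inner code is relied on.

```python
"""
Triage a Key Vault 403 from its error text and derive the firewall rules to add.

Added example; not code from the question or the answer. Sample error strings are
constructed after the message in the question, using documentation IP addresses
(RFC 5737) instead of real Function App egress IPs. Nothing here calls Azure.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample 1: the shape of the message in the question (firewall denial).
SAMPLE_FIREWALL_ERROR = (
    "(Forbidden) Client address is not authorized and caller is not a trusted service.\r\n"
    "Client address: 203.0.113.46\r\n"
    "Caller: ...\r\n"
    "Code: Forbidden\nMessage: Client address is not authorized and caller is not a trusted service.\r\n"
    "Client address: 203.0.113.46\r\n"
    "Caller: ...\r\n"
    'Inner error: {\n  "code": "ForbiddenByFirewall"\n}'
)

# Constructed sample 2: the caller reaches the vault but lacks the secret permission.
# The wording approximates Key Vault's; only the inner code is relied on below.
SAMPLE_ACCESS_DENIED_ERROR = (
    "(Forbidden) The user, group or application does not have secrets get permission on key vault.\n"
    "Code: Forbidden\n"
    'Inner error: {\n  "code": "AccessDenied"\n}'
)

_HTTP_CODE_RE = re.compile(r"^\((\w+)\)")
_CLIENT_IP_RE = re.compile(r"Client address:\s*([0-9a-fA-F.:]+)")
_INNER_CODE_RE = re.compile(r'Inner error:\s*\{[^}]*"code"\s*:\s*"([A-Za-z]+)"')


@dataclass(frozen=True)
class KeyVaultDenial:
    http_code: Optional[str]   # e.g. "Forbidden"
    inner_code: Optional[str]  # e.g. "ForbiddenByFirewall" or "AccessDenied"
    client_ips: tuple          # distinct, valid egress IPs named in the message


def parse_keyvault_error(text: str) -> KeyVaultDenial:
    """Extract the structured parts of the SDK's flattened error string."""
    http = _HTTP_CODE_RE.match(text)
    inner = _INNER_CODE_RE.search(text)
    ips: List[str] = []
    for m in _CLIENT_IP_RE.finditer(text):
        try:
            ip = str(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue  # redacted or garbled address such as "51.xx.xx.46"
        if ip not in ips:
            ips.append(ip)  # the message repeats the address; keep one copy
    return KeyVaultDenial(
        http_code=http.group(1) if http else None,
        inner_code=inner.group(1) if inner else None,
        client_ips=tuple(ips),
    )


def firewall_rules(ips) -> List[str]:
    """Turn egress addresses into the /32 IPv4 rules Key Vault's firewall accepts."""
    rules = set()
    for raw in ips:
        ip = ipaddress.ip_address(raw.strip())
        if ip.version != 4:
            raise ValueError(f"Key Vault IP rules are IPv4 only: {raw}")
        rules.add(f"{ip}/32")
    return sorted(rules, key=ipaddress.ip_network)


def rules_from_possible_outbound(csv: str) -> List[str]:
    """
    The error names only the IP this request happened to use. A Function App may egress
    from any address in its possibleOutboundIpAddresses property (a comma-separated
    string in 'az functionapp show' output), so allow-list all of them, not just one.
    """
    return firewall_rules(p for p in csv.split(",") if p.strip())


def remediation(denial: KeyVaultDenial) -> str:
    """Map the inner error code to the fix that actually addresses it."""
    if denial.inner_code == "ForbiddenByFirewall":
        rules = ", ".join(firewall_rules(denial.client_ips)) or "(no address in message)"
        return ("Network: the vault firewall rejected the caller before authorization ran. "
                f"Allow the app's outbound IPs ({rules} at minimum, ideally every address in "
                "possibleOutboundIpAddresses), or reach the vault over a VNet/private endpoint.")
    if denial.inner_code == "AccessDenied":
        return ("Authorization: the request reached the vault but the identity lacks the 'Get' "
                "secret permission. Grant it via access policy or Azure RBAC; firewall rules will not help.")
    return f"Unrecognised Key Vault error (code={denial.inner_code!r}); inspect the full message."


def triage(error_text: str) -> str:
    return remediation(parse_keyvault_error(error_text))


if __name__ == "__main__":
    print(triage(SAMPLE_FIREWALL_ERROR))
    print(triage(SAMPLE_ACCESS_DENIED_ERROR))
```

The two branches matter because the fixes are disjoint: adding an IP rule does nothing for an AccessDenied, and granting more permissions does nothing for a ForbiddenByFirewall. Also note that allowing public egress IPs only narrows the vault to whatever else shares those addresses; a VNet integration with a private endpoint or service endpoint removes the public IP rules entirely.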