Azure 功能：尝试访问 Azure Key Vault 时，客户端地址未经授权且调用者不是受信任的服务

Question

我有一个钥匙库，里面有我的秘密。我有一个具有系统分配身份的 Azure 函数应用程序，该身份对此 keyvault 具有“获取”秘密访问权限。

下面是我的功能代码

import logging
import json
import azure.functions as func
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

app = func.FunctionApp(http_auth_level=func.AuthLevel.FUNCTION)

@app.route(route="http_trigger")
def http_trigger(req: func.HttpRequest) -> func.HttpResponse:
    logging.info('Python HTTP trigger function processed a request.')

    # Get a credential object using Managed Identity
    credential = DefaultAzureCredential()

    # Create a SecretClient using the Key Vault URL and credential
    vault_url = "https://xxxx.vault.azure.net/"
    secret_client = SecretClient(vault_url=vault_url, credential=credential)

    # Retrieve the secret from Key Vault
    try:
        secret_value = secret_client.get_secret("xxxx").value
        response_message = {"message": f"Secret retrieved from Key Vault: {secret_value}"}
        return func.HttpResponse(json.dumps(response_message), mimetype="application/json")
    except Exception as e:
        response_message = {"error": str(e)}
        return func.HttpResponse(json.dumps(response_message), status_code=500, mimetype="application/json")

下面是 keyvault 上的防火墙配置

{
"error": "(Forbidden) Client address is not authorized and caller is not a trusted service.\r\nClient address: 51.xx.xx.46\r\nCaller:....Code: Forbidden\nMessage: Client address is not authorized and caller is not a trusted service.\r\nClient address: 51.xx.xx.46\r\nCaller: ..Inner error: {\n    \"code\": \"ForbiddenByFirewall\"\n}"
}

Answer 1

@Daredevil 感谢您的评论。

我遇到了以下相同的错误：

enter image description here

注意：

确保在防火墙设置中添加上述IP地址。

我将上述 IP 地址添加到 Key Vault 防火墙设置中，如下所示：

enter image description here

代码：

import logging
import json
import azure.functions as func
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

app = func.FunctionApp(http_auth_level=func.AuthLevel.FUNCTION)

@app.route(route="http_trigger")
def http_trigger(req: func.HttpRequest) -> func.HttpResponse:
    logging.info('Python HTTP trigger function processed a request.')

    credential = DefaultAzureCredential()

    vault_url = "https://<keyvault_name>.vault.azure.net/"
    secret_client = SecretClient(vault_url=vault_url, credential=credential)

    try:
        secret_value = secret_client.get_secret("<secret_name>").value
        response_message = {"message": f"Secret retrieved from Key Vault: {secret_value}"}
        return func.HttpResponse(json.dumps(response_message), mimetype="application/json")
    except Exception as e:
        response_message = {"error": str(e)}
        return func.HttpResponse(json.dumps(response_message), status_code=500, mimetype="application/json")

要求.txt：

azure-functions
azure-identity
azure-keyvault-secrets

输出：

运行成功如下，

enter image description here

浏览器输出：

enter image description here

然后，我将上面的代码部署到函数应用程序中，如下所示：

enter image description here

Azure 门户：

enter image description here

我将上面的IP地址添加到下面的密钥库中，

enter image description here

Azure 门户输出：

它成功运行并从密钥库中检索了秘密，如下所示。

enter image description here

Azure 功能：尝试访问 Azure Key Vault 时，客户端地址未经授权且调用者不是受信任的服务

问题描述投票：0回答：1

1个回答

最新问题

Azure 功能：尝试访问 Azure Key Vault 时，客户端地址未经授权且调用者不是受信任的服务

问题描述 投票：0回答：1

1个回答

最新问题

问题描述投票：0回答：1