容器的App Service中缺少Azure管理的服务身份端点

问题描述 投票:0回答:1

我正在尝试使用docker-compose预览版将我的应用程序部署到容器的Azure应用服务。部署配置如下:

version: "3.7"
services:
  auth:
    image: myorg/myimage
    environment:
      - MyOrg__Hosting__PathBase=/auth
      - ASPNETCORE_FORWARDEDHEADERS_ENABLED=true
      - ConnectionStrings__AuthenticationDatabase
  # other services not important for this question

在此部署中,我需要访问Azure密钥保险柜,根据the documentation,我已通过密钥保险柜配置提供程序集成了我的应用程序,与该Azure密钥保险柜集成:

var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(
    new KeyVaultClient.AuthenticationCallback(
        azureServiceTokenProvider.KeyVaultTokenCallback));

    config.AddAzureKeyVault(
        $"https://{builtConfig["KeyVault:Name"]}.vault.azure.net/",
        keyVaultClient,
        DefaultKeyVaultSecretManager());

我的Azure Key Vault具有适当的访问策略集,从Kudu页面看来,MSI_ENDPOINTMSI_SECRET环境变量似乎已在运行时环境中设置。但是,Key Vault配置提供程序多次失败,无法连接到Key Vault:

Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: 
Connection String: [No connection string specified], Resource: https://vault.azure.net, 
Authority: https://login.windows.net/6e5e63bd-f497-4f71-a6f4-9d29200a8a61. Exception 
Message: Tried the following 3 methods to get an access token, but none of them worked.
2020-02-21T18:27:27.024474350Z Parameters: 
Connection String: [No connection string specified], Resource: https://vault.azure.net, 
Authority: https://login.windows.net/6e5e63bd-f497-4f71-a6f4-9d29200a8a61. Exception 
Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.
2020-02-21T18:27:27.024479550Z Parameters: 
Connection String: [No connection string specified], Resource: https://vault.azure.net, 
Authority: https://login.windows.net/6e5e63bd-f497-4f71-a6f4-9d29200a8a61. Exception 
Message: Tried to get token using Visual Studio. Access token could not be acquired. Environment variable LOCALAPPDATA not set.
2020-02-21T18:27:27.024483550Z Parameters: 
Connection String: [No connection string specified], Resource: https://vault.azure.net, 
Authority: https://login.windows.net/6e5e63bd-f497-4f71-a6f4-9d29200a8a61. Exception 
Message: Tried to get token using Azure CLI. Access token could not be acquired. No such file or directory

这三种方法中的第一种清楚地表明MSI在某些领域不可用。

我从the documentation on Managed Identities中添加了一个用于调试目的的手动请求:

public static async Task<HttpResponseMessage> GetToken(string resource, string apiversion)
{
    HttpClient client = new HttpClient();
    var msiEndpoint = Environment.GetEnvironmentVariable("MSI_ENDPOINT") ?? "MSI_ENDPOINT is not set!";
    Log.Logger.Debug("MSI_ENDPOINT is {MsiEndpoint}", msiEndpoint);
    client.DefaultRequestHeaders.Add("Secret", Environment.GetEnvironmentVariable("MSI_SECRET"));
    return await client.GetAsync(String.Format("{0}/?resource={1}&api-version={2}", msiEndpoint, resource, apiversion));
}

而且我可以在我的应用程序日志中清楚地看到MSI_ENDPOINT is行-已设置,但为空或空白。调试请求抛出的InvalidOperationException支持此操作,指出“提供了无效的请求URI。该请求URI必须是绝对URI或必须设置BaseAddress。”

我尝试禁用和重新启用系统分配的身份,重新启动我的App Service,并仔细检查Key Vault访问策略,但无济于事。在这一点上,我认为我只能假设MSI_*环境变量没有在运行时传递给容器,并且我不确定为什么会这样。


更新:我现在也尝试在docker-compose配置的MSI_*映射中列出environment环境变量,但这也没有任何效果。

azure azure-keyvault azure-app-service-plans azure-managed-identity
1个回答
0
投票

关于您的问题,我认为您错过了容器Web应用程序的托管身份的两个步骤。

一个是您需要首先启用托管身份。例如,您使用分配给受管身份的类型系统。启用它是这样的:

enter image description here

然后环境变量MSI_ENDPOINTMSI_SECRET将显示如下:

enter image description here

另一个是,如果您需要使用托管身份来访问密钥库,则需要为您的托管身份授予足够的权限。您可以按照Assign a managed identity access to a resource by using the Azure portal中的步骤进行操作。

热门问题
推荐问题
最新问题