Not able to get classic web role using Service Principal in Azure

The code below works, and authentication succeeds. But when I try to authenticate using a Service Principal, authentication fails.

Working script:

var context = new AuthenticationContext(azureAdUrl + azureADTenant);
var credential = new UserPasswordCredential(azureUsername, azurePassword);
var authParam = new PlatformParameters(PromptBehavior.RefreshSession, null);
var tokenInfo = context.AcquireTokenAsync("https://management.core.windows.net/", azureADClientId, credential);

TokenCloudCredentials tokencreds = new TokenCloudCredentials(subscriptionId, tokenInfo.Result.AccessToken);

ComputeManagementClient computeClient = new ComputeManagementClient(tokencreds);
string deploymentName = computeClient.Deployments.GetBySlot(serviceName, DeploymentSlot.Production).Name;
string label = computeClient.Deployments.GetBySlot(serviceName, DeploymentSlot.Production).Label;

Not working:

AuthenticationFailed: The JWT token does not contain expected audience uri 'https://management.core.windows.net/'.

ClientCredential cc = new ClientCredential(applicationClientID, accessKey);
var context = new AuthenticationContext("https://login.windows.net/" + AzureTenantId);
var tokenInfo = context.AcquireTokenAsync("https://management.azure.com/", cc);

tokenInfo.Wait();

if (tokenInfo == null)
{
    throw new InvalidOperationException("Failed to obtain the JWT token");
}

TokenCloudCredentials tokencreds = new TokenCloudCredentials(subscriptionId, tokenInfo.Result.AccessToken);

ComputeManagementClient computeClient = new ComputeManagementClient(tokencreds);
string deploymentName = computeClient.Deployments.GetBySlot(serviceName, DeploymentSlot.Production).Name;

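I don't think it is possible to access classic Azure resources using a Service Principal.

Classic Azure resources are managed via the Service Management API, which does not have any notion of a Service Principal. It only supports tokens when the token is obtained for an Administrator or Co-Administrator.

You will need to use the username/password of an actual user to work with the Service Management API.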
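
To see which audience a token carries before it is handed to `TokenCloudCredentials`, the `aud` claim can be read from the token payload and compared with the URI quoted in the error message. This is an added example, not part of the original question or answers; the class and method names are hypothetical, it assumes `System.Text.Json` is available, and it reads claims for diagnosis without verifying the signature.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.Json;

static class TokenAudienceCheck // hypothetical helper, not part of any Azure SDK
{
    // Audience quoted in the AuthenticationFailed message on this page.
    const string ExpectedAudience = "https://management.core.windows.net/";

    // JWT segments are base64url without padding; restore both before decoding.
    static string DecodeSegment(string segment)
    {
        string s = segment.Replace('-', '+').Replace('_', '/');
        s = s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=');
        return Encoding.UTF8.GetString(Convert.FromBase64String(s));
    }

    // Reads "aud" (a string or an array of strings). Diagnostic only: no signature check.
    public static List<string> GetAudiences(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Expected header.payload.signature");
        using (JsonDocument doc = JsonDocument.Parse(DecodeSegment(parts[1])))
        {
            if (!doc.RootElement.TryGetProperty("aud", out JsonElement aud)) return new List<string>();
            return aud.ValueKind == JsonValueKind.Array
                ? aud.EnumerateArray().Select(a => a.GetString()).ToList()
                : new List<string> { aud.GetString() };
        }
    }

    public static bool HasExpectedAudience(string jwt) =>
        GetAudiences(jwt).Contains(ExpectedAudience, StringComparer.Ordinal);

    static string Encode(string json) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(json)).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static void Main()
    {
        // Constructed, unsigned sample tokens; a real one comes from tokenInfo.Result.AccessToken.
        string header = Encode("{\"alg\":\"none\"}");
        string arm = header + "." + Encode("{\"aud\":\"https://management.azure.com/\"}") + ".sig";
        string asm = header + "." + Encode("{\"aud\":\"https://management.core.windows.net/\"}") + ".sig";
        Console.WriteLine($"management.azure.com token matches: {HasExpectedAudience(arm)}");
        Console.WriteLine($"management.core.windows.net token matches: {HasExpectedAudience(asm)}");
    }
}
```

A matching audience only clears the error quoted in the question; per the answer above, the Service Management API still only accepts tokens obtained for an Administrator or Co-Administrator.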

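Based on your code, I tested it on my side and could encounter the same issue you described. Gaurav Mantri has provided a reasonable answer. As far as I know, for classic Azure services (ASM), you could refer to Authenticate using a management certificate and upload a management API certificate.

Here is my code snippet, you could refer to it: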

CertificateCloudCredentials credential = new CertificateCloudCredentials("<subscriptionId>", GetStoreCertificate("<thumbprint>"));
ComputeManagementClient computeClient = new ComputeManagementClient(credential);
string deploymentName = computeClient.Deployments.GetBySlot("<serviceName>", DeploymentSlot.Production).Name;

Result: