Unable to access Azure Vault from Azure Container Instance using System assigned identity
I am unable to access the vault from an Azure Container Instance deployed into a private network with a system-managed identity.
If I use a service principal to access the vault by passing the environment variables to the container, my code works fine.
https://docs.microsoft.com/en-us/azure/developer/python/azure-sdk-authenticate?tabs=bash
My code:
import os
import logging
from azure.keyvault.secrets import SecretClient
from azure.identity import DefaultAzureCredential

keyVaultName = 'XXXXXXX'
KVUri = "https://" + keyVaultName + ".vault.azure.net"
credential = DefaultAzureCredential()
client = SecretClient(vault_url=KVUri, credential=credential)

def secretVal(name):
    logging.debug("Retrieving the secret from vault for %s", name)
    val = client.get_secret(name)
    return val.value
Error:
2020-05-21:02:09:37,349 INFO [_universal.py:412] Request URL: 'http://169.254.169.254/metadata/identity/oauth2/token'
2020-05-21:02:09:37,349 INFO [_universal.py:413] Request method: 'GET'
2020-05-21:02:09:37,349 INFO [_universal.py:414] Request headers:
2020-05-21:02:09:37,349 INFO [_universal.py:417] 'Metadata': 'REDACTED'
2020-05-21:02:09:37,349 INFO [_universal.py:417] 'User-Agent': 'azsdk-python-identity/1.3.1 Python/3.8.3 (Linux-4.15.0-1082-azure-x86_64-with-glibc2.2.5)'
2020-05-21:02:09:37,352 DEBUG [connectionpool.py:226] Starting new HTTP connection (1): 169.254.169.254:80
Traceback (most recent call last):
File "/usr/local/lib/python3.8/site-packages/azure/identity/_credentials/default.py", line 105, in get_token
return super(DefaultAzureCredential, self).get_token(*scopes, **kwargs)
File "/usr/local/lib/python3.8/site-packages/azure/identity/_credentials/chained.py", line 71, in get_token
raise ClientAuthenticationError(message=error_message)
azure.core.exceptions.ClientAuthenticationError: No credential in this chain provided a token.
Attempted credentials:
EnvironmentCredential: Incomplete environment configuration. See https://aka.ms/python-sdk-identity#environment-variables for expected environment variables
ImdsCredential: IMDS endpoint unavailable
This issue seems similar to the one below.
https://github.com/Azure/azure-sdk-for-python/issues/8557
I tried delaying my code so that the metadata service would be available when the instance is created, using the command line below. But it still doesn't work.
--command-line "/bin/bash -c 'sleep 90; /usr/local/bin/python xxxx.py'"
Unfortunately, managed identity is not supported for Azure Container Instances when you create them in a virtual network. See the limitation:
You can't use a managed identity in a container group deployed to a virtual network.
ACI in a virtual network is currently in preview. All the limitations are shown here. So when in a VNet, use a service principal to authenticate; it is similar to managed identity, only presented differently.
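A pre-flight diagnostic for the credential chain in the question, added here as an example; it is not code from the question, the answer or the Azure SDK. It reproduces, without the SDK installed, the two checks that the first two members of the DefaultAzureCredential chain perform: whether the three environment variables EnvironmentCredential needs for a client secret are present, and whether the IMDS token endpoint from the traceback answers at all. Run inside the container it explains the "No credential in this chain provided a token" error before the real SecretClient is built. The `http_get` injection point, the `diagnose` function and the probe's api-version value are assumptions of this example, and the environment dicts in the test are constructed rather than taken from the page.

```python
import os
import socket
import urllib.request
import urllib.error
from urllib.parse import urlencode

# Variables EnvironmentCredential needs for client-secret authentication
# (listed at https://aka.ms/python-sdk-identity#environment-variables).
ENV_VARS = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")

# IMDS token endpoint as logged in the question's traceback; the api-version
# and the Key Vault resource string are assumptions of this example.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
KEY_VAULT_RESOURCE = "https://vault.azure.net"


def environment_credential_status(env):
    """Return (complete, missing) mirroring EnvironmentCredential's check.

    Only presence is tested; the secret's value is never logged or returned.
    """
    missing = [name for name in ENV_VARS if not env.get(name)]
    return (len(missing) == 0, missing)


def default_http_get(url, headers, timeout):
    """GET the URL and return the HTTP status code, or None if unreachable."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code          # endpoint answered, even if it refused the request
    except (urllib.error.URLError, socket.timeout, OSError):
        return None              # no route or timeout: "IMDS endpoint unavailable"


def imds_status(http_get=default_http_get, timeout=2.0):
    """Probe the IMDS token endpoint roughly the way ImdsCredential does.

    Any HTTP response (even 400/404) proves the endpoint is reachable; no
    response at all is what a container group inside a virtual network sees.
    """
    query = urlencode({"api-version": IMDS_API_VERSION,
                       "resource": KEY_VAULT_RESOURCE})
    status = http_get(f"{IMDS_TOKEN_URL}?{query}", {"Metadata": "true"}, timeout)
    return "available" if status is not None else "unavailable"


def diagnose(env, http_get=default_http_get):
    """Report which chain member DefaultAzureCredential could succeed with."""
    complete, missing = environment_credential_status(env)
    if complete:
        return "EnvironmentCredential: service principal configured via environment"
    if imds_status(http_get) == "available":
        return "ImdsCredential: managed identity endpoint reachable"
    return ("No credential available. EnvironmentCredential is missing "
            + ", ".join(missing)
            + "; ImdsCredential: IMDS endpoint unavailable (expected for a "
              "container group deployed to a virtual network)")


if __name__ == "__main__":
    # Reads the real container environment and probes the real endpoint.
    print(diagnose(os.environ))
```

When the diagnostic reports the IMDS endpoint as unavailable, the answer's workaround applies: supply the three variables to the container group as secure environment variables so the client secret is not exposed in the container group's properties, and the chain will stop at EnvironmentCredential without ever contacting IMDS. The script only ever prints variable names, never their values.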