使用 ManagedIdentity 访问 AzureKeyVaults 会抛出偶发异常
Accessing AzureKeyVaults using ManagedIdentity throws sporadic exception
我正在尝试从部署在 AppService 上的 .NET Framework 应用程序访问 AzureKeyVaults。它通常可以工作,但是当我转储 AppService 日志时,每隔几个小时就会出现以下异常:
<Data>TargetInvocationException</Data><Data>Exception has been thrown by the target of an invocation.
at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at Owin.Loader.DefaultLoader.<>c__DisplayClass19_1.<MakeDelegate>b__0(IAppBuilder builder)
at Owin.Loader.DefaultLoader.<>c__DisplayClass9_0.<LoadImplementation>b__0(IAppBuilder builder)
at Microsoft.Owin.Host.SystemWeb.OwinAppContext.Initialize(Action`1 startup)
at Microsoft.Owin.Host.SystemWeb.OwinBuilder.Build(Action`1 startup)
at Microsoft.Owin.Host.SystemWeb.OwinHttpModule.InitializeBlueprint()
at System.Threading.LazyInitializer.EnsureInitializedCore[T](T& target, Boolean& initialized, Object& syncLock, Func`1 valueFactory)
at Microsoft.Owin.Host.SystemWeb.OwinHttpModule.Init(HttpApplication context)
at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers)
at System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context)
at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context)
at System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext)
Parameters: Connection String: RunAs=App;, Resource: https://vault.azure.net, Authority: https://login.windows.net/###obfuscated_guid###. Exception Message: Tried to get token using Managed Service Identity. Access token could not be acquired. An error occurred while sending the request.
这是我的代码导致的:
var azureServiceTokenProvider = new AzureServiceTokenProvider("RunAs=App;");
var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
keyVaults.ForEach(keyVault => configurationBuilder.AddAzureKeyVault(
$"https://{keyVault}.vault.azure.net/",
keyVaultClient,
new DefaultKeyVaultSecretManager()));
我正在尝试以这种方式加载两个密钥保管库。两者都配置了允许我的 AppService 调用它们的访问策略(获取和列出机密的权限)。我还为我的 AppService 启用了“系统分配的身份”。
请问您对如何解决这个问题有什么建议吗?提前致谢!
感谢大家的评论,
答案比我预期的要简单得多。我向 AppService 添加了 preprod 插槽,并且我假设配置以及托管身份配置会自动复制。可惜不是。
将托管标识添加到预生产槽并将预生产槽添加到 KeyVault 中的策略解决了该问题。
我正在尝试从部署在 AppService 上的 .NET Framework 应用程序访问 AzureKeyVaults。它通常可以工作,但是当我转储 AppService 日志时,每隔几个小时就会出现以下异常:
<Data>TargetInvocationException</Data><Data>Exception has been thrown by the target of an invocation.
at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at Owin.Loader.DefaultLoader.<>c__DisplayClass19_1.<MakeDelegate>b__0(IAppBuilder builder)
at Owin.Loader.DefaultLoader.<>c__DisplayClass9_0.<LoadImplementation>b__0(IAppBuilder builder)
at Microsoft.Owin.Host.SystemWeb.OwinAppContext.Initialize(Action`1 startup)
at Microsoft.Owin.Host.SystemWeb.OwinBuilder.Build(Action`1 startup)
at Microsoft.Owin.Host.SystemWeb.OwinHttpModule.InitializeBlueprint()
at System.Threading.LazyInitializer.EnsureInitializedCore[T](T& target, Boolean& initialized, Object& syncLock, Func`1 valueFactory)
at Microsoft.Owin.Host.SystemWeb.OwinHttpModule.Init(HttpApplication context)
at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers)
at System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context)
at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context)
at System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext)
Parameters: Connection String: RunAs=App;, Resource: https://vault.azure.net, Authority: https://login.windows.net/###obfuscated_guid###. Exception Message: Tried to get token using Managed Service Identity. Access token could not be acquired. An error occurred while sending the request.
这是我的代码导致的:
var azureServiceTokenProvider = new AzureServiceTokenProvider("RunAs=App;");
var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
keyVaults.ForEach(keyVault => configurationBuilder.AddAzureKeyVault(
$"https://{keyVault}.vault.azure.net/",
keyVaultClient,
new DefaultKeyVaultSecretManager()));
我正在尝试以这种方式加载两个密钥保管库。两者都配置了允许我的 AppService 调用它们的访问策略(获取和列出机密的权限)。我还为我的 AppService 启用了“系统分配的身份”。
请问您对如何解决这个问题有什么建议吗?提前致谢!
感谢大家的评论,
答案比我预期的要简单得多。我向 AppService 添加了 preprod 插槽,并且我假设配置以及托管身份配置会自动复制。可惜不是。
将托管标识添加到预生产槽并将预生产槽添加到 KeyVault 中的策略解决了该问题。