Azure App Service with User-Assigned Managed Identity crashes application
I have a VMSS and several AppServices that I want to use the same user-assigned managed service identity. For the VMSS I can assign the identity and use it to retrieve secrets from Azure Key Vault with the following code:
using Azure.Identity;                    // DefaultAzureCredential
using Azure.Security.KeyVault.Secrets;   // SecretClient
var client = new SecretClient(new Uri(KeyVault), new DefaultAzureCredential()); // KeyVault holds the vault URI
var secret = client.GetSecret("secret-name");
The AppServices use ASP.NET Core 3.1, so the recommended way to access Key Vault secrets is:
using Microsoft.Azure.KeyVault;                          // KeyVaultClient
using Microsoft.Azure.Services.AppAuthentication;        // AzureServiceTokenProvider
using Microsoft.Extensions.Configuration.AzureKeyVault;  // AddAzureKeyVault, DefaultKeyVaultSecretManager
var azureServiceTokenProvider = new AzureServiceTokenProvider("RunAs=App;AppId={client id for the user-assigned managed identity elided}");
var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
config.AddAzureKeyVault("https://{my vault name}.vault.azure.net/", keyVaultClient, new DefaultKeyVaultSecretManager());
Note that the connection string comes from the 'User-assigned identity for Azure resources' scenario in this documentation.
The snippet above throws the following exception:
2020-08-27T02:06:18.409648197Z Unhandled exception. System.ArgumentException: Connection string RunAs=App;AppId={client id elided} is not valid. Must contain 'TenantId' attribute and it must not be empty.
2020-08-27T02:06:18.409681697Z at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderFactory.ValidateAttribute(Dictionary`2 connectionSettings, String attribute, String connectionString)
2020-08-27T02:06:18.409688597Z at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderFactory.Create(String connectionString, String azureAdInstance)
2020-08-27T02:06:18.409693297Z at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider..ctor(String connectionString, String azureAdInstance)
2020-08-27T02:06:18.409697797Z at API.Program.<>c.b__1_0(HostBuilderContext context, IConfigurationBuilder config) in /tmp/8d84a2d16145d21/API/Program.cs:line 25
2020-08-27T02:06:18.409703497Z at Microsoft.Extensions.Hosting.HostBuilder.BuildAppConfiguration()
2020-08-27T02:06:18.409707797Z at Microsoft.Extensions.Hosting.HostBuilder.Build()
When I add 'TenantId' as requested, the message becomes:
Unhandled exception. System.ArgumentException: Connection string RunAs=App;AppId={client id elided};TenantId={tenant id elided} is not valid. Must contain at least one of CertificateStoreLocation or AppKey attributes.
A managed identity has no certificate, and I am using MSI precisely to avoid adding secrets to the code or the application settings.
I have tried removing the 'AppId' and 'TenantId' parts of the connection string, following the 'Managed identities for Azure resources' scenario, which results in the following exception:
Unhandled exception. Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connection String: RunAs=App, Resource: https://vault.azure.net, Authority: https://login.windows.net/b905ac32-5779-4bab-ac34-a8445e89f9e4. Exception Message: Tried to get token using Managed Service Identity. Access token could not be acquired. MSI ResponseCode: BadRequest, Response: {"statusCode":400,"message":"Unable to load requested managed identity.","correlationId":"c8409322-357a-49d0-9686-453fb37cc4b4"}
I assume it is trying to load a system-assigned identity that does not exist. I have confirmed via the Kudu console that a managed identity is configured for the (Linux) WebApp instance:
Kudu Remote Execution Console Type 'exit' to reset this console.
/home>env
MSI_ENDPOINT=[Managed identity has been configured. This value is not viewable in Kudu but is exposed to the app.]
IDENTITY_ENDPOINT=[Managed identity has been configured. This value is not viewable in Kudu but is exposed to the app.]
IDENTITY_HEADER=[Managed identity has been configured. This value is not viewable in Kudu but is exposed to the app.]
MSI_SECRET=[Managed identity has been configured. This value is not viewable in Kudu but is exposed to the app.]
Is the problem with MSI+AppService+Linux, with the documentation, or both; with the code samples, the configuration, or my code?
Note: Microsoft.Azure.Services.AppAuthentication is no longer recommended for use with the new Key Vault SDK. It has been replaced by DefaultAzureCredential in the new Azure Identity library, available for .NET, Java, TypeScript and Python, which should be used for all new development. More information can be found here: Authentication and the Azure SDK.
The VMSS code you posted uses the new Key Vault SDK, which is good.
But for App Service, since you are still using the legacy SDK (judging by your code), please check that you have explicitly added the latest stable nuget of Microsoft.Azure.Services.AppAuthentication to your project (assuming you are staying on the legacy SDK for now).
Also, hopefully you have already added the user-assigned identity in the App Service Identity blade.
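Added example, not part of the question above: a small probe that calls the App Service managed-identity token endpoint directly, the way the SDKs do behind the connection string, so that a missing or unselected identity can be told apart from an SDK problem. It assumes it runs inside the App Service (the app itself or an SSH/Kudu session), where IDENTITY_ENDPOINT and IDENTITY_HEADER are injected, and it reads the user-assigned identity's client ID from an app setting named AZURE_CLIENT_ID, a name chosen for this example.

```csharp
// Added diagnostic (not from the original post): request a Key Vault token from the
// App Service identity endpoint, with and without selecting a user-assigned identity.
using System;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;

public static class ManagedIdentityProbe
{
    // Builds the token request URL. Passing clientId selects a user-assigned identity.
    // Leaving it null asks the platform for the system-assigned identity, which is what
    // yields "Unable to load requested managed identity" when only a user-assigned one exists.
    public static string BuildTokenUrl(string identityEndpoint, string resource, string clientId)
    {
        var url = $"{identityEndpoint}?resource={Uri.EscapeDataString(resource)}&api-version=2019-08-01";
        return clientId is null ? url : $"{url}&client_id={Uri.EscapeDataString(clientId)}";
    }

    public static async Task<int> Main(string[] args)
    {
        var endpoint = Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT");
        var header = Environment.GetEnvironmentVariable("IDENTITY_HEADER");
        if (endpoint is null || header is null)
        {
            Console.Error.WriteLine("IDENTITY_ENDPOINT/IDENTITY_HEADER are not set: no managed identity is enabled on this instance.");
            return 2;
        }

        // Hypothetical app setting (this example's name) holding the user-assigned identity's client ID.
        var clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");
        if (clientId is null)
            Console.Error.WriteLine("AZURE_CLIENT_ID not set; probing the system-assigned identity instead.");

        using var http = new HttpClient();
        using var request = new HttpRequestMessage(HttpMethod.Get, BuildTokenUrl(endpoint, "https://vault.azure.net", clientId));
        // The per-instance secret proves the caller is the app and not a random process on the host.
        request.Headers.Add("X-IDENTITY-HEADER", header);

        using var response = await http.SendAsync(request);
        var body = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode)
        {
            // A 400 here with "Unable to load requested managed identity" means the platform
            // could not find the identity that was asked for; fix the client_id or the assignment.
            Console.Error.WriteLine($"HTTP {(int)response.StatusCode}: {body}");
            return 1;
        }

        using var doc = JsonDocument.Parse(body);
        // Never print the access_token itself; client_id and expires_on are enough to confirm
        // which identity answered the request.
        var root = doc.RootElement;
        Console.WriteLine($"token issued for client_id={root.GetProperty("client_id")} expires_on={root.GetProperty("expires_on")}");
        return 0;
    }
}
```

Run it once with AZURE_CLIENT_ID set and once without: on an app that only has a user-assigned identity, the first call should succeed and the second should reproduce the 400 shown in the question, which localises the problem to identity selection rather than to the Key Vault access policy or the network.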
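Added example, not part of the answer above: the App Service side rewritten with the Azure.Identity and Azure.Security.KeyVault.Secrets packages the answer recommends, selecting the same user-assigned identity the VMSS uses. It assumes two app settings whose names are this example's choice, KeyVaultUri and ManagedIdentityClientId (the identity's client ID, not its object ID), and the Azure.Extensions.AspNetCore.Configuration.Secrets package for the configuration provider.

```csharp
// Added example (not the poster's or the answerer's code): user-assigned managed identity
// from App Service with Azure.Identity instead of Microsoft.Azure.Services.AppAuthentication.
using System;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

public static class Program
{
    // Selecting the user-assigned identity explicitly is the step the RunAs=App connection
    // string in the question did not achieve: without a client ID the platform looks for a
    // system-assigned identity and answers 400 when there is none.
    public static TokenCredential BuildCredential(string managedIdentityClientId) =>
        new DefaultAzureCredential(new DefaultAzureCredentialOptions
        {
            ManagedIdentityClientId = managedIdentityClientId
        });

    public static void Main(string[] args) => CreateHostBuilder(args).Build().Run();

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((context, config) =>
            {
                // Read the two hypothetical app settings from the providers registered so far.
                var settings = config.Build();
                var vaultUri = settings["KeyVaultUri"]
                    ?? throw new InvalidOperationException("App setting KeyVaultUri is missing.");
                var clientId = settings["ManagedIdentityClientId"]
                    ?? throw new InvalidOperationException("App setting ManagedIdentityClientId is missing.");

                var credential = BuildCredential(clientId);

                // Configuration provider from Azure.Extensions.AspNetCore.Configuration.Secrets;
                // replaces AddAzureKeyVault(url, KeyVaultClient, DefaultKeyVaultSecretManager).
                config.AddAzureKeyVault(new Uri(vaultUri), credential);

                // Direct read with the same credential, equivalent to the VMSS snippet in the question.
                var client = new SecretClient(new Uri(vaultUri), credential);
                KeyVaultSecret secret = client.GetSecret("secret-name");
                // Log metadata only, never the secret value.
                Console.WriteLine($"loaded secret '{secret.Name}' version {secret.Properties.Version}");
            });
}
```

Once the app is known to run only on App Service, `new ManagedIdentityCredential(clientId)` is the tighter choice: it drops DefaultAzureCredential's fallback chain (environment variables, developer tools), so a misconfigured identity fails fast instead of silently authenticating as whatever else happens to be available on the host.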