Using Managed Identity in Azure Batch to Authenticate with Key Vault using Python in a Batch Pool
I am trying to use the system-assigned managed identity of Azure Batch to access Azure Key Vault. I found some code online, but I do not know whether this is possible or whether the certificate route is the only option. I enabled the managed identity for the Batch account and added it to the Key Vault. However, when I try to obtain the managed identity from the Python SDK inside the Batch pool, it fails and I cannot connect to the Key Vault.
I have tried both the older azure-keyvault package (version 1.1.0) and the newer 4.0 version.
This is with the older Key Vault package, which gives an HTTPRequest error:
from azure.keyvault import KeyVaultClient  # legacy azure-keyvault 1.1.0 client
from msrestazure.azure_active_directory import MSIAuthentication

# Ask the node's managed identity for a token with the Key Vault audience
credentials = MSIAuthentication(resource='https://vault.azure.net')
kvclient = KeyVaultClient(credentials)
# Legacy signature: (vault base URL, secret name, secret version); "" selects the latest version
res = kvclient.get_secret("https://kv.vault.azure.net/", "secret", "").value
For the newer azure-keyvault package I used this:
from azure.keyvault.secrets import SecretClient
# DefaultAzureCredential was called below but never imported (NameError); import both
from azure.identity import DefaultAzureCredential, ManagedIdentityCredential

keyVaultName = "kv"
KVUri = f"https://{keyVaultName}.vault.azure.net"
# DefaultAzureCredential tries a chain of credentials, ManagedIdentityCredential among them
credential = DefaultAzureCredential()
client = SecretClient(vault_url=KVUri, credential=credential)
secretName = "secret"
retrieved_secret = client.get_secret(secretName)
But ManagedIdentityCredential cannot be found. This is part of the error:
SharedTokenCacheCredential.get_token failed: Shared token cache unavailable
VisualStudioCodeCredential.get_token failed: Failed to get Azure user details from Visual Studio Code.
AzureCliCredential.get_token failed: Please run 'az login' to set up an account
DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable. No identity has been assigned to this resource.
SharedTokenCacheCredential: Shared token cache unavailable
VisualStudioCodeCredential: Failed to get Azure user details from Visual Studio Code.
AzureCliCredential: Please run 'az login' to set up an account
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
Updated answer, 2021-02-17:
Managed identity on Batch pools is now in public preview in select regions. See this doc.
Original answer:
This scenario is currently not supported. Please read the documentation for this feature and the specific FAQ item at the bottom of the document that addresses it.
See also the UserVoice request.
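An added diagnostic (not code from the question or the answer) that a practitioner can run inside a Batch task to see why `ManagedIdentityCredential` reports "No identity has been assigned to this resource": it asks the node's Instance Metadata Service (IMDS) token endpoint directly, which is what azure-identity does under the hood, using only the standard library. The function names and the HTTP 400 body in the test are assumptions made for this example; a 400 from IMDS means the node itself carries no (matching) identity, regardless of what is enabled on the Batch account.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# IMDS token endpoint that ManagedIdentityCredential uses on Azure VMs
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_imds_request(resource, client_id=None):
    """Return (url, headers) for an IMDS token request.

    `resource` is the token audience (Key Vault: https://vault.azure.net).
    `client_id` selects a user-assigned identity; omit it for system-assigned.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # IMDS refuses requests without this header so forwarded/proxied requests cannot reach it
    return url, {"Metadata": "true"}


def classify_imds_response(status, body):
    """Map an IMDS status/body pair to a one-line diagnosis."""
    if status == 200:
        token = json.loads(body)
        return "identity available for %s" % token.get("resource", "?")
    if status == 400:
        # IMDS answers 400 when no identity (or none with that client_id) is attached;
        # azure-identity surfaces this as "No identity has been assigned to this resource"
        return "no identity assigned to this node (HTTP 400): %s" % body.strip()
    return "unexpected IMDS reply (HTTP %d): %s" % (status, body.strip())


def probe_managed_identity(resource="https://vault.azure.net", client_id=None, timeout=2):
    """Run inside a Batch task; returns a diagnosis string instead of a secret."""
    url, headers = build_imds_request(resource, client_id)
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_imds_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as exc:
        return classify_imds_response(exc.code, exc.read().decode())
    except (urllib.error.URLError, OSError) as exc:
        # No IMDS at all: not an Azure VM, or the node image blocks 169.254.169.254
        reason = getattr(exc, "reason", exc)
        return "IMDS unreachable: %s" % reason
```

Call `probe_managed_identity()` from a task on the pool node; a 200 confirms the pool identity is wired up, a 400 confirms the node has none.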