Can a "User Assigned Managed Identity" be used locally?
I am trying to use a User Assigned Managed Identity in one of our applications. I also read about the differences between System Assigned Managed Identity and User Assigned Managed Identity.
I am well aware that a System Assigned Managed Identity cannot be used locally, because you are assigning the identity to an Azure resource. What is not clear to me is whether a User Assigned Managed Identity can be used locally. The only thing I could find is:
In my scenario, I want to read some secrets from Azure Key Vault. I have created a user-assigned managed identity and configured an access policy on the Key Vault to give that identity the necessary permissions. Given that I am using this identity to access Azure Key Vault (which is an Azure resource), my expectation was that it should work regardless of where my code is running (using JetBrains Rider as my IDE).
However, when I try to do something like:
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// "managed-identity-id" stands for the client ID of the user-assigned identity.
var managedIdentityCredential = new ManagedIdentityCredential("managed-identity-id");
SecretClient secretClient = new(new Uri("https://mykeyvault.vault.azure.net/"), managedIdentityCredential);
KeyVaultSecret secret = await secretClient.GetSecretAsync(key);
When I run the code locally, I get an Azure.Identity.CredentialUnavailableException with the error message ManagedIdentityCredential authentication unavailable. No Managed Identity endpoint found:
Azure.Identity.CredentialUnavailableException: ManagedIdentityCredential authentication unavailable. No Managed Identity endpoint found.
at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex)
at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
at Azure.Identity.ManagedIdentityCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.AuthenticateRequestAsync(HttpMessage message, Boolean async, AuthenticationChallenge challenge)
at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.ProcessCoreAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
at Azure.Core.Pipeline.HttpPipeline.SendRequestAsync(Request request, CancellationToken cancellationToken)
at Azure.Security.KeyVault.KeyVaultPipeline.SendRequestAsync(Request request, CancellationToken cancellationToken)
at Azure.Security.KeyVault.KeyVaultPipeline.SendRequestAsync[TResult](RequestMethod method, Func`1 resultFactory, CancellationToken cancellationToken, String[] path)
at Azure.Security.KeyVault.Certificates.CertificateClient.GetCertificateAsync(String certificateName, CancellationToken cancellationToken)
Any insight on this would be greatly appreciated.

No. ManagedIdentityCredential does not support user-assigned managed identities in the local environment either. You should use DefaultAzureCredential for the code to work in the local environment. See the note here.
Note

The ManagedIdentityCredential works only in Azure environments of services that support managed identity authentication. It doesn't work in the local environment. Use DefaultAzureCredential for the code to work in both local and Azure environments as it will fall back to a few authentication options including managed identity. In case you want to use a user-assigned managed identity with the DefaultAzureCredential when deployed to Azure, specify the clientId.
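The pattern the answer recommends, written out as an added example (this is not code from the question, the answer or the Azure SDK documentation). It assumes placeholder values for the vault URL, the secret name and the user-assigned identity's client ID; the `Azure.Identity` and `Azure.Security.KeyVault.Secrets` packages are the real ones the question already uses. Locally, the managed identity step of the `DefaultAzureCredential` chain fails exactly as in the question's stack trace, but the chain then falls through to the developer credentials (Azure CLI, Visual Studio, VS Code, environment variables), so the same binary works in both places.

```csharp
// Added example: read a Key Vault secret with DefaultAzureCredential so the same
// code runs locally (developer sign-in) and in Azure (user-assigned managed identity).
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class KeyVaultReader
{
    // userAssignedClientId is the client ID of the user-assigned managed identity.
    // It only takes effect once the code runs on an Azure resource that has that
    // identity attached; locally the managed identity endpoint is absent and the
    // chain moves on to the next credential.
    public static TokenCredential BuildCredential(string? userAssignedClientId)
    {
        var options = new DefaultAzureCredentialOptions
        {
            // Selects the user-assigned identity among those attached to the resource.
            // If left null, DefaultAzureCredential reads AZURE_CLIENT_ID instead.
            ManagedIdentityClientId = userAssignedClientId,
            // Already the default; stated explicitly so a service process can never
            // pop a browser prompt or pick up an interactive login by accident.
            ExcludeInteractiveBrowserCredential = true,
        };
        return new DefaultAzureCredential(options);
    }

    public static async Task<string> ReadSecretAsync(Uri vaultUri, string secretName, string? userAssignedClientId)
    {
        var client = new SecretClient(vaultUri, BuildCredential(userAssignedClientId));
        KeyVaultSecret secret = await client.GetSecretAsync(secretName);
        return secret.Value;
    }

    public static async Task Main()
    {
        // Placeholder values (assumed for this example).
        var vaultUri = new Uri("https://mykeyvault.vault.azure.net/");
        const string secretName = "my-secret-name";
        // Conventional environment variable for the user-assigned identity's client ID;
        // unset locally, set on the Azure resource.
        string? clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");

        try
        {
            string value = await ReadSecretAsync(vaultUri, secretName, clientId);
            // Log a property of the secret, never the secret itself.
            Console.WriteLine($"Read secret '{secretName}' ({value.Length} characters).");
        }
        catch (CredentialUnavailableException ex)
        {
            // Thrown only when every credential in the chain was unavailable. Locally
            // this usually means no Azure CLI / IDE sign-in; the message lists what
            // each credential tried, which is the first thing to check.
            Console.Error.WriteLine($"No usable credential in the chain: {ex.Message}");
        }
    }
}
```

Locally, sign in once with `az login` (or the IDE's Azure sign-in) using an account that the Key Vault access policy also grants `Get` on secrets; the access policy for the managed identity alone does not cover your developer account. Keep the list of permitted credentials as short as the deployment needs: the `Exclude*` options on `DefaultAzureCredentialOptions` prune the chain so a credential left on a host cannot be picked up silently.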