was*_*abi 6 azure azure-webjobs azure-keyvault azure-web-app-service azure-managed-identity
I have enabled Managed Service Identity on the App Service. However, my WebJobs don't seem to be able to access the keys.
They report:
Tried the following 3 methods to get an access token, but none of them worked.
Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: . Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.
Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.microsoftonline.com/common. Exception Message: Tried to get token using Active Directory Integrated Authentication. Access token could not be acquired. password_required_for_managed_user: Password is required for managed user
Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: . Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. 'az' is not recognized as an internal or external command,
Kudu does not show any MSI_ environment variables.
How is this supposed to work? This is an existing App Service plan.
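The AppAuthentication library leverages an internal endpoint in App Service that receives tokens on your site's behalf. This endpoint is non-static and is therefore set as an environment variable. After MSI is activated for your site through ARM, your site will need to be restarted for two new environment variables to be set in it:
MSI_ENDPOINT and MSI_SECRET
The presence of these variables is essential for the MSI feature to work properly at runtime, because the AppAuthentication library uses them to obtain the authorization token. The error message reflects this:
Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.
If these variables are not present, you may need to restart the site.
https://docs.microsoft.com/en-us/azure/app-service/app-service-managed-service-identity
If the environment variables are set and you still see the same error, the article above has a code sample showing how to send a request to that endpoint manually.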
    // Requires: using System; using System.Net.Http; using System.Threading.Tasks;
    public static async Task<HttpResponseMessage> GetToken(string resource, string apiversion) {
        HttpClient client = new HttpClient();
        // The local MSI endpoint authenticates the caller with the per-site secret header.
        client.DefaultRequestHeaders.Add("Secret", Environment.GetEnvironmentVariable("MSI_SECRET"));
        // MSI_ENDPOINT is assigned when the site starts, so it is read at call time.
        return await client.GetAsync(String.Format("{0}/?resource={1}&api-version={2}", Environment.GetEnvironmentVariable("MSI_ENDPOINT"), resource, apiversion));
    }
I would try that and see what kind of response I get.
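The manual check suggested in the answer above, written out as a small diagnostic that can run as a WebJob or from the Kudu console. This is an added example, not part of the original answer or of Microsoft's article. The class name `MsiDiagnostic` is hypothetical, and the api-version value `2017-09-01` is an assumption, since the page does not state one. It reports which failure mode applies without ever printing `MSI_SECRET` or the issued token.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;

public static class MsiDiagnostic  // hypothetical name, not from the page
{
    // Returns a one-line diagnosis. The secret and the token are never logged.
    public static async Task<string> CheckAsync(string resource, string apiVersion)
    {
        string endpoint = Environment.GetEnvironmentVariable("MSI_ENDPOINT");
        string secret = Environment.GetEnvironmentVariable("MSI_SECRET");

        // Case 1: variables missing, the situation described in the question.
        if (string.IsNullOrEmpty(endpoint) || string.IsNullOrEmpty(secret))
            return "MSI_ENDPOINT/MSI_SECRET not set in this process: restart the site after enabling MSI.";

        using (var client = new HttpClient { Timeout = TimeSpan.FromSeconds(10) })
        {
            client.DefaultRequestHeaders.Add("Secret", secret);
            string url = string.Format("{0}/?resource={1}&api-version={2}",
                endpoint.TrimEnd('/'), Uri.EscapeDataString(resource), Uri.EscapeDataString(apiVersion));
            try
            {
                HttpResponseMessage response = await client.GetAsync(url);
                string body = await response.Content.ReadAsStringAsync();

                // Case 2: endpoint answered with an error; the error body is safe to show.
                if (!response.IsSuccessStatusCode)
                    return "Endpoint reachable but returned " + (int)response.StatusCode + ": " + body;

                // Case 3: success. The body holds a bearer token, so only confirm it arrived.
                return body.Contains("\"access_token\"")
                    ? "Token issued for " + resource + " (token value not logged)."
                    : "HTTP 200 without an access_token field: unexpected response shape.";
            }
            catch (HttpRequestException ex)
            {
                return "Could not connect to the MSI endpoint: " + ex.Message;
            }
            catch (TaskCanceledException)
            {
                return "Request to the MSI endpoint timed out.";
            }
        }
    }

    public static void Main()
    {
        // "2017-09-01" is an assumed api-version; the page does not give one.
        Console.WriteLine(CheckAsync("https://vault.azure.net", "2017-09-01").GetAwaiter().GetResult());
    }
}
```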