Rad*_*d13 4 azure-functions azure-managed-identity
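I am trying to use a "user-managed identity" in my function app. The managed identity has Contributor access at the level of the resource group that hosts the function. This is a PowerShell function, and currently it only contains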
Write-Host "Hello World"
When I run my function, I get the following error:
2021-10-05T13:34:15Z [Warning] WARNING: Unable to acquire token for tenant 'organizations' with error 'ManagedIdentityCredential authentication failed: Service request failed.
Status: 400 (Bad Request)
Headers:
Date: Tue, 05 Oct 2021 13:34:14 GMT
Content-Length: 133
'
2021-10-05T13:34:16Z [Error] ERROR: ManagedIdentityCredential authentication failed: Service request failed.
Status: 400 (Bad Request)
Headers:
Date: Tue, 05 Oct 2021 13:34:14 GMT
Content-Length: 133
Exception :
Type : Azure.Identity.AuthenticationFailedException
TargetSite :
Name : FailWrapAndThrow
DeclaringType : Azure.Identity.CredentialDiagnosticScope, Azure.Identity, Version=1.4.0.0, Culture=neutral, PublicKeyToken=92742159e12e44c8
MemberType : Method
Module : Azure.Identity.dll
StackTrace :
at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex)
at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
at Azure.Identity.ManagedIdentityCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
at Microsoft.Azure.PowerShell.Authenticators.MsalAccessTokenAcquirer.GetAccessTokenAsync(String callerClassName, String parametersLog, TokenCredential tokenCredential, TokenRequestContext requestContext, CancellationToken cancellationToken, String tenantId, String userId, String homeAccountId)
at Microsoft.Azure.Commands.Common.Authentication.Factories.AuthenticationFactory.Authenticate(IAzureAccount account, IAzureEnvironment environment, String tenant, SecureString password, String promptBehavior, Action`1 promptAction, IAzureTokenCache tokenCache, String resourceId)
at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.AcquireAccessToken(IAzureAccount account, IAzureEnvironment environment, String tenantId, SecureString password, String promptBehavior, Action`1 promptAction, String resourceId)
at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.ListAccountTenants(IAzureAccount account, IAzureEnvironment environment, SecureString password, String promptBehavior, Action`1 promptAction)
at Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient.Login(IAzureAccount account, IAzureEnvironment environment, String tenantId, String subscriptionId, String subscriptionName, SecureString password, Boolean skipValidation, Action`1 promptAction, String name, Boolean shouldPopulateContextList, Int32 maxContextPopulation, String authScope)
at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass118_2.<ExecuteCmdlet>b__5()
at System.Threading.Tasks.Task`1.InnerInvoke()
at System.Threading.Tasks.Task.<>c.<.cctor>b__274_0(Object obj)
at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location where exception was thrown ---
at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass118_0.<ExecuteCmdlet>b__1(AzureRmProfile localProfile, RMProfileClient profileClient, String name)
at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.<>c__DisplayClass126_0.<SetContextWithOverwritePrompt>b__0(AzureRmProfile prof, RMProfileClient client)
at Microsoft.Azure.Commands.Profile.Common.AzureContextModificationCmdlet.ModifyContext(Action`2 contextAction)
at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.SetContextWithOverwritePrompt(Action`3 setContextAction)
at Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand.ExecuteCmdlet()
at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.<>c__3`1.<ExecuteSynchronouslyOrAsJob>b__3_0(T c)
at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet, Action`1 executor)
at Microsoft.WindowsAzure.Commands.Utilities.Common.CmdletExtensions.ExecuteSynchronouslyOrAsJob[T](T cmdlet)
at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()
Message : ManagedIdentityCredential authentication failed: Service request failed.
Status: 400 (Bad Request)
Headers:
Date: Tue, 05 Oct 2021 13:34:14 GMT
Content-Length: 133
InnerException :
Type : Azure.RequestFailedException
Status : 400
TargetSite :
Name : MoveNext
DeclaringType : Azure.Identity.ManagedIdentitySource+<HandleResponseAsync>d__10, Azure.Identity, Version=1.4.0.0, Culture=neutral, PublicKeyToken=92742159e12e44c8
MemberType : Method
Module : Azure.Identity.dll
StackTrace :
at Azure.Identity.ManagedIdentitySource.HandleResponseAsync(Boolean async, TokenRequestContext context, Response response, CancellationToken cancellationToken)
at Azure.Identity.ManagedIdentitySource.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
Message : Service request failed.
Status: 400 (Bad Request)
Headers:
Date: Tue, 05 Oct 2021 13:34:14 GMT
Content-Length: 133
Source : Azure.Identity
HResult : -2146233088
Source : Azure.Identity
HResult : -2146233088
CategoryInfo : CloseError: (:) [Connect-AzAccount], AuthenticationFailedException
FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand
InvocationInfo :
MyCommand : Connect-AzAccount
ScriptLineNumber : 16
OffsetInLine : 5
HistoryId : 1
ScriptName : C:\home\site\wwwroot\profile.ps1
Line : Connect-AzAccount -Identity
PositionMessage : At C:\home\site\wwwroot\profile.ps1:16 char:5
+ Connect-AzAccount -Identity
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
PSScriptRoot : C:\home\site\wwwroot
PSCommandPath : C:\home\site\wwwroot\profile.ps1
InvocationName : Connect-AzAccount
CommandOrigin : Internal
ScriptStackTrace : at <ScriptBlock>, C:\home\site\wwwroot\profile.ps1: line 16
PipelineIterationInfo :
2021-10-05T13:34:17Z [Error] Errors reported while executing profile.ps1. See logs for detailed errors. Profile location: C:\home\site\wwwroot\profile.ps1.
2021-10-05T13:34:17Z [Information] INFORMATION: Hello World
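I have followed the steps listed in the documentation here, and have also double-checked that the function app has the IDENTITY_ENDPOINT and IDENTITY_HEADER values set.
For the life of me, I cannot get this to work. However, it does work with a "system-assigned managed identity".
I have also tried combinations of the Connect-AzAccount and Set-AzContext commands and ended up with the same error.
I would appreciate it if anyone could point out what I am missing here.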
On my side, I was trying to connect a Cosmos DB client,
but the ManagedIdentityClientId parameter was missing in the client method
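// Requires: using Azure.Identity; using Microsoft.Azure.Cosmos;
// Client ID of the user-assigned managed identity to authenticate as
string userAssignedClientId = "<USER_ASSIGNED_CLIENT_ID>";
var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions { ManagedIdentityClientId = userAssignedClientId });
// "<COSMOS_ACCOUNT_ENDPOINT>" is a placeholder; the original snippet stopped at "new CosmosClient"
var client = new CosmosClient("<COSMOS_ACCOUNT_ENDPOINT>", credential);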
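When you use a user-assigned managed identity, you still need to specify which identity to use, along with the credential (because you can attach multiple user-assigned identities). To identify which identity to use, you only need to specify the client ID of the managed identity.
It depends on the method you are using, but the AZURE_CLIENT_ID environment variable can be used to direct the Azure.Identity package to choose which user-assigned managed identity to use.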
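
An added example, not part of the original question or answers: a profile.ps1 for a PowerShell function app that passes the user-assigned identity's client ID explicitly instead of calling `Connect-AzAccount -Identity` on its own. It assumes the app setting AZURE_CLIENT_ID holds that client ID; the helper name Get-ManagedIdentityToken is hypothetical, and the probe uses the App Service identity endpoint (api-version 2019-08-01, X-IDENTITY-HEADER header).

```powershell
# profile.ps1 (added example; not the asker's file)
# Assumption: the app setting AZURE_CLIENT_ID holds the client ID of the
# user-assigned managed identity attached to this function app.

function Get-ManagedIdentityToken {   # hypothetical helper name
    param(
        [string]$Resource = 'https://management.azure.com/',
        [string]$ClientId   # empty = request the system-assigned identity
    )
    if (-not $env:IDENTITY_ENDPOINT -or -not $env:IDENTITY_HEADER) {
        throw 'No managed identity endpoint is exposed to this app.'
    }
    $query = "resource=$([uri]::EscapeDataString($Resource))&api-version=2019-08-01"
    if ($ClientId) { $query += "&client_id=$([uri]::EscapeDataString($ClientId))" }

    $request = @{
        Method  = 'Get'
        Uri     = "$($env:IDENTITY_ENDPOINT)?$query"
        Headers = @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER }
    }
    Invoke-RestMethod @request
}

if ($env:IDENTITY_ENDPOINT) {
    $clientId = $env:AZURE_CLIENT_ID
    if (-not $clientId) {
        Write-Warning 'AZURE_CLIENT_ID is not set; only a system-assigned identity can be resolved.'
    }
    try {
        # Probe the endpoint first so a wrong or unattached client ID fails with a clear message.
        $token = Get-ManagedIdentityToken -ClientId $clientId
        # Log metadata only; the access token itself is a bearer secret.
        Write-Host "Token acquired for client_id '$($token.client_id)', expires_on $($token.expires_on)"
    }
    catch {
        Write-Error "Identity endpoint rejected the request (client_id='$clientId'): $($_.Exception.Message)"
        return
    }

    Disable-AzContextAutosave -Scope Process | Out-Null
    if ($clientId) {
        # -AccountId selects the user-assigned identity by its client ID.
        Connect-AzAccount -Identity -AccountId $clientId | Out-Null
    } else {
        Connect-AzAccount -Identity | Out-Null
    }
}
```

A request to the identity endpoint without `client_id` asks for the system-assigned identity, which matches the asker's observation that `Connect-AzAccount -Identity` alone works only with a system-assigned identity.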