【Question title】: Read Azure KeyVault Secret from Function App
【Posted】: 2021-01-07 04:51:51
【Question】:

This Python script is deployed to run from an Azure Function App on the Linux Consumption plan, and it is expected to read a secret from Azure Key Vault.

In addition to the code deployment, the following is configured:

1.) System-assigned managed identity enabled for the Azure Function App

2.) A role assignment on the Azure Key Vault that references this Function App with the Reader role.

This is the script from __init__.py
import logging
import azure.functions as func
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

def main(req: func.HttpRequest) -> func.HttpResponse:
    logging.info('Python HTTP trigger function processed a request.')
    # Get url and filename from postman by using POST method
    #identity = ManagedIdentityCredential()
    credentials = DefaultAzureCredential()
    secretClient = SecretClient(vault_url="https://kvkkpbedpdev.vault.azure.net/", credential=credentials)
    secret = secretClient.get_secret(name = 'st-cs-kkpb-edp-dev')
    return func.HttpResponse(f"Read secret {secret.name}", status_code=200)  # confirm the read without echoing the value

This Function App needs the following libraries, defined in the requirements.txt file

azure-functions
azure-keyvault-secrets
azure-identity

The function runs and ends with an exception.

warn: Function.Tide_GetFiles.User[0]
python                   |       SharedTokenCacheCredential.get_token failed: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
python                   |       Traceback (most recent call last):
python                   |         File "/usr/local/lib/python3.8/site-packages/azure/identity/_internal/decorators.py", line 27, in wrapper
python                   |           token = fn(*args, **kwargs)
python                   |         File "/usr/local/lib/python3.8/site-packages/azure/identity/_credentials/shared_cache.py", line 88, in get_token
python                   |           account = self._get_account(self._username, self._tenant_id)
python                   |         File "/usr/local/lib/python3.8/site-packages/azure/identity/_internal/decorators.py", line 45, in wrapper
python                   |           return fn(*args, **kwargs)
python                   |         File "/usr/local/lib/python3.8/site-packages/azure/identity/_internal/shared_token_cache.py", line 166, in _get_account
python                   |           raise CredentialUnavailableError(message=NO_ACCOUNTS)
python                   |       azure.identity._exceptions.CredentialUnavailableError: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
python                   | info: Function.Tide_GetFiles.User[0]
python                   |       DefaultAzureCredential - SharedTokenCacheCredential is unavailab

and the error

 fail: Function.Tide_GetFiles[3]
python                   |       Executed 'Functions.Tide_GetFiles' (Failed, Id=9d514a1f-aeae-4625-9379-b2f0bc89f38f, Duration=1673ms)
python                   | Microsoft.Azure.WebJobs.Host.FunctionInvocationException: Exception while executing function: Functions.Tide_GetFiles
python                   |  ---> Microsoft.Azure.WebJobs.Script.Workers.Rpc.RpcException: Result: Failure
python                   | Exception: ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials.
python                   | Attempted credentials:
python                   |      EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
python                   |      ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
python                   |      SharedTokenCacheCredential: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.

How do I figure this out?

【Discussion】:

    Tags: python python-3.x azure


    【Solution 1】:

    From the error, it looks like the managed identity was not applied correctly to your Function App. You should be able to see it by going to the Identity blade of the Function App.

    Also, if you are not using the new preview access control, you should add the required access policy (separate from role assignments in Access Control) (Get secret here) to allow the identity (which has the same name as the app) to access the keyvault. Refer to How to set and get secrets from Azure Key Vault with Azure Managed Identities and Python.

    Using the Azure portal, go to the Key Vault's access policies and grant the required access to the Key Vault.

    1. Search for your Key Vault in the "Search resources" dialog in the Azure portal.
    2. Select "Overview", then click Access policies
    3. Click "Add access policy" and select the required permissions.
    4. Click "Select principal" and add your account
    5. Save the access policy

    You can also create an Azure service principal via Azure CLI, PowerShell or the portal, and grant it the same access.

    【Discussion】:
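The two failure modes in this thread (identity not assigned, so there is no managed-identity endpoint; identity assigned but the vault does not grant it Get on secrets, which a control-plane Reader role does not do) map onto two distinct HTTP exchanges. The following is an added example, not code from the question or the answer, that performs the flow azure-identity's ManagedIdentityCredential performs on App Service / Functions using only the standard library, so each failure is visible where it happens. It assumes the documented App Service variables IDENTITY_ENDPOINT and IDENTITY_HEADER, the MSI token API version 2019-08-01 and Key Vault REST API version 7.1; the vault URL and secret name are the placeholders from the question, and FakeAzure, its endpoint URL, header value and token are constructed stand-ins so the code runs offline. In production, use ManagedIdentityCredential rather than this hand-rolled transport.

```python
import json
import os
import urllib.parse
import urllib.request

# Variables the Functions/App Service host injects only when a managed identity is
# assigned to the app; their absence is what azure-identity reports as
# "ManagedIdentityCredential authentication unavailable, no managed identity endpoint found".
IDENTITY_ENDPOINT_VAR = "IDENTITY_ENDPOINT"
IDENTITY_HEADER_VAR = "IDENTITY_HEADER"
KEY_VAULT_RESOURCE = "https://vault.azure.net"  # token audience for Key Vault


def check_managed_identity_env(env):
    """Return None when the MSI endpoint is configured, else a diagnostic string."""
    missing = [v for v in (IDENTITY_ENDPOINT_VAR, IDENTITY_HEADER_VAR) if not env.get(v)]
    if missing:
        return ("no managed identity endpoint found (%s unset); enable the "
                "system-assigned identity on the Function App" % ", ".join(missing))
    return None


def _http_get_json(url, headers):
    """Real transport: GET url and return (status, parsed JSON body)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))


def get_managed_identity_token(env, http_get=_http_get_json, resource=KEY_VAULT_RESOURCE):
    """Ask the local MSI endpoint for a bearer token scoped to Key Vault."""
    problem = check_managed_identity_env(env)
    if problem:
        raise RuntimeError(problem)
    query = urllib.parse.urlencode({"resource": resource, "api-version": "2019-08-01"})
    status, body = http_get(env[IDENTITY_ENDPOINT_VAR] + "?" + query,
                            {"X-IDENTITY-HEADER": env[IDENTITY_HEADER_VAR]})
    if status != 200 or "access_token" not in body:
        raise RuntimeError("MSI endpoint returned HTTP %s: %s" % (status, body))
    return body["access_token"]


def get_secret_value(vault_url, name, token, http_get=_http_get_json):
    """Read one secret from the Key Vault data plane with the bearer token."""
    url = "%s/secrets/%s?api-version=7.1" % (vault_url.rstrip("/"), urllib.parse.quote(name))
    status, body = http_get(url, {"Authorization": "Bearer " + token})
    if status == 403:
        # The identity authenticated but has no "Get" permission on secrets: a Reader
        # role on the vault is control-plane only; an access policy (or a data-plane
        # RBAC role) is what grants this.
        raise PermissionError("identity is not allowed to get secret %r" % name)
    if status != 200:
        raise RuntimeError("Key Vault returned HTTP %s: %s" % (status, body))
    return body["value"]


class FakeAzure:
    """Constructed offline stand-in for the MSI endpoint and the Key Vault data plane."""

    def __init__(self, header_secret, policy_allows_get, secrets):
        self.header_secret = header_secret
        self.policy_allows_get = policy_allows_get
        self.secrets = secrets
        self.token = "constructed-bearer-token"

    def __call__(self, url, headers):
        path, _, query = url.partition("?")
        if path == "http://127.0.0.1:41234/msi/token":  # constructed endpoint URL
            if headers.get("X-IDENTITY-HEADER") != self.header_secret:
                return 401, {"error": "bad X-IDENTITY-HEADER"}
            return 200, {"access_token": self.token, "token_type": "Bearer",
                         "resource": dict(urllib.parse.parse_qsl(query))["resource"]}
        if headers.get("Authorization") != "Bearer " + self.token:
            return 401, {"error": {"code": "Unauthorized"}}
        if not self.policy_allows_get:
            return 403, {"error": {"code": "Forbidden"}}
        name = urllib.parse.unquote(path.rsplit("/", 1)[1])
        return 200, {"value": self.secrets[name], "id": path}


# Placeholders from the question plus constructed environment values.
VAULT_URL = "https://kvkkpbedpdev.vault.azure.net/"
SECRET_NAME = "st-cs-kkpb-edp-dev"
FAKE_ENV = {IDENTITY_ENDPOINT_VAR: "http://127.0.0.1:41234/msi/token",
            IDENTITY_HEADER_VAR: "constructed-header-value"}


def read_secret(env, http_get=_http_get_json):
    """End to end: check the environment, obtain a token, read the secret."""
    token = get_managed_identity_token(env, http_get)
    return get_secret_value(VAULT_URL, SECRET_NAME, token, http_get)


if __name__ == "__main__":
    # Against a real Function App, read_secret(os.environ) uses the live endpoints.
    azure = FakeAzure("constructed-header-value", True, {SECRET_NAME: "s3cret"})
    print(read_secret(FAKE_ENV, azure))
```

Run check_managed_identity_env(os.environ) from inside the function first: if it returns a diagnostic, no access policy change will help because the identity is not there. If the token call succeeds and the vault answers 403, the identity is fine and the missing piece is the data-plane permission.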
