Azure Identity Authentication DefaultAzureCredential with Node Js

Question

我试图在 Node js 中使用 @azure/identity 对 Azure DefaultAzureCredential 进行身份验证，以获取 Azure API 管理服务的报告。

我做过的事情：

1. 从 Azure 门户创建 API 管理服务

2. 向 Azure AD 注册应用程序并使用 this 文档创建服务主体。

3. 我已正确配置环境变量以使用 this 文档中提到的 DefaultAzureCredential。

   AZURE_TENANT_ID， AZURE_CLIENT_ID， AZURE_CLIENT_SECRET， AZURE_SUBSCRIPTION，

但身份验证失败，我无法生成凭据。当我安慰new DefaultAzureCredential(); 回复时，它说UnavailableMessage: 'DefaultAzureCredential => failed to retrieve a token from the included credentials',

require("dotenv").config();
const { DefaultAzureCredential } = require("@azure/identity");
const { ApiManagementClient } = require("@azure/arm-apimanagement");

if (!process.env.AZURE_TENANT_ID) throw Error("AZURE_TENANT_ID is missing from environment variables.");
if (!process.env.AZURE_CLIENT_ID) throw Error("AZURE_CLIENT_ID is missing from environment variables.");
if (!process.env.AZURE_CLIENT_SECRET) throw Error("AZURE_CLIENT_SECRET is missing from environment variables.");
if (!process.env.AZURE_RESOURCE_GROUP) throw Error("AZURE_RESOURCE_GROUP is missing from environment variables.");
if (!process.env.AZURE_SERVICE_NAME) throw Error("AZURE_SERVICE_NAME is missing from environment variables.");
if (!process.env.AZURE_SUBSCRIPTION) throw Error("AZURE_SUBSCRIPTION is missing from environment variables.");

const subscriptionId = process.env.AZURE_SUBSCRIPTION;

const credentials = new DefaultAzureCredential();

console.log(credentials);

我得到了这个错误，

DefaultAzureCredential {
  UnavailableMessage: 'DefaultAzureCredential => failed to retrieve a token from the included credentials',
  _sources: [
    EnvironmentCredential { _credential: [ClientSecretCredential] },
    ManagedIdentityCredential {
      isEndpointUnavailable: null,
      clientId: 'c8xxxxxxxx5ac8',
      identityClient: [IdentityClient]
    },
    AzureCliCredential {},
    VisualStudioCodeCredential {
      cloudName: 'AzureCloud',
      identityClient: [IdentityClient],
      tenantId: 'common'
    }
  ]
}

作为堆栈溢出中类似question 的答案之一提到，即使 DefaultAzureCredential 显示不可用消息，它也可以工作， 我尝试继续使用 @azure/identity 获取 API 管理服务报告

const client = new ApiManagementClient(credentials, subscriptionId);

const resourceGroupName = process.env.AZURE_RESOURCE_GROUP;
const serviceName = process.env.AZURE_SERVICE_NAME;
const filter = "callCountSuccess";

client.reports
    .listBySubscription(
        resourceGroupName,
        serviceName,
        filter
    )
    .then((result) => {
        console.log(JSON.stringify(result));
    })
    .catch((err) => {
        console.log(err);
    });

但是由于这也给出了 403 错误，

response: {
    body: `{"error":
    {"code":"AuthorizationFailed",
    "message":
    "The client 'cxxxxxxxxxxxxxxx569' with object id 'cxxxxxxxxxxxxxxx569' 
    does not have authorization to perform action 'Microsoft.ApiManagement/service/reports/read' 
    over scope '/subscriptions/85xxxxxxx3c5/resourceGroups/axxxb/providers/Microsoft.ApiManagement/service/Axxxx/reports/bySubscription' 
    or the scope is invalid. 
    If access was recently granted, please refresh your credentials."}}`,
    headers: HttpHeaders { _headersMap: [Object] },
    status: 403
  },

编辑

我已将 API 管理服务读取器角色添加到 Api 管理服务，但出现与上述相同的错误。

Answer 1

您遇到AuthorizationFailed 错误的原因是因为您似乎没有为您的服务主体分配任何权限（RBAC 角色）。

默认情况下，服务主体将无权对 Azure 订阅执行操作。您需要通过为您的服务主体分配合适的 RBAC 角色来明确授予适当的权限。

您可以尝试在订阅、资源组或 API 管理资源级别将 Reader 角色分配给您的服务主体。您可能会发现此链接很有帮助：https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps。

一旦分配了适当的角色，您应该不会收到此错误。