Reading Azure KeyVault secrets from a Function App

Problem description

This Python script is deployed to run from an Azure Function App on the Linux Consumption plan, and the script is expected to read a secret from Azure Key Vault.

Besides deploying the code, the following configuration was done:

1.) Enabled system-assigned managed identity for the Azure Function App

2.) Role assignment on the Azure Key Vault referencing this Function App with the Reader role.

Here is the script from __init__.py

import logging
import azure.functions as func
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

def main(req: func.HttpRequest) -> func.HttpResponse:
    logging.info('Python HTTP trigger function processed a request.')
    # Get url and filename from postman by using POST method
    #identity = ManagedIdentityCredential()
    credentials = DefaultAzureCredential()
    secretClient = SecretClient(vault_url="https://kvkkpbedpdev.vault.azure.net/", credential=credentials)
    secret = secretClient.get_secret(name = 'st-cs-kkpb-edp-dev')
    # Confirm the read succeeded without echoing the secret value to the caller
    return func.HttpResponse(f"Read secret '{secret.name}'", status_code=200)

This function app requires the following libraries, defined in the requirements.txt file:

azure-functions
azure-keyvault-secrets
azure-identity

The function runs and ends with an exception.

warn: Function.Tide_GetFiles.User[0]
python                   |       SharedTokenCacheCredential.get_token failed: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
python                   |       Traceback (most recent call last):
python                   |         File "/usr/local/lib/python3.8/site-packages/azure/identity/_internal/decorators.py", line 27, in wrapper
python                   |           token = fn(*args, **kwargs)
python                   |         File "/usr/local/lib/python3.8/site-packages/azure/identity/_credentials/shared_cache.py", line 88, in get_token
python                   |           account = self._get_account(self._username, self._tenant_id)
python                   |         File "/usr/local/lib/python3.8/site-packages/azure/identity/_internal/decorators.py", line 45, in wrapper
python                   |           return fn(*args, **kwargs)
python                   |         File "/usr/local/lib/python3.8/site-packages/azure/identity/_internal/shared_token_cache.py", line 166, in _get_account
python                   |           raise CredentialUnavailableError(message=NO_ACCOUNTS)
python                   |       azure.identity._exceptions.CredentialUnavailableError: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
python                   | info: Function.Tide_GetFiles.User[0]
python                   |       DefaultAzureCredential - SharedTokenCacheCredential is unavailab

and the error

 fail: Function.Tide_GetFiles[3]
python                   |       Executed 'Functions.Tide_GetFiles' (Failed, Id=9d514a1f-aeae-4625-9379-b2f0bc89f38f, Duration=1673ms)
python                   | Microsoft.Azure.WebJobs.Host.FunctionInvocationException: Exception while executing function: Functions.Tide_GetFiles
python                   |  ---> Microsoft.Azure.WebJobs.Script.Workers.Rpc.RpcException: Result: Failure
python                   | Exception: ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials.
python                   | Attempted credentials:
python                   |      EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
python                   |      ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
python                   |      SharedTokenCacheCredential: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.

How can I resolve this?


Solution


Judging from the error, it seems the managed identity is not correctly applied to your function app. You should be able to see it by going to the Identity blade of the Function app.


Also, if you are not using the new preview access control, you should add the required access policy (separate from the role assignment under Access control) (Get on secrets here) to allow the identity (same name as the app) to access the key vault. See How to set and get secrets from Azure Key Vault using Azure Managed Identities and Python.

Using the Azure portal, go to the Key Vault's Access policies and grant the required access to the Key Vault.

  1. Search for your Key Vault in the "Search resources" dialog in the Azure portal.
  2. Select "Overview", then click Access policies.
  3. Click "Add access policy" and select the required permissions.
  4. Click "Select principal" and add your account.
  5. Save the access policy.


You can also create an Azure service principal via the Azure CLI, PowerShell, or the portal, and grant it the same access.
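The two configuration steps from the question and the access-policy fix from the answer as one Azure CLI script, added here as an example and not part of the original answer; the resource group, app and vault names are placeholders, and the az calls only run when APPLY=1 so the helper functions can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original post: the Azure CLI equivalent of the
# answer's portal steps. Resource names are placeholders; set them via env vars.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-placeholder}"
FUNCTION_APP="${FUNCTION_APP:-func-placeholder}"
KEY_VAULT="${KEY_VAULT:-kv-placeholder}"

# Arguments for 'az keyvault set-policy' scoped to the app's identity (object id).
# Only 'get' on secrets: reading one secret needs no list/set/delete rights, and
# a Reader role assignment on the vault grants no data-plane secret access at all.
# (If the vault uses the RBAC permission model instead of access policies, the
# equivalent is a 'Key Vault Secrets User' role assignment at vault scope.)
kv_policy_args() {
  printf 'keyvault set-policy --name %s --object-id %s --secret-permissions get' "$1" "$2"
}

# True when a whitespace-separated permission list (as 'az ... -o tsv' prints it)
# contains the 'get' secret permission; used to verify the policy after applying.
policy_grants_get() {
  printf '%s\n' "$1" | tr ' \t' '\n\n' | grep -qx 'get'
}

if [ "${APPLY:-0}" = "1" ]; then
  # Step 1 (question): enable the system-assigned identity and capture its object id.
  # A missing identity is what "no managed identity endpoint found" in the log means.
  principal_id=$(az functionapp identity assign \
    --resource-group "$RESOURCE_GROUP" --name "$FUNCTION_APP" \
    --query principalId -o tsv)

  # Step 2 (answer): grant the access policy; this is separate from RBAC roles.
  # shellcheck disable=SC2046
  az $(kv_policy_args "$KEY_VAULT" "$principal_id")

  # Step 3: verify what the vault actually grants this identity before redeploying.
  granted=$(az keyvault show --name "$KEY_VAULT" \
    --query "properties.accessPolicies[?objectId=='$principal_id'].permissions.secrets | [0]" -o tsv)
  policy_grants_get "$granted" || { echo "policy missing 'get' for $principal_id" >&2; exit 1; }
  echo "identity $principal_id can get secrets from $KEY_VAULT"
fi
```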
