I'm trying to use a User Assigned Managed Identity to retrieve access in a KeyVault reference in an Azure Function.
I'm following this doc https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references?tabs=azure-cli#:~:text=you%20haven%27t%20already.-,Configure,-the%20app%20to to reference the KeyVault in the application configuration.
I followed these steps:
- Created a User Assigned Managed Identity.
- Created a policy in KeyVault and gave GET and LIST permissions to the User Assigned Managed Identity.
- Set the User Assigned Managed Identity in the Azure Function's Identity.
- Set the application settings like this:
  - mysecureapp - @Microsoft.KeyVault(SecretUri=https://mykv.vault.azure.net/secrets/mysecret/id)
  - keyVaultReferenceIdentity - /subscriptions/subsid/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mgid
Any thoughts on this?
Wow!
I'm also searching the same topic for user identity and the same issue.
I just followed the marked answer; it worked and I was able to retrieve the value.
Thanks @Magno Oliveira for bringing this question to the community.
Just need to run the CLI command in the Azure portal! Give the resource group name, user identity name and function app name to the command below.
I realized that in addition to setting the property keyVaultReferenceIdentity via app setting, we need to change the property of the same name in the function resource. The default value is SystemAssign if you enable it. Unfortunately the MS documentation is unclear on this.
I found the property that can be used in the Terraform documentation; follow the link: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#:~:text=key_vault_reference_identity_id
After setting this property to the value of the User Assigned Managed Identity, this worked fine.
Just found that when the keyVaultReferenceIdentity property is created in the Function using the portal or our IaC (App Settings), it doesn't recognize the User Assigned identity as the one to authenticate to KeyVault, but if you run the PATCH described in the following link using PowerShell, it works.
https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references?tabs=azure-powershell#access-vaults-with-a-user-assigned-identity
That should be enough for the reference to KeyVault to work.
Stumbled across this on Google while having the same problem. I discovered that there are actually two keyVaultReferenceIdentity properties: one under properties and one under siteConfig. I had set the one under siteConfig but not the one under properties.
I hope you have already done all the steps. But one thing you may have missed:
This error MSINotEnabled comes mostly in the absence of a managed identity for your application, and it clearly says so, i.e., System assigned Managed identity.
Refer to this Medium article, where the troubleshooting steps for all these kinds of errors, along with their resolutions, are described.
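An added example, not code from the thread: a Python audit of a function app's `az functionapp show` JSON and its app settings for the pitfalls the answers above describe, namely keyVaultReferenceIdentity set only as an app setting and the two properties of that name (under properties and under siteConfig). The sample resource IDs are the placeholders from the question, and the field names are assumed to follow the Microsoft.Web/sites schema as the CLI flattens it.

```python
import re

# Constructed sample in the shape of `az functionapp show -o json` output (the CLI
# flattens ARM `properties` to the top level). Resource IDs are placeholders.
IDENTITY_ID = ("/subscriptions/subsid/resourceGroups/rg/providers/"
               "Microsoft.ManagedIdentity/userAssignedIdentities/mgid")
SAMPLE_SITE = {
    "identity": {"type": "UserAssigned", "userAssignedIdentities": {IDENTITY_ID: {}}},
    "keyVaultReferenceIdentity": "SystemAssigned",  # site property left at its default
    "siteConfig": {"keyVaultReferenceIdentity": None},
}
SAMPLE_SETTINGS = {  # the question's setup: the property exists only as an app setting
    "mysecureapp": "@Microsoft.KeyVault(SecretUri=https://mykv.vault.azure.net/secrets/mysecret/id)",
    "keyVaultReferenceIdentity": IDENTITY_ID,
}

# Both documented Key Vault reference syntaxes: SecretUri, or VaultName;SecretName[;SecretVersion].
KV_REF = re.compile(
    r"^@Microsoft\.KeyVault\((?:SecretUri=(?P<uri>[^;)]+)|VaultName=(?P<vault>[^;)]+)"
    r";SecretName=(?P<name>[^;)]+)(?:;SecretVersion=(?P<ver>[^;)]+))?)\)$")

def parse_key_vault_reference(value):
    """Return the parts of a Key Vault reference as a dict, or None if it is malformed."""
    m = KV_REF.match(value.strip())
    return {k: v for k, v in m.groupdict().items() if v} if m else None

def audit_site(site, settings, identity_id):
    """Return the misconfigurations seen in this thread; an empty list means the app is set up."""
    findings, ident = [], identity_id.lower()
    attached = {k.lower() for k in ((site.get("identity") or {}).get("userAssignedIdentities") or {})}
    if ident not in attached:
        findings.append("user-assigned identity is not attached to the app (Identity blade)")
    site_prop = site.get("keyVaultReferenceIdentity") or ""
    if site_prop.lower() != ident:  # resource IDs compare case-insensitively
        findings.append("site property keyVaultReferenceIdentity is %r, not the identity's "
                        "resource id, so references resolve with the system-assigned identity"
                        % site_prop)
    cfg_prop = (site.get("siteConfig") or {}).get("keyVaultReferenceIdentity")
    if cfg_prop and cfg_prop.lower() != ident:
        findings.append("siteConfig.keyVaultReferenceIdentity disagrees with the site property")
    if "keyVaultReferenceIdentity" in settings:
        findings.append("keyVaultReferenceIdentity is only an app setting; the thread shows the "
                        "site property is what has to be set")
    for key, value in settings.items():
        if value.startswith("@Microsoft.KeyVault(") and parse_key_vault_reference(value) is None:
            findings.append("app setting %s holds a malformed Key Vault reference" % key)
    return findings
```

The remediation the linked Microsoft doc gives is `az webapp update -g <rg> -n <app> --set keyVaultReferenceIdentity=<identity resource id>` (the same generic `--set` is accepted by `az functionapp update`), after which the audit of the sample returns an empty list.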