AzureAppConfiguration失败了,但在本地运行时适用于SecretClient
我正在尝试将托管身份用于 azure键Vault 和 azure应用程序配置。
当我部署到我的Azure App Service时,以下代码有效 - 但是当我本地运行时,SecretClient代码成功,AppConfig代码失败。
对于我的钥匙值,我尝试使用 vault访问策略和rbac-都可以使用。我将自己和应用程序服务添加为密钥保险箱秘密用户角色。
对于我的AppConfig,我已将自己添加到RBAC中,如 app配置数据所有者,以及我的应用程序服务为 app App配置数据读取器。请注意,应用程序服务可以成功配置和读取此信息,但是当我本地运行时,我会遇到各种错误,具体取决于我尝试的内容:
调用AddazureAppConfiguration时,我会得到以下例外:
Process“ C:\ Program Files \ Microsoft Visual Studio \ 2022 \ Professional \ common7 \ IDE \ Extensions \ lybeojxv.4oe \ tokenservice \ microsoft.asal.tokenservice.exe” 出乎意料的错误失败:TS003:错误,TS004:无法获得 访问令牌。 'aadsts50020:用户帐户'{email -hidded}' 身份提供商“ live.com”不存在租户” Microsoft 服务',无法访问应用程序'{guidhidden}'(Visual Studio)在那个租户中。该帐户需要作为外部添加 用户首先是租户。登录并再次登录 Azure Active Directory用户帐户。
我的Azure AD中的帐户是作为租户的外部用户添加的My_email_com#ext#@mycompany.onmicrosoft.com,尽管访客和成员的Azure AD模型 极其令人困惑。
我尝试签署,但无济于事。我不知道为什么它说我的用户似乎已经作为外部用户添加到房客的外部用户。 有人有任何建议吗?
我的整体代码如下:
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
var builder = WebApplication.CreateBuilder();
// Azure KeyVault - succeeds locally and for Azure AppService
var keyVaultUri = "https://{MYVAULT}.vault.azure.net/";
var client = new SecretClient(new Uri(keyVaultUri), new DefaultAzureCredential());
var testSecret = client.GetSecret("secretTest").Value.Value;
// Azure AppConfig
var appConfigUri = "https://{MYCONFIG}.azconfig.io/";
// The following code fails when run locally:
builder.Configuration.AddAzureAppConfiguration(options =>
options.Connect(new Uri(appConfigUri), new DefaultAzureCredential()));
var app = builder.Build();
var testConfig = app.Configuration["testConfig"];
app.MapGet("/", () => $"secret: {testSecret}, appConfig: {testConfig}");
app.Run();
I am trying to use Managed Identity for both Azure Key Vault and Azure App Config.
The following code works when I deploy to my Azure App Service - but when I run locally the SecretClient code succeeds and the AppConfig code fails.
For my KeyVault I've tried using Vault access policy and RBAC - and both work. I added myself and the App Service as Key Vault Secrets User role.
For my AppConfig I have added myself to RBAC as App Configuration Data Owner, and my App Service as App Configuration Data Reader. Note the App Service can successfully configure and read this, but when I run it locally I get various errors, depending on what I try:
When calling AddAzureAppConfiguration I get the following exception:
Process "C:\Program Files\Microsoft Visual
Studio\2022\Professional\Common7\IDE\Extensions\lybeojxv.4oe\TokenService\Microsoft.Asal.TokenService.exe"
has failed with unexpected error: TS003: Error, TS004: Unable to get
access token. 'AADSTS50020: User account '{EmailHidden}' from
identity provider 'live.com' does not exist in tenant 'Microsoft
Services' and cannot access the application '{GuidHidden}'(Visual
Studio) in that tenant. The account needs to be added as an external
user in the tenant first. Sign out and sign in again with a different
Azure Active Directory user account.
My account in Azure AD was added as an external user to the tenant, my_email_com#EXT#@mycompany.onmicrosoft.com, although the Azure AD model of guests and members is extremely confusing.
I tried signing out and in again, to no avail. I don't know why it says my user needs to be added as an external user to the tenant, when it already seems to be. Anyone have any suggestions?
The entirety of my code is as follows:
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
var builder = WebApplication.CreateBuilder();
// Azure KeyVault - succeeds locally and for Azure AppService
var keyVaultUri = "https://{MYVAULT}.vault.azure.net/";
var client = new SecretClient(new Uri(keyVaultUri), new DefaultAzureCredential());
var testSecret = client.GetSecret("secretTest").Value.Value;
// Azure AppConfig
var appConfigUri = "https://{MYCONFIG}.azconfig.io/";
// The following code fails when run locally:
builder.Configuration.AddAzureAppConfiguration(options =>
options.Connect(new Uri(appConfigUri), new DefaultAzureCredential()));
var app = builder.Build();
var testConfig = app.Configuration["testConfig"];
app.MapGet("/", () => quot;secret: {testSecret}, appConfig: {testConfig}");
app.Run();
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我今天再次尝试,但错误略有不同:
因此,我打开了PowerShell并运行了命令:
它启动了浏览器,并且我已经登录了。然后,当我在本地再次尝试时,它起作用了!
非常奇怪的是,SecretClient不需要PowerShell AZ登录,但是AppConfig确实...
我也不确定自昨天以来发生了什么变化,无法给我不同的错误。 Azure有时是善变的野兽。
I tried again today but got a slightly different error:
So I opened powershell and ran the command:
It launched the browser, and I was already logged in. Then when I tried again locally, it worked!
Very strange that the SecretClient didn't need the powershell az login but the AppConfig did...
And I'm also not sure what changed since yesterday to give me the different type of error. Azure is a fickle beast at times.