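This Python script is deployed to run from an Azure Function App on a Linux Consumption plan. The script is expected to read a secret from Azure Key Vault.
In addition to deploying the code, the following configuration was done:
1.) System-assigned managed access enabled for the Azure Function App
2.) Role assignment on the Azure Key Vault -> Reader role
Here is the code from __init__.py: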
import logging
import azure.functions as func
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

def main(req: func.HttpRequest) -> func.HttpResponse:
    logging.info('Python HTTP trigger function processed a request.')
    # Get url and filename from postman by using POST method
    #identity = ManagedIdentityCredential()
    credentials = DefaultAzureCredential()
    secretClient = SecretClient(vault_url="https://kvkkpbedpdev.vault.azure.net/", credential=credentials)
    secret = secretClient.get_secret(name = 'st-cs-kkpb-edp-dev')
This function app needs the following libraries, which are defined in the requirements.txt file:
azure-functions
azure-keyvault-secrets
azure-identity
The function runs and ends with the following exception:
warn: Function.Tide_GetFiles.User[0]
python | SharedTokenCacheCredential.get_token failed: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
python | Traceback (most recent call last):
python | File "/usr/local/lib/python3.8/site-packages/azure/identity/_internal/decorators.py", line 27, in wrapper
python | token = fn(*args, **kwargs)
python | File "/usr/local/lib/python3.8/site-packages/azure/identity/_credentials/shared_cache.py", line 88, in get_token
python | account = self._get_account(self._username, self._tenant_id)
python | File "/usr/local/lib/python3.8/site-packages/azure/identity/_internal/decorators.py", line 45, in wrapper
python | return fn(*args, **kwargs)
python | File "/usr/local/lib/python3.8/site-packages/azure/identity/_internal/shared_token_cache.py", line 166, in _get_account
python | raise CredentialUnavailableError(message=NO_ACCOUNTS)
python | azure.identity._exceptions.CredentialUnavailableError: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
python | info: Function.Tide_GetFiles.User[0]
python | DefaultAzureCredential - SharedTokenCacheCredential is unavailab
and the error:
fail: Function.Tide_GetFiles[3]
python | Executed 'Functions.Tide_GetFiles' (Failed, Id=9d514a1f-aeae-4625-9379-b2f0bc89f38f, Duration=1673ms)
python | Microsoft.Azure.WebJobs.Host.FunctionInvocationException: Exception while executing function: Functions.Tide_GetFiles
python | ---> Microsoft.Azure.WebJobs.Script.Workers.Rpc.RpcException: Result: Failure
python | Exception: ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials.
python | Attempted credentials:
python | EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
python | ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
python | SharedTokenCacheCredential: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
How can I figure this out?
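From the error, it seems the managed identity is not applied correctly to the Function App. You should be able to see it by going to the Identity blade of the Function App.
Also, if you are not using the new preview access control, you should add the required access policy (separate from the role assignments in Access control) (here, Get for secrets) to allow the identity (it has the same name as the app) to access the key vault. See How to set and get secrets from Azure Key Vault with Azure Managed Identities and Python.
Using the Azure portal, go to the Key Vault's access policies and grant the required access to the Key Vault.
You can also create an Azure service principal via the Azure CLI, PowerShell, or the portal and grant it the same access.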
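To separate "the identity is not enabled" from other causes, this added example (not part of the original question or answers) parses the "Attempted credentials" block from the log above and checks whether the Functions host exposed a managed identity endpoint. The environment variable names (IDENTITY_ENDPOINT/IDENTITY_HEADER, and the older MSI_ENDPOINT/MSI_SECRET) come from App Service behaviour rather than from this page; the function names and result labels are hypothetical.

```python
import os
import re

# Log lines copied from the failure quoted on this page.
SAMPLE_LOG = """\
python | Exception: ClientAuthenticationError: DefaultAzureCredential failed to retrieve a token from the included credentials.
python | Attempted credentials:
python | EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
python | ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
python | SharedTokenCacheCredential: SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.
"""

# Assumption: variable pairs the App Service / Functions host injects once a
# managed identity is enabled (current pair first, legacy pair second).
MI_ENV_PAIRS = (("IDENTITY_ENDPOINT", "IDENTITY_HEADER"), ("MSI_ENDPOINT", "MSI_SECRET"))
ATTEMPT = re.compile(r"^(?:python \| )?(\w+Credential): (.+)$")

def parse_attempts(log_text):
    """Return {credential name: failure reason} from the 'Attempted credentials:' block."""
    attempts, in_block = {}, False
    for line in log_text.splitlines():
        if "Attempted credentials:" in line:
            in_block = True
            continue
        if in_block:
            m = ATTEMPT.match(line.strip())
            if not m:
                break  # the block ends at the first line that is not a credential entry
            attempts[m.group(1)] = m.group(2).strip()
    return attempts

def managed_identity_env(env=None):
    """Return the complete variable pair found in env, or None if the host set none."""
    env = os.environ if env is None else env
    for pair in MI_ENV_PAIRS:
        if all(env.get(name) for name in pair):
            return pair
    return None

def diagnose(log_text, env=None):
    """Classify the failure so the next check (Identity blade vs. elsewhere) is clear."""
    attempts = parse_attempts(log_text)
    if not attempts:
        return "no-credential-block"
    if "no managed identity endpoint found" not in attempts.get("ManagedIdentityCredential", ""):
        return "other-credential-failure"
    if managed_identity_env(env) is None:
        return "identity-not-enabled"      # nothing injected: check the Identity blade
    return "endpoint-present-recheck"      # endpoint exists now: redeploy/restart and retry
```

Run `diagnose(log_text)` inside the function app itself, so `os.environ` reflects what the host actually injected.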