从Azure功能访问Azure批处理 [英] Access Azure Batch from an Azure Function
问题描述
我正在尝试使用服务原理从Azure功能访问批处理池,并遇到我不了解的身份验证问题。最初使用服务原理登录可以正常工作,但是使用凭据访问批处理池将返回401。
下面是我的代码的精简版,带有注释:关键点
module.exports.dispatch =函数(上下文){
MsRest.loginWithServicePrincipalSecret( 'AppId','Secret','TennantId',function(err,凭据){
if(err)throw err;
//这在打印凭据$ b $时起作用b context.log(credentials);
var batch_client = new batch.ServiceClient(credentials,accountUrl);
batch_client.pool.get('mycluster',function(error) ,结果){
if(error === null)
{
context.log('Accessed pool');
context.log(result);
}
else
{
//请求批处理服务返回401
if(error.statusCode === 404)
{
context.log(未找到池,但返回了404 ...);
}
else
{
context.log(检索池数据时发生错误);
context.log(错误);
}
//’服务器无法验证请求。确保Authorization标头的值格式正确。
context.res = {正文:error.body.message.value};
context.done();
}
});
});
};
使用服务原理的初始登录如何工作没有问题,但是返回的凭据却没有问题能够访问批处理池?
实际错误是检查请求上的auth标头,我可以看到它,甚至没有Authorization标头。 / p>
我对批处理帐户的Active Directory访问控制进行了三重检查,应用ID和密码属于批处理帐户的所有者。任何想法下一步该怎么做?
Azure Batch npm客户端期望的凭据不是Azure Active Directory凭据/令牌,但批处理帐户的密钥。您可以使用Azure CLI通过以下命令列出密钥:
az批处理帐户密钥列表-g< resource-group -name> -n< batch-account-name>
然后您可以创建凭据参数
var凭证=新批次。SharedKeyCredentials('your-account-name','your-account-key');
如果您想将批处理密钥存储在Key Vault之类的地方,您仍然可以在这里涉及服务主体。 :
- 针对密钥库获取服务主体身份验证以获取名称和密钥
- 使用名称和密钥创建凭据
I'm trying to use a Service Principle to access a Batch pool from an Azure Function and running into authentication issues that I don't understand. The initial login with the Service Principle works fine, but then using the credentials to access the batch pool returns a 401.
Below is a condensed version of my code with comments at the key points
module.exports.dispatch = function (context) {
MsRest.loginWithServicePrincipalSecret('AppId', 'Secret', 'TennantId', function(err, credentials){
if (err) throw err;
// This works as it prints the credentials
context.log(credentials);
var batch_client = new batch.ServiceClient(credentials, accountUrl);
batch_client.pool.get('mycluster', function(error, result){
if(error === null)
{
context.log('Accessed pool');
context.log(result);
}
else
{
//Request to batch service returns a 401
if(error.statusCode === 404)
{
context.log('Pool not found yet returned 404...');
}
else
{
context.log('Error occurred while retrieving pool data');
context.log(error);
}
//'Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly.
context.res = { body: error.body.message.value };
context.done();
}
});
});
};
How can the initial login with a service principle work no problem, but then the credentials it returns not be able to access the batch pool?
The actual error says to check the auth header on the request, which I can see and the Authorisation header isn't even present.
I've triple checked the Active Directory access control for the batch account the App ID and secret are the ones belonging to the owner of the batch account. Any ideas what to try next?
The credentials expected by the Azure Batch npm client aren't the Azure Active Directory credentials/token, but the keys for the batch account. You can list your keys using the Azure CLI with a command like the following:
az batch account keys list -g "<resource-group-name>" -n "<batch-account-name>"
Then you can create the credentials parameter with those keys:
var credentials = new batch.SharedKeyCredentials('your-account-name', 'your-account-key');
You could still involve a Service Principal here if you wanted to store your batch keys in something like Key Vault, but then your code would be:
- Get Service Principal auth against key vault to fetch name and key
- Use name and key to create credentials
这篇关于从Azure功能访问Azure批处理的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!