Unable to get access to Key Vault using Azure MSI on App Service


Problem description

I have enabled Managed Service Identities on an App Service. However, my WebJobs seem unable to access the keys.

They report:

Tried the following 3 methods to get an access token, but none of them worked.
Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: . Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.
Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.microsoftonline.com/common. Exception Message: Tried to get token using Active Directory Integrated Authentication. Access token could not be acquired. password_required_for_managed_user: Password is required for managed user
Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: . Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. 'az' is not recognized as an internal or external command,

Kudu does not show any MSI_ environment variables.

How is this supposed to work? This is an existing App Service Plan.

Recommended answer

I've found out that if you enable MSI and then swap out the slot, the functionality leaves with the slot change. You can re-enable it by switching it off and on again, but that will create a new identity in AD and will require you to reset permissions on the key vault for it to work.
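
The two conditions discussed above (no MSI_ variables on the slot, and a re-enabled identity that no longer matches the Key Vault permissions) can be checked from the Kudu console. The following is an added example, not part of the original question or answer. It assumes the App Service variables `MSI_ENDPOINT` and `MSI_SECRET` and the `2017-09-01` token API, which the page does not name; the function names are hypothetical and the object ID is a placeholder.

```powershell
# Added diagnostic (not from the original post). Paste into the Kudu PowerShell
# console of the slot that runs the WebJob.

function ConvertFrom-JwtPayload([string]$Jwt) {
    # The payload is the second dot-separated part, base64url-encoded without padding.
    $part = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($part.Length % 4) { 2 { $part += '==' } 3 { $part += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($part)) | ConvertFrom-Json
}

function Test-MsiKeyVaultIdentity([string]$ExpectedObjectId) {
    # Assumption: App Service sets both variables only while a managed identity is enabled.
    if (-not $env:MSI_ENDPOINT -or -not $env:MSI_SECRET) {
        return 'MSI_ENDPOINT/MSI_SECRET missing: this slot has no managed identity.'
    }

    # Ask the local MSI endpoint for a Key Vault token; the secret goes in a header.
    $uri = $env:MSI_ENDPOINT + '?resource=https://vault.azure.net&api-version=2017-09-01'
    $token = Invoke-RestMethod -Uri $uri -Headers @{ Secret = $env:MSI_SECRET }

    # Only identity claims are shown; the token itself is never written out.
    $claims = ConvertFrom-JwtPayload $token.access_token
    [pscustomobject]@{
        TenantId        = $claims.tid
        ObjectId        = $claims.oid
        MatchesKeyVault = ($claims.oid -eq $ExpectedObjectId)
    }
}

# Placeholder: the object ID that the Key Vault access policy currently lists.
Test-MsiKeyVaultIdentity -ExpectedObjectId '<object-id-from-key-vault-access-policy>'
```

If `MatchesKeyVault` is false, the access policy still refers to the previous identity, and the `ObjectId` shown is the one that needs permissions on the vault.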
