Azure App Service stops working after enabling Managed Identity

Problem description

I've deployed a Docker container in Azure App Services. I have a public API that I can call, which returns "Hello world".

I would like to use Azure Managed Identity in my app, so I enabled it in Azure portal. I enabled the "System assigned" one, following this documentation: https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet

After enabling the Managed Identity, my web app stops working. Restarting it doesn't help. Disabling the Managed identity fixes it.

If I try to call my API I get an error: ":( Application Error If you are the application administrator, you can access the diagnostic resources."

It's not just my API, it's the whole application that stops working. If I try to navigate to https://[myApp].azurewebsites.net I get the same error. Without Managed Identity, I get "404 page not found" when navigating to this address.

Has anyone encountered this? How to fix it?

Update: I could not reproduce it with the sample "Static site" container, so it has to be somehow related to the container that we deploy. But I don't understand what could cause it - does enabling the Managed Identity somehow change (reduce) things that the app can do?

Update 2: The container contains a Go application that uses Azure SDK to authenticate with AAD. It seems to us that this authentication attempt makes the whole app crash during startup, if Managed Identity is enabled. Our intention is to get a secret from Azure Key Vault, using Managed Identity. Then use this secret to authenticate with AAD. Right now our app doesn't even attempt to talk with the Managed Identity service.

Recommended answer

Summarizing the comments into a reply to make the solution clearer for others to find.

The moment we define MSI_SECRET as blank (existing, but blank; nonexistent is fine), the SDK crashes.

So define the MSI_SECRET value as it is shown in the KUDU environment.
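
The answer's distinction between an unset and a defined-but-blank MSI_SECRET can be checked at startup, before any SDK call. This is an added Go example, not code from the original post or from the Azure SDK; the function names are hypothetical, and MSI_ENDPOINT is included on the assumption that App Service sets it alongside MSI_SECRET.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// VarState is how a variable appears in the process environment.
type VarState int

const (
	Unset VarState = iota // not defined at all
	Blank                 // defined, but empty (whitespace-only counted too: an assumption)
	Set                   // defined with a value
)

// classify uses a lookup with os.LookupEnv's signature so tests can fake the environment.
func classify(name string, lookup func(string) (string, bool)) VarState {
	v, ok := lookup(name)
	if !ok {
		return Unset
	}
	if strings.TrimSpace(v) == "" {
		return Blank
	}
	return Set
}

// CheckManagedIdentityEnv rejects the defined-but-blank state described in the
// answer. It names the offending variables but never echoes their values.
func CheckManagedIdentityEnv(lookup func(string) (string, bool)) error {
	var blank []string
	for _, name := range []string{"MSI_ENDPOINT", "MSI_SECRET"} { // MSI_ENDPOINT: assumed companion
		if classify(name, lookup) == Blank {
			blank = append(blank, name)
		}
	}
	if len(blank) == 0 {
		return nil
	}
	return fmt.Errorf("defined but blank: %s", strings.Join(blank, ", "))
}

func main() {
	if err := CheckManagedIdentityEnv(os.LookupEnv); err != nil {
		fmt.Fprintln(os.Stderr, "managed identity environment:", err)
		os.Exit(1)
	}
}
```

Running the check first in `main` turns the startup crash into a one-line diagnostic in the container log without writing the secret itself anywhere.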
