This article describes how to handle an exception that occurs when connecting to Key Vault from an Azure VM; it should be a useful reference for anyone facing the same problem.

Problem description

I am running my application from an Azure VM and trying to connect to Key Vault, but I am getting the exception below:

Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/1e465dc8-5f36-4ab9-9a49-57cbfdcfdf9a. Exception Message: Tried the following 3 methods to get an access token, but none of them worked.

Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/1e465dc8-5f36-4ab9-9a49-57cbfdcfdf9a. Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.

Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/1e465dc8-5f36-4ab9-9a49-57cbfdcfdf9a. Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Exception for Visual Studio token provider Microsoft.Asal.TokenService.exe : TS003: Error, TS001: This account 'username' needs re-authentication. Please go to Tools->Azure Services Authentication, and re-authenticate the account you want to use.

Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/1e465dc8-5f36-4ab9-9a49-57cbfdcfdf9a. Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. 'az' is not recognized as an internal or external command, operable program or batch file.

I have checked the prerequisites, such as: 1. created the Key Vault in the same resource group as the VM and added 2 secrets; 2. checked that the VM is registered in Active Directory and that it has a system-assigned identity; 3. added an access policy allowing the VM to get and list secrets.

Here is the code. What am I missing?

using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.DependencyInjection;
public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);

    // Acquires a token from the local environment (MSI, Visual Studio, Azure CLI, ...).
    var azureServiceTokenProvider = new AzureServiceTokenProvider();
    var keyVaultClient = new KeyVaultClient(
        new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

    // Blocking call; the exception above is thrown from here when no token source works.
    var secret = keyVaultClient.GetSecretAsync("https://vaultname.vault.azure.net/Secrets/connString").Result.Value;
}

Recommended answer

The errors indicate an authentication issue, so there are two things to validate, in order:

  • Confirm that the VM can query the Azure metadata service:
Invoke-RestMethod -Headers @{"Metadata"="true"} -URI "http://169.254.169.254/metadata/instance/compute/vmId?api-version=2017-08-01&format=text" -Method get

If the above query succeeds, check the Identity API on the metadata service; if it fails, there is a communication issue between the VM and the Azure environment.

  • Confirm that the VM can query the Identity API of the Azure metadata service:
Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F' -Headers @{Metadata="true"}

If the above query succeeds, there is nothing wrong with MSI.
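As an added example that is not part of the original answer, the following PowerShell script runs the two checks above in order and, if both pass, requests a token for the resource the failing app actually needs (https://vault.azure.net, the Resource named in the exception) and reads the identity claims out of it. The $imds variable, the Test-ImdsStep helper and the JWT decoding are my own constructs; run it on the VM itself, since 169.254.169.254 is only reachable from inside Azure.

```powershell
# Added example, not from the original answer. Walks the IMDS checks in order
# and stops at the first failing stage so the cause is narrowed down.
$imds = 'http://169.254.169.254'
$hdr  = @{ Metadata = 'true' }

function Test-ImdsStep {
    param([string]$Name, [scriptblock]$Action)
    try {
        $r = & $Action
        Write-Host "[PASS] $Name"
        return $r
    } catch {
        Write-Host "[FAIL] $Name : $($_.Exception.Message)"
        return $null
    }
}

# Step 1: basic IMDS reachability (communication between the VM and Azure).
$vmId = Test-ImdsStep 'Instance metadata reachable' {
    Invoke-RestMethod -Headers $hdr -Method Get `
        -Uri "$imds/metadata/instance/compute/vmId?api-version=2017-08-01&format=text"
}
if (-not $vmId) { return }

# Step 2: identity endpoint, scoped to Key Vault rather than management.azure.com,
# because that is the resource the exception says the app asked for.
$resource = [uri]::EscapeDataString('https://vault.azure.net')
$tok = Test-ImdsStep 'Managed identity token for Key Vault' {
    Invoke-RestMethod -Headers $hdr -Method Get `
        -Uri "$imds/metadata/identity/oauth2/token?api-version=2018-02-01&resource=$resource"
}
if (-not $tok) { return }

# Decode the JWT payload (no signature check; this only reads the claims).
$payload = $tok.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
$payload = $payload.PadRight($payload.Length + (4 - $payload.Length % 4) % 4, '=')
$claims  = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
Write-Host "Identity object id: $($claims.oid), audience: $($claims.aud), expires_on: $($tok.expires_on)"
# The oid reported here must be the principal granted Get/List secrets in the
# vault's access policy; a token at this stage plus a 403 from the vault means
# the access policy, not MSI, is the problem.
```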


08-15 19:04