使用@azure/identity访问密钥保管库并获取错误';请求缺少承载或PoP令牌错误401';
我试图从Azure的keyvault中检索一些机密,但我似乎无法使用@Azure/identity module进行身份验证 版本:使用@azure/identity访问密钥保管库并获取错误';请求缺少承载或PoP令牌错误401';,azure,azure-active-directory,azure-functions,azure-keyvault,azure-sdk,Azure,Azure Active Directory,Azure Functions,Azure Keyvault,Azure Sdk,我试图从Azure的keyvault中检索一些机密,但我似乎无法使用@Azure/identity module进行身份验证 版本: "@azure/identity": "^1.0.0-preview.6", "@azure/keyvault-secrets": "^4.0.0-preview.9", 我有一个azure functions应用程序,我已经在生产和本地使用local.settings.json配置了该应用程序,并为以下内容填写了正确的值: { "IsEncrypted
"@azure/identity": "^1.0.0-preview.6",
"@azure/keyvault-secrets": "^4.0.0-preview.9",
我有一个azure functions应用程序,我已经在生产和本地使用local.settings.json
配置了该应用程序,并为以下内容填写了正确的值:
{
"IsEncrypted": false,
"Values": {
"AZURE_CLIENT_ID": "REDACTED",
"AZURE_CLIENT_SECRET": "REDACTED",
"AZIRE_TENANT_ID": "REDACTED"
},
"ConnectionStrings": {}
}
- 通过Azure Active Directory注册的应用=>应用注册
- 禁用登录
- 已创建应用程序机密
import { KeyVaultSecret, SecretClient } from '@azure/keyvault-secrets';
import { EnvironmentCredential } from '@azure/identity';
export const GetSecret = async (key: string): Promise<string> => {
try {
const credential: EnvironmentCredential = new EnvironmentCredential();
console.log('CREDENTIAL: ', credential);
console.log('CLIENT SECRET', process.env.AZURE_CLIENT_SECRET);
console.log('CLIENT ID', process.env.AZURE_CLIENT_ID);
const url = 'https://tlabs-vault.vault.azure.net';
const client = new SecretClient(url, credential);
let secret: KeyVaultSecret = await client.getSecret(key);
return secret.value;
} catch (err) {
console.error('Error getting secret from Azure Vault', err);
}
};
以及引发错误的完整请求:
request:
[10/28/2019 1:14:16 PM] WebResource {
[10/28/2019 1:14:16 PM] streamResponseBody: false,
[10/28/2019 1:14:16 PM] url:
[10/28/2019 1:14:16 PM] 'https://REDACTED_VAULT_NAME.vault.azure.net/secrets/REDACTED_SECRET_NAME/?api-version=7.0',
[10/28/2019 1:14:16 PM] method: 'GET',
[10/28/2019 1:14:16 PM] headers: HttpHeaders { _headersMap: [Object] },
[10/28/2019 1:14:16 PM] body: undefined,
[10/28/2019 1:14:16 PM] query: undefined,
[10/28/2019 1:14:16 PM] formData: undefined,
[10/28/2019 1:14:16 PM] withCredentials: false,
[10/28/2019 1:14:16 PM] abortSignal: undefined,
[10/28/2019 1:14:16 PM] timeout: 0,
[10/28/2019 1:14:16 PM] onUploadProgress: undefined,
[10/28/2019 1:14:16 PM] onDownloadProgress: undefined,
[10/28/2019 1:14:16 PM] proxySettings: undefined,
[10/28/2019 1:14:16 PM] keepAlive: true,
[10/28/2019 1:14:16 PM] operationSpec:
[10/28/2019 1:14:16 PM] { httpMethod: 'GET',
[10/28/2019 1:14:16 PM] path: 'secrets/{secret-name}/{secret-version}',
[10/28/2019 1:14:16 PM] urlParameters: [Array],
[10/28/2019 1:14:16 PM] queryParameters: [Array],
[10/28/2019 1:14:16 PM] responses: [Object],
[10/28/2019 1:14:16 PM] serializer: [Serializer] } },
[10/28/2019 1:14:16 PM] response:
[10/28/2019 1:14:16 PM] { body:
[10/28/2019 1:14:16 PM] '{"error":{"code":"Unauthorized","message":"Request is missing a Bearer or PoP token."}}',
[10/28/2019 1:14:16 PM] headers: HttpHeaders { _headersMap: [Object] },
[10/28/2019 1:14:16 PM] status: 401,
[10/28/2019 1:14:16 PM] parsedBody: { error: [Object] } },
[10/28/2019 1:14:16 PM] details:
[10/28/2019 1:14:16 PM] { error:
[10/28/2019 1:14:16 PM] { code: 'Unauthorized',
[10/28/2019 1:14:16 PM] message: 'Request is missing a Bearer or PoP token.' } } }
请关注这个博客,了解如何使用它 主要步骤是
为功能应用启用系统授权的托管身份
和为功能应用添加密钥库访问策略
在这些操作之后,不要忘记在函数应用程序配置中使用@Microsoft.KeyVault(SecretUri={用户名密码的复制标识符})
添加密钥库密码引用。如果设置正确,配置后将显示下图
下面是我的测试结果,我使用os.environ[name]
来获取秘密
有关此问题的任何更新,您现在可以使用key vault吗?@GeorgeChen嗨George,我已经制作了一个关于此问题的github线程,其中链接了我在该问题上制作的两个线程。问题是租户ID属性丢失(拼写错误),并且只有在我使用“ClientSecretCredential”方法时,它才提供有意义的错误消息。我确实需要在RBAC之上添加一个访问策略,但是它提供了一个有意义的错误消息,所以很容易识别。
request:
[10/28/2019 1:14:16 PM] WebResource {
[10/28/2019 1:14:16 PM] streamResponseBody: false,
[10/28/2019 1:14:16 PM] url:
[10/28/2019 1:14:16 PM] 'https://REDACTED_VAULT_NAME.vault.azure.net/secrets/REDACTED_SECRET_NAME/?api-version=7.0',
[10/28/2019 1:14:16 PM] method: 'GET',
[10/28/2019 1:14:16 PM] headers: HttpHeaders { _headersMap: [Object] },
[10/28/2019 1:14:16 PM] body: undefined,
[10/28/2019 1:14:16 PM] query: undefined,
[10/28/2019 1:14:16 PM] formData: undefined,
[10/28/2019 1:14:16 PM] withCredentials: false,
[10/28/2019 1:14:16 PM] abortSignal: undefined,
[10/28/2019 1:14:16 PM] timeout: 0,
[10/28/2019 1:14:16 PM] onUploadProgress: undefined,
[10/28/2019 1:14:16 PM] onDownloadProgress: undefined,
[10/28/2019 1:14:16 PM] proxySettings: undefined,
[10/28/2019 1:14:16 PM] keepAlive: true,
[10/28/2019 1:14:16 PM] operationSpec:
[10/28/2019 1:14:16 PM] { httpMethod: 'GET',
[10/28/2019 1:14:16 PM] path: 'secrets/{secret-name}/{secret-version}',
[10/28/2019 1:14:16 PM] urlParameters: [Array],
[10/28/2019 1:14:16 PM] queryParameters: [Array],
[10/28/2019 1:14:16 PM] responses: [Object],
[10/28/2019 1:14:16 PM] serializer: [Serializer] } },
[10/28/2019 1:14:16 PM] response:
[10/28/2019 1:14:16 PM] { body:
[10/28/2019 1:14:16 PM] '{"error":{"code":"Unauthorized","message":"Request is missing a Bearer or PoP token."}}',
[10/28/2019 1:14:16 PM] headers: HttpHeaders { _headersMap: [Object] },
[10/28/2019 1:14:16 PM] status: 401,
[10/28/2019 1:14:16 PM] parsedBody: { error: [Object] } },
[10/28/2019 1:14:16 PM] details:
[10/28/2019 1:14:16 PM] { error:
[10/28/2019 1:14:16 PM] { code: 'Unauthorized',
[10/28/2019 1:14:16 PM] message: 'Request is missing a Bearer or PoP token.' } } }