我在 Azure 中有一个使用 AKS 预览版的 k8s 集群。
我还在虚拟机上启用了 MSI。如果我通过 ssh 连接到虚拟机,我可以看到 MSI 服务正在运行:
curl http://localhost:50342/oauth2/token --data "resource=https://vault.azure.net" -H Metadata:true
我收到的回复符合您根据文档所期望的内容。
但是,我无法弄清楚如何让我的 aspnet core 应用程序根据需要使用 AzureServiceTokenProvider。在本地它可以工作,一旦部署在 kubernetes 的 pod 内,它就无法找到所需的授权。
我得到的错误是:
Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/9d93c307-6856-4bab-8fa9-99690e0fabaf. Exception Message: Tried the following 3 methods to get an access token, but none of them worked. Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/9d93c307-6856-4bab-8fa9-99690e0fabaf. Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup. Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/9d93c307-6856-4bab-8fa9-99690e0fabaf. Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Environment variable LOCALAPPDATA not set. Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/9d93c307-6856-4bab-8fa9-99690e0fabaf. Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. /bin/bash: az: No such file or directory ```
有人能够使用类似的代码从 Pod 中的 KeyVault 中读取数据吗?
AzureServiceTokenProvider azureServiceTokenProvider = new
AzureServiceTokenProvider();
KVC = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var baseUrl = config.GetValue<string>("Azure:VaultURL");
var secretLocation = config.GetValue<string>("Azure:SecretLocation");
location = $"{baseUrl}{secretLocation}";
KVC.GetSecretAsync(location).Result.Value;
最佳答案
您熟悉 AAD Pod Identity 吗? https://github.com/Azure/aad-pod-identity 。我们一直在企业环境和用户分配的身份(而不是 MSI)中处理此问题。
此方法不能解决您的 MSI 问题,但它确实提供了一种可以解决您的根本问题的替代方案。
关于c# - 无法在 Azure 上将 MSI 与 AKS 结合使用,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/49061349/