我正在尝试使用 azure batch 的系统分配托管标识来访问 Azure Key Vault。我在网上找到了一些代码,但我不知道这是否可行,或者证书路由是唯一的可能性。我为批处理帐户启用了托管标识并将其添加到 keystore 中。但是,当我尝试从批处理池中的 python sdk 获取托管标识时,它失败了,我无法连接到 keystore 。
我已经尝试了旧的 azure-keyvault 包(1.1.0 版)和更新的 4.0 版。
这是使用旧的 key vault 包,它给出了 HTTPRequest 错误:
from azure.keyvault import KeyVaultClient
from msrestazure.azure_active_directory import MSIAuthentication
credentials = MSIAuthentication(resource='https://vault.azure.net')
kvclient = KeyVaultClient(credentials)
res = kvclient.get_secret("https://kv.vault.azure.net/", "secret", "").value
对于较新的 azure keyvault 包,我使用了这个:
import os
import cmd
from azure.keyvault.secrets import SecretClient
from azure.identity import ManagedIdentityCredential
keyVaultName = "kv"
KVUri = f"https://{keyVaultName}.vault.azure.net"
credential = DefaultAzureCredential()
client = SecretClient(vault_url=KVUri, credential=credential)
secretName = "secret"
retrieved_secret = client.get_secret(secretName)
但它找不到 ManagedIdentityCredential。这是错误的一部分:
SharedTokenCacheCredential.get_token failed: Shared token cache unavailable
VisualStudioCodeCredential.get_token failed: Failed to get Azure user details from Visual Studio Code.
AzureCliCredential.get_token failed: Please run 'az login' to set up an account
DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
EnvironmentCredential: EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ManagedIdentityCredential: ManagedIdentityCredential authentication unavailable. No identity has been assigned to this resource.
SharedTokenCacheCredential: Shared token cache unavailable
VisualStudioCodeCredential: Failed to get Azure user details from Visual Studio Code.
AzureCliCredential: Please run 'az login' to set up an account
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
最佳答案
2021-02-17 更新答案:
Batch 池上的托管身份现已在选定区域提供公共(public)预览版。请看this doc .
原答案:
目前不支持此方案。请阅读documentation关于此功能以及在文档底部解决它的特定常见问题解答项目。
另请参阅 UserVoice request .
关于python - 使用 Azure Batch 中的托管标识在批处理池中使用 Python 通过 Key Vault 进行身份验证,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/63965005/