c# - DefaultAzureCredential 对于 AzureAppConfiguration 失败，但在本地运行时适用于 SecretClient

Question

我正在尝试对 Azure Key Vault 和 Azure App Config 使用托管标识。

当我部署到 Azure 应用服务时，以下代码有效 - 但当我在本地运行时，SecretClient 代码成功，而 AppConfig 代码失败。

对于我的 KeyVault，我尝试使用Vault 访问策略和 RBAC - 两者都有效。我将自己和应用服务添加为Key Vault Secrets User角色。

对于我的 AppConfig，我已将自己添加到 RBAC 作为应用配置数据所有者，并将我的应用服务作为应用配置数据读取者。请注意，应用服务可以成功配置并读取此内容，但是当我在本地运行它时，我会收到各种错误，具体取决于我的尝试:

调用 AddAzureAppConfiguration 时出现以下异常:

Process "C:\Program Files\Microsoft Visual Studio\2022\Professional\Common7\IDE\Extensions\lybeojxv.4oe\TokenService\Microsoft.Asal.TokenService.exe" has failed with unexpected error: TS003: Error, TS004: Unable to get access token. 'AADSTS50020: User account '{EmailHidden}' from identity provider 'live.com' does not exist in tenant 'Microsoft Services' and cannot access the application '{GuidHidden}'(Visual Studio) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

我在 Azure AD 中的帐户已作为外部用户添加到租户 my_email_com#EXT#@mycompany.onmicrosoft.com，尽管 guest 和成员的 Azure AD 模型极其令人困惑。

我尝试退出并再次登录，但无济于事。我不知道为什么它说我的用户需要作为外部用户添加到租户，而它似乎已经是这样。 有人有什么建议吗？

我的完整代码如下:

using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

var builder = WebApplication.CreateBuilder();

// Azure KeyVault - succeeds locally and for Azure AppService
var keyVaultUri = "https://{MYVAULT}.vault.azure.net/";
var client = new SecretClient(new Uri(keyVaultUri), new DefaultAzureCredential());
var testSecret = client.GetSecret("secretTest").Value.Value;

// Azure AppConfig
var appConfigUri = "https://{MYCONFIG}.azconfig.io/";
// The following code fails when run locally:
builder.Configuration.AddAzureAppConfiguration(options =>
    options.Connect(new Uri(appConfigUri), new DefaultAzureCredential()));

var app = builder.Build();
var testConfig = app.Configuration["testConfig"];

app.MapGet("/", () => $"secret: {testSecret}, appConfig: {testConfig}");
app.Run();

Answer 1

我今天再次尝试，但出现了略有不同的错误:

Azure.Identity.CredentialUnavailableException: 'DefaultAzureCredential failed to retrieve a token from the included credentials. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/defaultazurecredential/troubleshoot

• EnvironmentCredential authentication unavailable. Environment variables are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/environmentcredential/troubleshoot
• ManagedIdentityCredential authentication unavailable. Multiple attempts failed to obtain a token from the managed identity endpoint.
• Process "C:\Program Files\Microsoft Visual Studio\2022\Professional\Common7\IDE\Extensions\lybeojxv.4oe\TokenService\Microsoft.Asal.TokenService.exe" has failed with unexpected error: TS003: Error, TS004: Unable to get access token. 'AADSTS50020: User account '{EmailHidden}' from identity provider 'live.com' does not exist in tenant 'Microsoft Services' and cannot access the application '872cd9fa-d31f-45e0-9eab-6e460a02d1f1'(Visual Studio) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account. Trace ID: c265dbc1-6bfc-495c-b633-d79b609beb00 Correlation ID: 773c8fe6-fc1b-4afb-9e85-82208ded72d2 Timestamp: 2022-06-16 00:48:03Z'.
• Stored credentials not found. Need to authenticate user in VSCode Azure Account. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/vscodecredential/troubleshoot > - Please run 'az login' to set up account
• PowerShell is not installed.'

所以我打开 powershell 并运行命令:

az login

它启动了浏览器，并且我已经登录了。然后当我在本地再次尝试时，它成功了!

很奇怪，SecretClient 不需要 powershell az login 但 AppConfig 需要...

而且我也不确定自昨天以来发生了什么变化给我带来了不同类型的错误。 Azure 有时是一头善变的野兽。