问题描述

编写Powershell Function,登录到China Azure并获取Azure AD User信息,但是发现遇见了 [Error] ERROR: ManagedIdentityCredential authentication failed: An unexpected error occured while fetching the AAD Token. Please contact support with this provided Correlation IdStatus: 500 (Internal Server Error) 。

问题分析

分析错误原因,这是因为Powershell登录时候出现错误,考虑到目前是登录到中国区Azure,所以使用 Connect-AzAccount 登录时,想要指定 -Environment 为 AzureChinaCloud。

而 PowerShell Function App 自动在根目录下添加 profile.ps1 文件, 默认文件内容为:

# Azure Functions profile.ps1

#

# This profile.ps1 will get executed every "cold start" of your Function App.

# "cold start" occurs when:

#

# * A Function App starts up for the very first time

# * A Function App starts up after being de-allocated due to inactivity

#

# You can define helper functions, run commands, or specify environment variables

# NOTE: any variables defined that are not environment variables will get reset after the first execution

# Authenticate with Azure PowerShell using MSI.

# Remove this if you are not planning on using MSI or Azure PowerShell.

if ($env:MSI_SECRET) {

    Disable-AzContextAutosave -Scope Process | Out-Null

    Connect-AzAccount -Identity

}

# Uncomment the next line to enable legacy AzureRm alias in Azure PowerShell.

# Enable-AzureRmAlias

# You can also define functions or aliases that can be referenced in any of your PowerShell functions.

可见,默认的 Connect-AzAccount -Identity中并没有指定 Environment, 所以Function在运行时,会默认连接到Global Azure,所以就会出现 ManagedIdentityCredential authentication failed。

PS: 如果没有启用Managed Identity,则$env:MSI_SECRET为False,不会执行profile.ps1中的代码。

解决方案

在Function App页面中,点击App Service Editor, 修改 profile.ps1 文件。

使用

Connect-AzAccount -Environment AzureChinaCloud -Identity

代替

Connect-AzAccount  -Identity

操作截图如下:

修改后,回到Function --> Code + Test 页面,测试问题消失。

using namespace System.Net

# Input bindings are passed in via param block.

param($Request, $TriggerMetadata)

# Write to the Azure Functions log stream.

Write-Host "PowerShell HTTP trigger function processed a request."

Write-Host $env:MSI_SECRET

# Interact with query parameters or the body of the request.

$name = $Request.Query.Name

if (-not $name) {

    $name = $Request.Body.Name

}

$body = "This HTTP triggered function executed successfully. Pass a name in the query string or in the request body for a personalized response."

if ($name) {

    $body = "Hello, $name. This HTTP triggered function executed successfully."

}

#login in to azure china

Connect-AzAccount -Environment AzureChinaCloud -identity

# get User information

Get-AzADUser -First 2 -Select 'City' -AppendSelected

# Associate values to output bindings by calling 'Push-OutputBinding'.

Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{

    StatusCode = [HttpStatusCode]::OK

    Body = $body

})

注:为了是的Connect-AzAccount成功运行,需要在requirements.psd1中添加 'Az' = '7.*' ,使得Function App的实例安装好Az模块。当然,如果Function中需要其他的Powershell模块,在这里添加即可。

# This file enables modules to be automatically managed by the Functions service.

# See https://aka.ms/functionsmanageddependency for additional information.

#

@{

    # For latest supported version, go to 'https://www.powershellgallery.com/packages/Az'.

    # To use the Az module in your function app, please uncomment the line below.

    'Az' = '7.*'

}

附录一:在中国区Function App中如果没有指定Environment的其他异常有

异常一:anagedIdentityException: Exception thrown when retrieving a token using ADAL library 

Microsoft.Azure.AppService.ManagedIdentity.ManagedIdentityException: Exception thrown when retrieving a token using ADAL library --->

Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS500011: The resource principal named

https://management.core.windows.net/ was not found in the tenant named GSKChina. This can happen if the application has not been installed by the

administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. Trace

ID: cdc5ba6d-851a-45f1-a29f-20e608af0700 Correlation ID: af280748-d9f0-4d02-9ce3-ac74dffe0d23 Timestamp: 2022-04-19 09:50:50Z --->

System.Net.Http.HttpRequestException: Response status code does not indicate success: 400 (BadRequest). --->

Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException: {"error":"invalid_resource","error_description":"AADSTS500011: The resource

principal named https://management.core.windows.net/ was not found in the tenant named GSKChina. This can happen if the application has not been

installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the

wrong tenant.\r\n

Trace ID: cdc5ba6d-851a-45f1-a29f-20e608af0700\r\n

Correlation ID: af280748-d9f0-4d02-9ce3-ac74dffe0d23\r\n

Timestamp: 2022-04-19 09:50:50Z",

"error_codes":[500011],

"timestamp":"2022-04-19 09:50:50Z",

"trace_id":"cdc5ba6d-851a-45f1-a29f-20e608af0700",

"correlation_id":"af280748-d9f0-4d02-9ce3-ac74dffe0d23",

"error_uri":"https://login.partner.microsoftonline.cn/error?code=500011"}:

Unknown error --- End of inner exception stack trace ---

--- End of inner exception stack trace

--- at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Http.AdalHttpClient.d__22`1.MoveNext()

--- End of stack trace from previous location where exception was thrown

--- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Http.AdalHttpClient.d__21`1.MoveNext()

--- End of stack trace from previous location where exception was thrown

--- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.d__72.MoveNext()

--- End of stack trace from previous location where exception was thrown

--- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.d__69.MoveNext()

--- End of stack trace from previous location where exception was thrown

--- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.d__59.MoveNext()

--- End of stack trace from previous location where exception was thrown

--- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.d__57.MoveNext()

--- End of stack trace from previous location where exception was thrown

--- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.d__33.MoveNext()

--- End of stack trace from previous location where exception was thrown

--- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.d__58.MoveNext()

--- End of stack trace from previous location where exception was thrown

--- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Azure.AppService.ManagedIdentity.Clients.AdalClient.d__2.MoveNext()

--- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Azure.AppService.ManagedIdentity.Clients.AdalClient.d__0.MoveNext()

--- End of inner exception stack trace

--- at Microsoft.Azure.AppService.ManagedIdentity.Clients.AdalClient.d__0.MoveNext()

--- End of stack trace from previous location where exception was thrown

--- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Microsoft.Azure.AppService.ManagedIdentity.AadProvider.d__11.MoveNext()

--- End of stack trace from previous location where exception was thrown

--- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at

 Microsoft.Azure.AppService.ManagedIdentity.AadProvider.GetAuthToken(String tenantId, String clientId, String secretUrl, String resource, X509Certificate2 cert, IManagedIdentityLogger logger, Boolean bypassCache, String authenticationEndpoint) at

 Microsoft.Azure.AppService.TokenService.Controllers.TokenRequestServer.GetTokenV10(ITokenServiceHttpRequest tokenRequest)

异常二:ManagedIdentityCredential authentication failed: An unexpected error occured while fetching the AAD Token.

2022-04-19T15:05:56.059 [Warning] WARNING: Unable to acquire token for tenant 'organizations' with error 'ManagedIdentityCredential authentication failed: 
An unexpected error occured while fetching the AAD Token. Please contact support with this provided Correlation Id
Status: 500 (Internal Server Error)Headers:Date: Tue, 19 Apr 2022 15:05:55 GMTContent-Length: 200
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot'

2022-04-19T15:05:56.847 [Error] ERROR: ManagedIdentityCredential authentication failed: 
An unexpected error occured while fetching the AAD Token. Please contact support with this provided Correlation Id
Status: 500 (Internal Server Error)Headers:Date: Tue, 19 Apr 2022 15:05:55 GMTContent-Length: 200
See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshootException

参考资料

Get-AzADUser : https://docs.microsoft.com/en-us/powershell/module/az.resources/get-azaduser?view=azps-7.4.0

【Azure 应用服务】Azure Function 启用 Managed Identity后, Powershell Funciton出现 ERROR: ManagedIdentityCredential authentication failed的更多相关文章

  1. 【Azure 应用服务】Azure Function HTTP 触发后, 230秒就超时。而其他方式触发的Function, 执行5分钟后也超时,如何调整超时时间?

    问题描述 Azure Function HTTP 触发后, 230秒就超时,而其他方式触发的Function, 执行5分钟后也超时,如何调整超时时间? 问题分析 查阅官方文档,对函数应用超时持续时间有 ...

  2. 【Azure 应用服务】App Service/Azure Function的出站连接过多而引起了SNAT端口耗尽,导致一些新的请求出现超时错误(Timeout)

    问题描述 当需要在应用中有大量的出站连接时候,就会涉及到SNAT(源地址网络转换)耗尽的问题.而通过Azure App Service/Function的默认监控指标图表中,却没有可以直接查看到SNA ...

  3. 【Azure 应用服务】App Service .NET Core项目在Program.cs中自定义添加的logger.LogInformation,部署到App Service上后日志不显示Log Stream中的问题

    问题描述 在.Net Core 5.0 项目中,添加 Microsoft.Extensions.Logging.AzureAppServices 和 Microsoft.Extensions.Logg ...

  4. 【Azure 应用服务】部署Kafka Trigger Function到Azure Function服务中,解决自定义域名解析难题

    问题描述 经过前两篇文章,分别使用VM搭建了Kafka服务,创建了Azure Function项目,并且都在本地运行成功. [Azure Developer]在Azure VM (Windows) 中 ...

  5. 【Azure 应用服务】App Service For Linux 部署Java Spring Boot应用后,查看日志文件时的疑惑

    编写Java Spring Boot应用,通过配置logging.path路径把日志输出在指定的文件夹中. 第一步:通过VS Code创建一个空的Spring Boot项目 第二步:在applicat ...

  6. 【Azure 应用服务】App Service 开启了私有终结点(Private Endpoint)模式后,如何来实现公网Git部署呢?

    问题描述 因为中国区的App Service对外(公网访问)需要进行ICP备案,所以很多情况下,Web应用部署到App Service后,都是通过Application Gateway(应用程序网关) ...

  7. 【Azure 应用服务】NodeJS Express + MSAL 实现API应用Token认证(AAD OAuth2 idToken)的认证实验 -- passport.authenticate('oauth-bearer', {session: false})

    问题描述 在前两篇博文中,对NodeJS Express应用 使用MSAL + AAD实现用户登录并获取用户信息,获取Authorization信息 ( ID Token, Access Token) ...

  8. Azure 应用服务中的 API 应用、ASP.NET 和 Swagger 入门

    学习内容: 如何通过 Visual Studio 2015 中的内置工具在 Azure 应用服务中创建和部署 API 应用. 如何使用 Swashbuckle NuGet 包动态生成 Swagger ...

  9. 为 Azure 应用服务配置连续部署工作流

    本快速入门介绍了如何将应用服务 GitHub 集成以实现连续部署工作流.在本教程中完成的所有操作均符合1元试用条件. 本快速入门介绍了如何将应用服务 GitHub 集成以实现连续部署工作流.在本教程中 ...

随机推荐

  1. 通过PROFINET网络实现SINAMICS 120的PN IO OPC通讯,起动及调速控制 | OPC通讯

    1 概述 TCP/IP 通讯的传输时间可能太长,并且该时间具有不确定性,无法满足生产自动化领域的要求.因此,在进行时间要求苛刻的IO 有效载荷数据通讯时,PROFINET IO 不使用TCP/IP,而 ...

  2. springboot常用的starter有哪些?

    spring-boot-starter-web 嵌入tomcat和web开发需要servlet与jsp支持 spring-boot-starter-data-jpa 数据库支持 spring-boot ...

  3. Oracle入门基础(三)一一单行函数

    SQL> --字符函数 SQL> select lower('Hello World') 转小写,upper('Hello World') 转大写,initcap('hello world ...

  4. SpringBoot集成ArtemisMQ,设置动态消息类型

    SpringBoot项目集成ArtemisMQ,那么想动态的更换消息类型,怎么办呢? 通过设置org.springframework.jms.support.destination.JmsDestin ...

  5. JdbcTemplate ?

    JdbcTemplate 类提供了很多便利的方法解决诸如把数据库数据转变成基本数据 类型或对象,执行写好的或可调用的数据库操作语句,提供自定义的数据错误处 理.

  6. 转载:23种常用设计模式的UML类图

    转载至:https://www.cnblogs.com/zytrue/p/8484806.html 23种常用设计模式的UML类图 本文UML类图参考<Head First 设计模式>(源 ...

  7. Java 中堆和栈有什么区别?

    JVM 中堆和栈属于不同的内存区域,使用目的也不同.栈常用于保存方法帧和局 部变量,而对象总是在堆上分配.栈通常都比堆小,也不会在多个线程之间共享, 而堆被整个 JVM 的所有线程共享.

  8. 为什么需要域驱动设计DDD?

    我们需要 DDD 的因素 – 微服务面试问题

  9. 创建Maven web工程

    ---恢复内容开始--- 第一步,启动Eclipse,依次打开菜单[File][New][Other] 找到目录Maven,选择Maven Project, 选择一个Archetype.这里创建Web ...

  10. SpirngMVC源码分析

    分析过程 通过 前端控制器源码 分析 SpringMVC 的执行过程 前端控制器在 web.xml 文件中的配置 <!-- springmvc 前端控制器 --> <servlet& ...