【Azure Developer】解决Azure Key Vault管理Storage的示例代码在中国区Azure遇见的各种认证/授权问题 - C# Example Code

简介: 【Azure Developer】解决Azure Key Vault管理Storage的示例代码在中国区Azure遇见的各种认证/授权问题 - C# Example Code

问题描述

使用Azure密钥保管库(Key Vault)来托管存储账号(Storage Account)密钥的示例中,从Github中下载的示例代码在中国区Azure运行时候会遇见各种认证和授权问题,以下列举出运行代码中遇见的各种异常:

  1. "AADSTS90002: Tenant 'xxxxxxxx-66d7-xxxx-8f9f-xxxxxxxxxxxx' not found. This may happen if there are no active subscriptions for the tenant. Check to make sure you have the correct tenant ID. Check with your subscription administrator.
  2. Microsoft.Rest.Azure.CloudException |  HResult=0x80131500 |  Message=The subscription 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' could not be found. |  Source=Microsoft.Azure.Management.KeyVault
  3. The client 'xxxxxxxx-e256-xxxx-8ef8-xxxxxxxxxxxx' with object id 'xxxxxxxx-e256-xxxx-xxxxxxxxxxxx' does not have authorization to perform action 'Microsoft.KeyVault/vaults/read' over scope '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/dev-service-rg/providers/Microsoft.KeyVault/vaults/<youkeyvaultname>' or the scope is invalid. If access was recently granted, please refresh your credentials.
  4. Unexpected exception encountered: AADSTS700016: Application with identifier '54d5b1e9-5f5c-48f1-8483-d72471cbe7e7' was not found in the directory 'xxxxxxxx-66d7-xxxx-8f9f-xxxxxxxxxxxx'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
  5. {"AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.\r\nTrace ID: 57169df7-d54d-4533-b6cf-fc269ee93f00\r\nCorrelation ID: 33fb61c4-7266-4690-bb8d-4d4ebb5614f5\r\nTimestamp: 2021-01-19 02:44:50Z"}
  6. AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token. |Trace ID: cbfb3d00-a3e5-445e-96b3-918a94054100 |Correlation ID: 40964a5f-e267-43da-988a-00bf33fa7ad4 |Timestamp: 2021-01-19 03:16:38Z

 

以上错误就是在调试Key vault dotnet managed storage代码的过程(https://github.com/Azure-Samples/key-vault-dotnet-managed-storage)中遇见的错误。下面我们一一的解决以上错误并使得程序成功运行:

 

调试代码

首先通过Github下载代码并在Azure环境中准备好AAD,Key Vault,Storage Account。

PS: 获取AAD中注册应用的相应配置值,可以参考博文

【Azure Developer】使用Postman获取Azure AD中注册应用程序的授权Token,及为Azure REST API设置Authorization

【Azure Developer】Python代码通过AAD认证访问微软Azure密钥保管库(Azure Key Vault)中机密信息(Secret)

 

第一个错误:"AADSTS90002: Tenant 'xxxxxxxx-66d7-xxxx-8f9f-xxxxxxxxxxxx' not found. This may happen if there are no active subscriptions for the tenant. Check to make sure you have the correct tenant ID. Check with your subscription administrator.

这是因为代码默认是连接到Global Azure的AAD环境,所以认证的时候会把app.config中的tenant值在Global Azure AAD中查找。而我们在项目中配置的Tenant是中国区Azure的,所以出现not found的提示。 只需要在代码中指定AAD的环境中Azure China即可解决该问题。

  • ClientContext.cs文件中 修改GetServiceCredentialsAsync方法ActiveDirectoryServiceSettings.AzureActiveDirectoryServiceSettings.AzureChina
/// <summary>
        /// Returns a task representing the attempt to log in to Azure public as the specified
        /// service principal, with the specified credential.
        /// </summary>
        /// <param name="certificateThumbprint"></param>
        /// <returns></returns>
        public static Task<ServiceClientCredentials> GetServiceCredentialsAsync(string tenantId, string applicationId, string appSecret)
        {
            if (_servicePrincipalCredential == null)
            {
                _servicePrincipalCredential = new ClientCredential(applicationId, appSecret);
            }
            //Update the Azure to Azure China
            return ApplicationTokenProvider.LoginSilentAsync(
                tenantId,
                _servicePrincipalCredential,
                ActiveDirectoryServiceSettings.AzureChina,
                TokenCache.DefaultShared);
        }

 

第二个错误:Microsoft.Rest.Azure.CloudException |  HResult=0x80131500 |  Message=The subscription 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' could not be found. |  Source=Microsoft.Azure.Management.KeyVault

这个错误的原因为在Azure Management KeyVault对象中找不到我们在项目中配置的订阅信息。在Debug代码时候才发现,KeyVaultManagementClient对象默认的URL也是指向Global Azure。中国区的Key Vault Management的URL为https://management.chinacloudapi.cn, 与Global不同。需要在KeyVaultSampleBase.cs代码中设定ManagementClient.BaseUri = new Uri("https://management.chinacloudapi.cn"); 即可。


private void InstantiateSample(string tenantId, string appId, string appSecret, string subscriptionId, string resourceGroupName, string vaultLocation, string vaultName, string storageAccountName, string storageAccountResourceId)
        {
            context = ClientContext.Build(tenantId, appId, appSecret, subscriptionId, resourceGroupName, vaultLocation, vaultName, storageAccountName, storageAccountResourceId);
            // log in with as the specified service principal for vault management operations
            var serviceCredentials = Task.Run(() => ClientContext.GetServiceCredentialsAsync(tenantId, appId, appSecret)).ConfigureAwait(true).GetAwaiter().GetResult();
// instantiate the management client
            ManagementClient = new KeyVaultManagementClient(serviceCredentials);
            ManagementClient.BaseUri = new Uri("https://management.chinacloudapi.cn");
            ManagementClient.SubscriptionId = subscriptionId;
            // instantiate the data client, specifying the user-based access token retrieval callback
            DataClient = new KeyVaultClient(ClientContext.AcquireUserAccessTokenAsync);
        }

 

第三个错误:The client 'xxxxxxxx-e256-xxxx-8ef8-xxxxxxxxxxxx' with object id 'xxxxxxxx-e256-xxxx-xxxxxxxxxxxx' does not have authorization to perform action 'Microsoft.KeyVault/vaults/read' over scope '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/dev-service-rg/providers/Microsoft.KeyVault/vaults/<youkeyvaultname>' or the scope is invalid. If access was recently granted, please refresh your credentials.

 

在通过代码获取Key Vault Management对象时候,由于程序当前使用的AAD注册应用没有被授予Key Vault的操作权限,所以出现does not have authorization to perform action 'Microsoft.KeyVault/vaults/read' 。通过到Key Vault的门户中为AAD应用分配权限即可解决此问题。

  • Key Vault Portal -> Access Control(IAM) -> Add Role Assignment.

 

第四个错误:Unexpected exception encountered: AADSTS700016: Application with identifier '54d5b1e9-5f5c-48f1-8483-d72471cbe7e7' was not found in the directory 'xxxxxxxx-66d7-xxxx-8f9f-xxxxxxxxxxxx'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.

这个错误很迷惑,因为identifier “54d5b1e9-5f5c-48f1-8483-d72471cbe7e7”并不包含在配置中,它是如何产生的呢? 在全局查看项目文件后,发现它是代码中hardcode的一个值。需要在使用时候把替换为app.config中的application id。

  • SampleConstants.cs文件中的WellKnownClientId
public static string WellKnownClientId
        {
            // Native AD app id with permissions in the subscription
            // Consider fetching it from configuration.
            get
            {
                return "54d5b1e9-5f5c-48f1-8483-d72471cbe7e7";
            }
        }

  • ClientContext.cs文件中使用ConfigurationManager.AppSettings[SampleConstants.ConfigKeys.VaultMgmtAppId]替换WellKnownClientId
public static async Task<string> AcquireUserAccessTokenAsync(string authority, string resource, string scope)
        {
            var context = new AuthenticationContext(authority, TokenCache.DefaultShared);
            if (_deviceCodeResponse == null)
            {
                //_deviceCodeResponse = await context.AcquireDeviceCodeAsync(resource, SampleConstants.WellKnownClientId).ConfigureAwait(false);
                _deviceCodeResponse = await context.AcquireDeviceCodeAsync(resource, ConfigurationManager.AppSettings[SampleConstants.ConfigKeys.VaultMgmtAppId]).ConfigureAwait(false);
                Console.WriteLine("############################################################################################");
                Console.WriteLine("To continue with the test run, please follow these instructions: {0}", _deviceCodeResponse.Message);
                Console.WriteLine("############################################################################################");
            }
            //context.AcquireTokenAsync()
            var result = await context.AcquireTokenByDeviceCodeAsync(_deviceCodeResponse).ConfigureAwait(false);
            return result.AccessToken;
        }

 

第五个错误:{"AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.\r\nTrace ID: 57169df7-d54d-4533-b6cf-fc269ee93f00\r\nCorrelation ID: 33fb61c4-7266-4690-bb8d-4d4ebb5614f5\r\nTimestamp: 2021-01-19 02:44:50Z"}

这个错误是在 context.AcquireTokenByDeviceCodeAsync时,由于配置的AAD应用中没有开启移动应用或客户端应用的高级设置。详细的分析可以参考博客:https://blogs.aaddevsup.xyz/2019/08/receiving-error-aadsts7000218-the-request-body-must-contain-the-following-parameter-client_assertion-or-client_secret/

 

 

第六个错误:AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token. |Trace ID: cbfb3d00-a3e5-445e-96b3-918a94054100 |Correlation ID: 40964a5f-e267-43da-988a-00bf33fa7ad4 |Timestamp: 2021-01-19 03:16:38Z

这个错误发生在 retrievedMsaResponse = await sample.DataClient.GetStorageAccountWithHttpMessagesAsync(vaultUri, managedStorageName).ConfigureAwait(false)的部分,由于通过AcquireTokenByDeviceCodeAsync获取到的token只能完成一次认证。所以再一次调用KeyVaultClient的Get-xxxxx-WithHttpMessageAsync时就会出现OAuth2 Authorization code was already redeemed错误。 解决方法为修改创建 DataClient = new KeyVaultClient(ClientContext.AcquireUserAccessTokenAsync)的认证方式或者是AcquireUserAccessTokenAsync中的获取token方式。

private void InstantiateSample(string tenantId, string appId, string appSecret, string subscriptionId, string resourceGroupName, string vaultLocation, string vaultName, string storageAccountName, string storageAccountResourceId)
        {
            context = ClientContext.Build(tenantId, appId, appSecret, subscriptionId, resourceGroupName, vaultLocation, vaultName, storageAccountName, storageAccountResourceId);
            // log in with as the specified service principal for vault management operations
            var serviceCredentials = Task.Run(() => ClientContext.GetServiceCredentialsAsync(tenantId, appId, appSecret)).ConfigureAwait(true).GetAwaiter().GetResult();
            //var serviceCredentials =ClientContext.GetServiceCredentialsAsync(tenantId, appId, appSecret).Result;
            // instantiate the management client
            ManagementClient = new KeyVaultManagementClient(serviceCredentials);
            ManagementClient.BaseUri = new Uri("https://management.chinacloudapi.cn");
            ManagementClient.SubscriptionId = subscriptionId;
            // instantiate the data client, specifying the user-based access token retrieval callback
            DataClient = new KeyVaultClient(ClientContext.AcquireUserAccessTokenAsync);
       //DataClient = new KeyVaultClient(serviceCredentials); }

或者

public static async Task<string> AcquireUserAccessTokenAsync(string authority, string resource, string scope)
        {
            var context = new AuthenticationContext(authority, TokenCache.DefaultShared);
            if (_deviceCodeResponse == null)
            {
                //_deviceCodeResponse = await context.AcquireDeviceCodeAsync(resource, SampleConstants.WellKnownClientId).ConfigureAwait(false);
                _deviceCodeResponse = await context.AcquireDeviceCodeAsync(resource, ConfigurationManager.AppSettings[SampleConstants.ConfigKeys.VaultMgmtAppId]).ConfigureAwait(false);
                Console.WriteLine("############################################################################################");
                Console.WriteLine("To continue with the test run, please follow these instructions: {0}", _deviceCodeResponse.Message);
                Console.WriteLine("############################################################################################");
            }
            //context.AcquireTokenAsync()
            var result = await context.AcquireTokenByDeviceCodeAsync(_deviceCodeResponse).ConfigureAwait(false);
       return result.AccessToken;
        }

(PS: 以上第六个错误还没有完全解决。)

 

参考资料:

创建 SAS 定义,并通过编写代码提取共享访问签名令牌:https://docs.azure.cn/zh-cn/key-vault/secrets/storage-keys-sas-tokens-code

Azure Sample:https://github.com/Azure-Samples

RECEIVING ERROR AADSTS7000218: THE REQUEST BODY MUST CONTAIN THE FOLLOWING PARAMETER: ‘CLIENT_ASSERTION’ OR ‘CLIENT_SECRET’ :https://blogs.aaddevsup.xyz/2019/08/receiving-error-aadsts7000218-the-request-body-must-contain-the-following-parameter-client_assertion-or-client_secret/

Python代码通过AAD认证访问微软Azure密钥保管库(Azure Key Vault)中机密信息(Secret): https://www.cnblogs.com/lulight/p/14286396.html

相关文章
|
6天前
|
C# 开发者
C# 一分钟浅谈:Code Contracts 与契约编程
【10月更文挑战第26天】本文介绍了 C# 中的 Code Contracts,这是一个强大的工具,用于通过契约编程增强代码的健壮性和可维护性。文章从基本概念入手,详细讲解了前置条件、后置条件和对象不变量的使用方法,并通过具体代码示例进行了说明。同时,文章还探讨了常见的问题和易错点,如忘记启用静态检查、过度依赖契约和性能影响,并提供了相应的解决建议。希望读者能通过本文更好地理解和应用 Code Contracts。
18 3
|
3月前
|
开发框架 .NET C#
【Azure Developer】C# / .NET 静态函数中this关键字的作用
【Azure Developer】C# / .NET 静态函数中this关键字的作用
|
3月前
|
缓存 NoSQL Redis
【Azure Redis 缓存】C#程序是否有对应的方式来优化并缩短由于 Redis 维护造成的不可访问的时间
【Azure Redis 缓存】C#程序是否有对应的方式来优化并缩短由于 Redis 维护造成的不可访问的时间
|
3月前
|
Linux C#
【Azure App Service】C#下制作的网站,所有网页本地测试运行无误,发布至Azure之后,包含CHART(图表)的网页打开报错,错误消息为 Runtime Error: Server Error in '/' Application
【Azure App Service】C#下制作的网站,所有网页本地测试运行无误,发布至Azure之后,包含CHART(图表)的网页打开报错,错误消息为 Runtime Error: Server Error in '/' Application
|
4月前
|
开发框架 .NET C#
【Azure Developer】C# / .NET 静态函数中this关键字的作用
在C#中,`this`关键字用于扩展方法,允许向已有类型添加功能而不修改其源代码。扩展方法必须在静态类中定义,且第一个参数使用`this`修饰,如`public static XElement AcquireElement(this XContainer container, string name, bool addFirst = false)`。这种方式增强了代码的可读性和类型的安全性,尤其在处理第三方库时。
基于C#的ArcEngine二次开发41:投影坐标系与地理坐标系接口、方法及示例代码(三)
基于C#的ArcEngine二次开发41:投影坐标系与地理坐标系接口、方法及示例代码
基于C#的ArcEngine二次开发41:投影坐标系与地理坐标系接口、方法及示例代码(三)
基于C#的ArcEngine二次开发41:投影坐标系与地理坐标系接口、方法及示例代码(二)
基于C#的ArcEngine二次开发41:投影坐标系与地理坐标系接口、方法及示例代码
基于C#的ArcEngine二次开发41:投影坐标系与地理坐标系接口、方法及示例代码(二)
|
数据处理 C#
基于C#的ArcEngine二次开发41:投影坐标系与地理坐标系接口、方法及示例代码(一)
基于C#的ArcEngine二次开发41:投影坐标系与地理坐标系接口、方法及示例代码
基于C#的ArcEngine二次开发41:投影坐标系与地理坐标系接口、方法及示例代码(一)
|
数据处理 C#
基于C#的ArcEngine二次开发39:GP工具的使用--界面、参数及示例代码
基于C#的ArcEngine二次开发39:GP工具的使用--界面、参数及示例代码
基于C#的ArcEngine二次开发39:GP工具的使用--界面、参数及示例代码
|
并行计算 Java C#
C#编程学习14:多线程并行程序设计及示例代码(下)
C#编程学习14:多线程并行程序设计及示例代码
C#编程学习14:多线程并行程序设计及示例代码(下)