0

I am trying to use the MSI example provided at the following link:

https://docs.microsoft.com/en-us/python/azure/python-sdk-azure-authenticate?view=azure-python#mgmt-auth-msi

To do this, I created a Linux VM, installed the MSI extension on it, and ran the above code in a Python application. When I run that Python application, I get the following error:

[azureuser@vish-redhat ~]$ python msi-auth.py 
No handlers could be found for logger "msrestazure.azure_active_directory"
Traceback (most recent call last):
  File "msi-auth.py", line 10, in <module>
    subscription = next(subscription_client.subscriptions.list())
  File "/usr/lib/python2.7/site-packages/msrest/paging.py", line 121, in __next__
    self.advance_page()
  File "/usr/lib/python2.7/site-packages/msrest/paging.py", line 107, in advance_page
    self._response = self._get_next(self.next_link)
  File "/usr/lib/python2.7/site-packages/azure/mgmt/resource/subscriptions/v2016_06_01/operations/subscriptions_operations.py", line 207, in internal_paging
    request, header_parameters, **operation_config)
  File "/usr/lib/python2.7/site-packages/msrest/service_client.py", line 191, in send
    session = self.creds.signed_session()
  File "/usr/lib/python2.7/site-packages/msrestazure/azure_active_directory.py", line 685, in signed_session
    self.set_token()
  File "/usr/lib/python2.7/site-packages/msrestazure/azure_active_directory.py", line 681, in set_token
    self.scheme, _, self.token = get_msi_token(self.resource, self.port, self.msi_conf)
  File "/usr/lib/python2.7/site-packages/msrestazure/azure_active_directory.py", line 590, in get_msi_token
    result = requests.post(request_uri, data=payload, headers={'Metadata': 'true'})
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 108, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 464, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 415, in send
    raise ConnectionError(err, request=request)
requests.exceptions.ConnectionError: ('Connection aborted.', error(111, 'Connection refused'))
[azureuser@vish-redhat ~]$ 

Code:

from msrestazure.azure_active_directory import MSIAuthentication
from azure.mgmt.resource import ResourceManagementClient, SubscriptionClient

# Create MSI Authentication
credentials = MSIAuthentication()


# Create a Subscription Client
subscription_client = SubscriptionClient(credentials)
subscription = next(subscription_client.subscriptions.list())
subscription_id = subscription.subscription_id

# Create a Resource Management client
resource_client = ResourceManagementClient(credentials, subscription_id)


# List resource groups as an example. The only limit is what role and policy are assigned to this MSI token.
for resource_group in resource_client.resource_groups.list():
    print(resource_group.name)

2 Answers

1

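A connection error is usually because the extension is not yet available. You can use the CLI to try whether the extension is available: az login --msi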

https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/how-to-use-vm-sign-in

If it works, your VM was correctly created with MSI support. If it does not, your extension is probably not configured correctly.

Note that we changed the way a token is obtained with MSI from inside a VM. We now use IMDS: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service

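Starting with the next release of the CLI (the first release of April 2018), the CLI will authenticate directly through IMDS and will no longer use the VM extension. This is already available in its underlying library msrestazure, in version 0.4.25. This bypasses your VM extension entirely to use IMDS, and is now the preferred scenario. Could you try this version of msrestazure? If it works with 0.4.25 but not with 0.4.24, it probably means your VM extension is not installed correctly, but you don't care, since this is a deprecated scenario :)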

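Note that your VM does not need any special permissions or subscription ownership in order to get a token. However, you need them for this token to be useful :). But since your error is about the "get a token" part, and not about permissions, I am suggesting this additional information in case you run into permission problems later: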

https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/howto-assign-access-cli

(Full disclosure, I work at MS on the SDK/CLI team and wrote the MSI support)

Answered 2018-04-02T18:09:28.233
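An added diagnostic, not part of the answer above or of msrestazure: it requests a managed-identity token from the IMDS endpoint directly, bypassing the VM extension, and classifies the outcome (including the "Connection refused" case from the question) without returning or printing the token. It assumes Python 3 and the documented IMDS token URL with api-version 2018-02-01; `http_get` and `probe_imds` are hypothetical names.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# IMDS managed-identity token endpoint: link-local, reachable only from inside the VM.
IMDS_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"


def http_get(url, headers, timeout=3):
    """Default transport: returns (status, body); raises OSError if unreachable."""
    req = urllib.request.Request(url, headers=headers)
    # Empty ProxyHandler: the link-local request must never go through a proxy.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def probe_imds(resource="https://management.azure.com/", transport=http_get):
    """Classify the token request outcome; the token itself is never returned."""
    query = urllib.parse.urlencode({"api-version": API_VERSION, "resource": resource})
    try:
        status, body = transport(IMDS_URL + "?" + query, {"Metadata": "true"})
    except OSError as err:  # connection refused, timeout, no route to host
        return {"state": "unreachable", "detail": str(err)}
    try:
        doc = json.loads(body)
    except ValueError:
        doc = {}
    if not isinstance(doc, dict):
        doc = {}
    if status == 200 and "access_token" in doc:
        # Report only non-secret metadata so the result is safe to log.
        return {"state": "ok", "token_type": doc.get("token_type"),
                "resource": doc.get("resource"), "expires_on": doc.get("expires_on")}
    return {"state": "rejected", "status": status,
            "detail": doc.get("error_description", body[:200])}


if __name__ == "__main__":
    print(probe_imds())
```

A result of `unreachable` means the token endpoint itself could not be contacted, which is the same class of failure as the traceback in the question; `rejected` means the endpoint answered but issued no token.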
1

You need to install the Python SDK in the Linux VM. Please refer to this official documentation

pip install azure

Also, you need to give your VM the Owner role at the subscription level.

For more information about this, please refer to this link

Now you can use this code to test on the VM. I tested it in my lab, and it works for me.

Note: You need to change resource_client = ResourceManagementClient(credentials, subscription_id) to resource_client = ResourceManagementClient(credentials, str(subscription_id)); it requires a string type.

Answered 2018-04-02T02:40:31.913