
Working scenario: Spring Boot application + Azure VM + Azure SDK for Java + system-assigned managed identity + Azure Key Vault. Description: the Spring Boot application is able to retrieve secrets from Key Vault through the system-assigned managed identity; the application runs on an Azure VM. Logs:

[2021-11-16T06:47:44.044Z] [java.util.logging.LoggingProxyImpl] [reactor-http-nio-2] [61] [DEBUG] [] [] sun.net.www.MessageHeader@67d5e1816 pairs: {GET /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net HTTP/1.1: null}{Metadata: true}{User-Agent: Java/1.8.0_251}{Host: *.*.*.*}{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}
[2021-11-16T06:47:44.044Z] [java.util.logging.LoggingProxyImpl] [reactor-http-nio-2] [61] [DEBUG] [] [] sun.net.www.MessageHeader@5b2f224a5 pairs: {null: HTTP/1.1 200 OK}{Content-Type: application/json; charset=utf-8}{Server: IMDS/*.*.*.*}{Date: Tue, 16 Nov 2021 06:47:44 GMT}{Content-Length: 1683}
[2021-11-16T06:47:45.045Z] [com.azure.core.util.logging.ClientLogger] [reactor-http-nio-2] [111] [INFO ] [] [] Azure Identity => Managed Identity environment: AZURE VM IMDS ENDPOINT

Working scenario: Spring Boot application + Azure AKS + Azure SDK for Java + user-assigned managed identity + Azure Key Vault. Description: the Spring Boot application is able to retrieve secrets from Key Vault through the user-assigned managed identity; the application runs on Azure Kubernetes Service. Logs:

[2021-11-16T08:16:32.032Z] [java.util.logging.LoggingProxyImpl] [reactor-http-epoll-3] [61] [DEBUG] [] [] sun.net.www.MessageHeader@37263346 pairs: {GET /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net&client_id=********************** HTTP/1.1: null}{Metadata: true}{User-Agent: Java/1.8.0_111}{Host: *.*.*.*}{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}
[2021-11-16T08:16:32.032Z] [java.util.logging.LoggingProxyImpl] [reactor-http-epoll-3] [61] [DEBUG] [] [] sun.net.www.MessageHeader@377d9d9f5 pairs: {null: HTTP/1.1 200 OK}{Content-Type: application/json; charset=utf-8}{Server: IMDS/*.*.*.*}{Date: Tue, 16 Nov 2021 08:16:32 GMT}{Content-Length: 1805}
[2021-11-16T08:16:32.032Z] [com.azure.core.util.logging.ClientLogger] [reactor-http-epoll-3] [111] [INFO ] [] [] Azure Identity => Managed Identity environment: AZURE VM IMDS ENDPOINT

Problem scenario: Spring Boot application + Azure AKS + Azure SDK for Java + system-assigned managed identity + Azure Key Vault. Description: the Spring Boot application is unable to retrieve secrets from Key Vault through the system-assigned managed identity; the application runs on Azure Kubernetes Service. Logs:

[2021-11-16T07:49:39.039Z] [java.util.logging.LoggingProxyImpl] [reactor-http-epoll-2] [61] [DEBUG] [] [] sun.net.www.MessageHeader@3d038e526 pairs: {GET /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net HTTP/1.1: null}{Metadata: true}{User-Agent: Java/1.8.0_111}{Host: *.*.*.*}{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}
[2021-11-16T07:49:39.039Z] [java.util.logging.LoggingProxyImpl] [reactor-http-epoll-2] [61] [DEBUG] [] [] sun.net.www.MessageHeader@4c08a14b5 pairs: {null: HTTP/1.1 400 Bad Request}{Content-Type: application/json; charset=utf-8}{Server: IMDS/*.*.*.*}{Date: Tue, 16 Nov 2021 07:49:39 GMT}{Content-Length: 168}
[2021-11-16T07:49:39.039Z] [com.azure.core.util.logging.ClientLogger] [reactor-http-epoll-2] [350] [ERROR] [] [] ManagedIdentityCredential authentication unavailable. Connection to IMDS endpoint cannot be established.

I referred to the link below and confirmed that managed identity is enabled on AKS: https://docs.microsoft.com/en-us/azure/aks/use-managed-identity#obtain-and-use-the-system-assigned-managed-identity-for-your-aks-cluster

We are using Harbor to pull the Docker images.

How can I resolve the problem? How can I check whether managed identity is enabled on my nodes?

Code snippet:

import com.azure.identity.ManagedIdentityCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;

SecretClient client = new SecretClientBuilder().vaultUrl(vaultUrl)   // vaultUrl comes from application configuration
                .credential(new ManagedIdentityCredentialBuilder().build())   // system-assigned identity: no client id needed
                .buildClient();
KeyVaultSecret secretKey = client.getSecret(secretName);

1 Answer


I am posting my answer here in case it is useful to anyone else.

Following the answer given for "Azure - AKS authentication to KeyVault and other resources using managed identity", I enabled the system-assigned managed identity on the VMSS, granted the necessary RBAC role (selecting "Assign access to" managed identity) and the access policy for that VMSS. Now the system-assigned managed identity works for my application running in one of the pods.

Answered 2021-12-02T12:20:43.233
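As an added example (not code from the original question or answer), the check the question asks for and the steps the answer describes, written as an az CLI script. It assumes the cluster name, its resource group and the Key Vault name are supplied in the placeholder variables AKS_RG, AKS_NAME and KV_NAME, that the pod runs on the first VMSS in the node resource group, and that `az vmss identity show` prints the identity as JSON with a top-level "type" and "principalId" (the sample outputs below are constructed in that shape). The az and curl calls only run when the variables are set and the tools are installed; the parsing helpers run stand-alone.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Checks whether the AKS node pool VMSS has a system-assigned managed identity and,
# if not, applies the steps from the answer: enable it, then grant it Key Vault access.
# AKS_RG, AKS_NAME and KV_NAME are placeholders you set in the environment.
set -eu

# Succeeds when the JSON printed by `az vmss identity show` reports a system-assigned
# identity. Assumption about the output shape: "type" is "SystemAssigned",
# "SystemAssigned, UserAssigned" or "UserAssigned"; az prints nothing when no identity
# is attached. Whitespace is stripped first so pretty-printed output parses the same.
has_system_identity() {
  printf '%s' "$1" | tr -d ' \n\r' | grep -q '"type":"SystemAssigned'
}

# Extracts the top-level principalId: the object id that access policies and role
# assignments are granted to. The regex refuses to enter a nested object, so the
# principalId of a user-assigned identity under userAssignedIdentities is not picked up.
principal_id() {
  printf '%s' "$1" | tr -d ' \n\r' | sed -n 's/^{[^{]*"principalId":"\([^"]*\)".*/\1/p'
}

# Inside a pod, the request the SDK logged in the question, reporting only the HTTP
# status: 200 when IMDS issues a token, 400 (as in the failing log) when the node has
# no identity that IMDS can use.
imds_status() {
  curl -s -o /dev/null -w '%{http_code}' -H 'Metadata: true' \
    'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net'
}

# Constructed sample outputs (placeholder GUIDs) in the shape az returns.
SAMPLE_SYSTEM='{"principalId":"11111111-1111-1111-1111-111111111111","tenantId":"22222222-2222-2222-2222-222222222222","type":"SystemAssigned"}'
SAMPLE_BOTH='{"principalId":"11111111-1111-1111-1111-111111111111","tenantId":"22222222-2222-2222-2222-222222222222","type":"SystemAssigned, UserAssigned","userAssignedIdentities":{"/subscriptions/x/id":{"clientId":"33333333-3333-3333-3333-333333333333","principalId":"44444444-4444-4444-4444-444444444444"}}}'
SAMPLE_USER='{"type":"UserAssigned","userAssignedIdentities":{"/subscriptions/x/id":{"clientId":"33333333-3333-3333-3333-333333333333","principalId":"44444444-4444-4444-4444-444444444444"}}}'

if [ -n "${PROBE_IMDS:-}" ] && command -v curl >/dev/null 2>&1; then
  echo "IMDS token endpoint status from this pod: $(imds_status)"
fi

if command -v az >/dev/null 2>&1 && [ -n "${AKS_RG:-}" ] && [ -n "${AKS_NAME:-}" ] && [ -n "${KV_NAME:-}" ]; then
  NODE_RG=$(az aks show -g "$AKS_RG" -n "$AKS_NAME" --query nodeResourceGroup -o tsv)
  # Assumption: the pod is scheduled on the first node pool; change the index otherwise.
  VMSS=$(az vmss list -g "$NODE_RG" --query '[0].name' -o tsv)
  IDENTITY_JSON=$(az vmss identity show -g "$NODE_RG" -n "$VMSS" -o json || true)
  if has_system_identity "$IDENTITY_JSON"; then
    echo "system-assigned identity already enabled on $VMSS"
  else
    echo "enabling system-assigned identity on $VMSS"
    az vmss identity assign -g "$NODE_RG" -n "$VMSS" --identities '[system]' >/dev/null
    IDENTITY_JSON=$(az vmss identity show -g "$NODE_RG" -n "$VMSS" -o json)
  fi
  OBJECT_ID=$(principal_id "$IDENTITY_JSON")
  echo "granting secret get/list on $KV_NAME to object id $OBJECT_ID"
  # Vault access policy, as the answer did; only get/list on secrets, nothing broader.
  az keyvault set-policy -n "$KV_NAME" --object-id "$OBJECT_ID" --secret-permissions get list >/dev/null
  # For vaults that use Azure RBAC instead of access policies, the equivalent is the
  # built-in reader role scoped to the vault:
  # az role assignment create --assignee-object-id "$OBJECT_ID" --assignee-principal-type ServicePrincipal \
  #   --role "Key Vault Secrets User" --scope "$(az keyvault show -n "$KV_NAME" --query id -o tsv)"
fi
```

Run it once with the three variables exported from a workstation with az logged in; set PROBE_IMDS=1 only when running from inside a pod on the affected node pool, where the status line gives the same 200/400 answer the SDK logs show without printing the token itself.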