Question
I managed to get the code below to work (complete code here) to use Azure managed identity to authenticate (via Visual Studio) and have access to an Azure storage account without using credentials.
// Resource identifier for Azure Storage; the token is requested for this audience.
const string storageResource = "https://storage.azure.com/";
// With no connection string the provider probes MSI, Visual Studio and Azure CLI in turn.
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var authResult = await azureServiceTokenProvider.GetAuthenticationResultAsync(storageResource, cancellationToken: cancellationToken);
The code managed to find the user logged in to Visual Studio and used that to get the token, and all went well.
However, this code is executed as part of a library's integration tests in an Azure DevOps build pipeline.
I found the service principal that was created when I created the service connection to Azure in Azure DevOps and gave it the same Storage Blob Data Contributor role, hoping that Azure DevOps would use it to run the code, but had no success.
So my question is:
How do I get code that runs in an Azure DevOps build pipeline to be able to authenticate using the AzureServiceTokenProvider?
BTW, the error message:
Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException : Parameters: Connection String: [No connection string specified], Resource: https://storage.azure.com/, Authority: . Exception Message: Tried the following 3 methods to get an access token, but none of them worked.
Parameters: Connection String: [No connection string specified], Resource: https://storage.azure.com/, Authority: . Exception Message: Tried to get token using Managed Service Identity. Access token could not be acquired. Failed after 5 retries. MSI ResponseCode: BadRequest, Response: {"error":"invalid_request","error_description":"Identity not found"}
Parameters: Connection String: [No connection string specified], Resource: https://storage.azure.com/, Authority: . Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Visual Studio Token provider file not found at "C:\Users\VssAdministrator\AppData\Local.IdentityService\AzureServiceAuth\tokenprovider.json"
Parameters: Connection String: [No connection string specified], Resource: https://storage.azure.com/, Authority: . Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. ERROR: Please run 'az login' to setup account.
TearDown : System.NullReferenceException : Object reference not set to an instance of an object.
Answer 1:
Since this question hasn't been answered so far, you can try this: try passing the connection information explicitly to the AzureServiceTokenProvider. The following code block assumes that you're using a shared secret credential to sign in to Azure AD, but it can be extended to any of the methods described here - Service-to-service authentication to Azure Key Vault using .NET
// RunAs=App with a client secret; AppKey is a secret and must come from a secret
// pipeline variable or Key Vault, never from source control.
var azureServicesAuthString = $"RunAs=App;AppId={AppId};TenantId={TenantId};AppKey={ClientSecret}";
var azureServiceTokenProvider = new AzureServiceTokenProvider(connectionString: azureServicesAuthString);
var authResult = await azureServiceTokenProvider.GetAuthenticationResultAsync(storageResource, cancellationToken: cancellationToken);
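The approach in this answer leaves open where the pipeline gets AppId, TenantId and the secret from. The following is an added example, not code from the question or from either answer: it assumes the integration tests are launched from an AzureCLI@2 task with addSpnToEnvironment: true, which makes the service connection's service principal available to the script as the environment variables servicePrincipalId, servicePrincipalKey and tenantId (those names are the task's; the class and method names below are this example's own). When those variables are present it builds the RunAs=App connection string from them; when they are absent (a developer machine signed in to Visual Studio) it passes null so the library keeps its default MSI / Visual Studio / Azure CLI probe chain, which is the behaviour the question already had working locally.

```csharp
// Added example for running AppAuthentication-based tests in an Azure DevOps
// pipeline. Not part of the original question or answers.
// Assumed pipeline step (YAML):
//   - task: AzureCLI@2
//     inputs:
//       azureSubscription: '<service connection name>'
//       scriptType: pscore
//       addSpnToEnvironment: true
//       inlineScript: dotnet test ./tests/Integration.csproj
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Azure.Services.AppAuthentication;

public static class PipelineTokenProvider
{
    // Audience for Azure Storage, as in the question.
    private const string StorageResource = "https://storage.azure.com/";

    // Returns a RunAs=App connection string when the AzureCLI task has injected
    // service-principal credentials, or null when it has not. The secret is
    // read from the environment and never written anywhere else.
    public static string BuildConnectionString(Func<string, string> getEnv)
    {
        var appId = getEnv("servicePrincipalId");
        var appKey = getEnv("servicePrincipalKey");
        var tenantId = getEnv("tenantId");

        if (string.IsNullOrEmpty(appId) || string.IsNullOrEmpty(appKey) || string.IsNullOrEmpty(tenantId))
        {
            return null; // not in the pipeline task: use the default probe chain
        }

        return $"RunAs=App;AppId={appId};TenantId={tenantId};AppKey={appKey}";
    }

    public static AzureServiceTokenProvider Create()
    {
        var connectionString = BuildConnectionString(Environment.GetEnvironmentVariable);
        // A null connection string is the library's default and enables the
        // MSI -> Visual Studio -> Azure CLI probes seen in the error message.
        return new AzureServiceTokenProvider(connectionString);
    }

    public static async Task<string> GetStorageTokenAsync(CancellationToken cancellationToken)
    {
        var provider = Create();
        var result = await provider.GetAuthenticationResultAsync(StorageResource, cancellationToken: cancellationToken);

        // Log which identity was used, never the token or the AppKey; pipeline
        // logs are retained and readable by everyone with access to the project.
        var principal = provider.PrincipalUsed;
        Console.WriteLine(principal != null
            ? $"Authenticated as {principal.Type} (AppId={principal.AppId}, TenantId={principal.TenantId})"
            : "Authenticated via default probe chain");

        return result.AccessToken;
    }
}
```

Two practical notes. First, inside an AzureCLI@2 task the agent is already signed in to az as the service connection's principal, so the Azure CLI probe alone can also succeed there without any connection string; building the connection string explicitly makes the test independent of which task type wraps it and fails fast with a clear message if the credentials are missing. Second, the service principal needs the Storage Blob Data Contributor role on the storage account (or a narrower scope) regardless of how the token is obtained; the "Identity not found" MSI error in the question is expected on a Microsoft-hosted agent, which has no managed identity, and is unrelated to role assignment.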
Answer 2:
You will need to create a service connection of type "Managed identity authentication" to use a managed identity in a DevOps pipeline.
Source: https://stackoverflow.com/questions/56861259/use-managed-identities-in-azure-devops-build-pipeline