问题描述
使用Azure密钥保管库(Key Vault)来托管存储账号(Storage Account)密钥的示例中,从Github中下载的示例代码在中国区Azure运行时候会遇见各种认证和授权问题,以下列举出运行代码中遇见的各种异常:
"AADSTS90002: Tenant ‘xxxxxxxx-66d7-xxxx-8f9f-xxxxxxxxxxxx’ not found. This may happen if there are no active subscriptions for the tenant. Check to make sure you have the correct tenant ID. Check with your subscription administrator.
Microsoft.Rest.Azure.CloudException | HResult=0x80131500 | Message=The subscription ‘xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx’ could not be found. | Source=Microsoft.Azure.Management.KeyVault
The client ‘xxxxxxxx-e256-xxxx-8ef8-xxxxxxxxxxxx’ with object id ‘xxxxxxxx-e256-xxxx-xxxxxxxxxxxx’ does not have authorization to perform action ‘Microsoft.KeyVault/vaults/read’ over scope ‘/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/dev-service-rg/providers/Microsoft.KeyVault/vaults/’ or the scope is invalid. If access was recently granted, please refresh your credentials.
Unexpected exception encountered: AADSTS700016: Application with identifier ‘54d5b1e9-5f5c-48f1-8483-d72471cbe7e7’ was not found in the directory ‘xxxxxxxx-66d7-xxxx-8f9f-xxxxxxxxxxxx’. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
{“AADSTS7000218: The request body must contain the following parameter: ‘client_assertion’ or ‘client_secret’.\r\nTrace ID: 57169df7-d54d-4533-b6cf-fc269ee93f00\r\nCorrelation ID: 33fb61c4-7266-4690-bb8d-4d4ebb5614f5\r\nTimestamp: 2021-01-19 02:44:50Z”}
AADSTS54005: OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token. |Trace ID: cbfb3d00-a3e5-445e-96b3-918a94054100 |Correlation ID: 40964a5f-e267-43da-988a-00bf33fa7ad4 |Timestamp: 2021-01-19 03:16:38Z
以上错误就是在调试Key vault dotnet managed storage代码的过程(https://github.com/Azure-Samples/key-vault-dotnet-managed-storage)中遇见的错误。下面我们一一的解决以上错误并使得程序成功运行:
调试代码
首先通过Github下载代码并在Azure环境中准备好AAD,Key Vault,Storage Account。
git clone https://github.com/Azure-Samples/key-vault-dotnet-managed-storage.git
用VS 2019打开后,编辑app.config文件, 配置tenant, subscription, AD app id and secret, and storage account and its resource id等值
PS: 获取AAD中注册应用的相应配置值,可以参考博文:
【Azure Developer】使用Postman获取Azure AD中注册应用程序的授权Token,及为Azure REST API设置Authorization 【Azure Developer】Python代码通过AAD认证访问微软Azure密钥保管库(Azure Key Vault)中机密信息(Secret)
第一个错误:"AADSTS90002: Te