Azure GraphRbacManagementClient cannot use managed identity

vltsax25 posted on 2023-08-07 in Other

I have a Function App in Azure that needs to read AAD group information. The Function App has a system-assigned managed identity enabled, and the MSI has the Directory.ReadAll permission on Microsoft Graph.
I use the following code to get the list of AAD groups:

from azure.graphrbac import GraphRbacManagementClient
from msrestazure.azure_active_directory import MSIAuthentication
import logging

# Token for the Azure AD Graph endpoint, obtained through the managed identity
MSI_credential = MSIAuthentication(resource="https://graph.windows.net")
graphrbac_client = GraphRbacManagementClient(credentials=MSI_credential, tenant_id='*****')
groups = graphrbac_client.groups.list()
for g in groups:
    logging.info(g.display_name)

This gives me the following error:

Retrying (Retry(total=3, connect=4, read=3, redirect=None, status=None)) after connection broken by 'ProtocolError('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer')


I also tried using the wrapper class at https://github.com/jongio/azidext/blob/master/python/azure_identity_credential_adapter.py, but it gives exactly the same error. What am I missing? Does this have something to do with whitelisting https://graph.windows.net in the firewall?

Answer 1 (z9ju0rcb):

This was a firewall issue. Whitelisting https://graph.windows.net in the firewall solved the problem. Also, to use graph.windows.net, the MSI associated with the app needs Azure Active Directory Graph Directory.ReadAll access.

Answer 2 (klr1opcd):

I ran into a similar problem and switched to the msal library, which works fine. This code was taken from a Python Bites video on YouTube:

from msal import ConfidentialClientApplication
import json
import requests

# Placeholder app registration values; replace with your own
client_id = "e12345b-aaaa-9999-fgh4-zzzz222222"
client_secret = "ckeejsdfhcvkjsdwedeefkgkdgvhsdkjshdgjh"
tenant_id = "ffffff9999-aa11-aa11-bb22-gfhdghg27227"
msal_authority = f"https://login.microsoftonline.com/{tenant_id}"
msal_scope = ["https://graph.microsoft.com/.default"]

msal_app = ConfidentialClientApplication(
    client_id=client_id,
    client_credential=client_secret,
    authority=msal_authority,
)

# Reuse a cached token if there is one, otherwise request a new one
# with the client-credentials flow
result = msal_app.acquire_token_silent(scopes=msal_scope, account=None)

if not result:
    result = msal_app.acquire_token_for_client(scopes=msal_scope)

if "access_token" in result:
    access_token = result["access_token"]
else:
    raise Exception("No access token found")

print(access_token)
headers = {
    "Authorization": f"Bearer {access_token}",
    "Content-Type": "application/json",
}
response = requests.get(
    url="https://graph.microsoft.com/v1.0/users", headers=headers,
)

print(json.dumps(response.json(), indent=4))

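The same Graph call driven by the managed identity the question already has, rather than the client secret in this answer, as an added example that is not from the question or either answer: it uses azure-identity's ManagedIdentityCredential against Microsoft Graph (graph.microsoft.com, the successor to the graph.windows.net endpoint that azure-graphrbac targets) and follows @odata.nextLink paging when listing groups. It assumes azure-identity is installed, that the Function App's outbound firewall allows graph.microsoft.com, and that the identity holds Group.Read.All or Directory.Read.All on Microsoft Graph; the HTTP call is injectable so the paging logic can be exercised offline.

```python
"""Added example (not from the question or either answer): list AAD group
display names from Microsoft Graph with the Function App's managed identity.
Assumes azure-identity is installed; the HTTP call is injectable for tests."""
import json
import urllib.request
from typing import Callable, Iterator

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
GROUPS_URL = "https://graph.microsoft.com/v1.0/groups?$select=id,displayName"


def graph_get(url: str, token: str) -> dict:
    """One authenticated GET against Graph, standard library only."""
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_groups(get_page: Callable[[str], dict], first_url: str = GROUPS_URL) -> Iterator[dict]:
    """Follow @odata.nextLink to the last page: Graph returns a bounded page
    (100 groups by default), so one request is never the whole directory."""
    url = first_url
    while url:
        page = get_page(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")  # absent on the final page


def list_group_names(credential, fetch: Callable[[str, str], dict] = graph_get) -> list:
    """credential is any azure-identity credential: get_token(scope).token."""
    token = credential.get_token(GRAPH_SCOPE).token
    return [g["displayName"] for g in iter_groups(lambda u: fetch(u, token))]


def managed_identity_credential():
    # Imported lazily so the module loads even where azure-identity is absent
    from azure.identity import ManagedIdentityCredential
    return ManagedIdentityCredential()


if __name__ == "__main__":
    # In the Function App: system-assigned identity, no secret in code
    for name in list_group_names(managed_identity_credential()):
        print(name)
```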
