I want to connect an on-premises VM to Azure Key Vault. I have successfully installed the Azure Arc agent and can see the VM under Arc Machines in Azure.
However, when I request an API token following here, I get the following error..
PS C:\Users\tasks> Invoke-WebRequest -Method GET -Uri $endpoint -Headers @{Metadata='True'} -UseBasicParsing
Invoke-WebRequest :
Runtime Error
Server Error in '/' Application.
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".
I think the error is related to IDENTITY_ENDPOINT or the URL.
Any suggestions on how to request a token from an Arc-connected virtual machine?
Thanks in advance.
Sean
Here is the code from the site linked above..
# Docs script: obtain a managed-identity access token from an Azure Arc-enabled server.
# The Arc agent's identity endpoint answers the first request with HTTP 401 and a
# WWW-Authenticate header naming a local file that holds a challenge secret; the
# request is then repeated with that secret as a Basic credential.
$apiVersion = "2020-06-01"
$resource = "https://management.azure.com/"
$endpoint = "{0}?resource={1}&api-version={2}" -f $env:IDENTITY_ENDPOINT,$resource,$apiVersion
$secretFile = ""
try
{
    # Expected to throw: the 401 response carries the challenge file path.
    Invoke-WebRequest -Method GET -Uri $endpoint -Headers @{Metadata='True'} -UseBasicParsing
}
catch
{
    $wwwAuthHeader = $_.Exception.Response.Headers["WWW-Authenticate"]
    if ($wwwAuthHeader -match "Basic realm=.+")
    {
        $secretFile = ($wwwAuthHeader -split "Basic realm=")[1]
    }
}
Write-Host "Secret file path: " $secretFile`n
# The challenge file is readable only by administrators, so run this elevated.
$secret = Get-Content -Raw $secretFile
$response = Invoke-WebRequest -Method GET -Uri $endpoint -Headers @{Metadata='True'; Authorization="Basic $secret"} -UseBasicParsing
if ($response)
{
    $token = (ConvertFrom-Json -InputObject $response.Content).access_token
    Write-Host "Access token: " $token
}
[from comments on the question]
To obtain a token for an Azure Arc-enabled server (physical or virtual), you need to enable a managed identity on the server.
Arc-enabled servers do not show up under the Virtual machines resource category in the portal. You will see the list of servers under:
Portal -> Azure Arc -> Servers.
A few minutes after the setting is applied, the identity is pushed to the Arc agent running on the server and the necessary environment variables are set accordingly. You can then use that script to obtain an access token to authorize against other Azure resources.
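The following is an added example, not part of the question, the docs script above, or the comment: the same 401-challenge flow, wrapped in a function that targets Key Vault (resource https://vault.azure.net rather than management.azure.com) and that checks the preconditions the comment describes before making any call. It verifies that the agent has published IDENTITY_ENDPOINT and IMDS_ENDPOINT as machine-level variables (a session opened before the identity was assigned will not see them), and it fails with a clear message if the endpoint answers with anything other than the documented 401 challenge, which is the case to suspect when the reply is an ASP.NET HTML error page. The vault name "contoso-kv", the secret name "db-password" and the Key Vault REST api-version 7.4 are assumptions for illustration.

```powershell
# Added example (not from the question or the Microsoft docs script).
# Run from an elevated PowerShell session on the Arc-enabled Windows server:
# the challenge file named by the 401 response is readable only by administrators.
$ErrorActionPreference = 'Stop'

# 1. The Arc agent sets these as machine-level variables once a managed identity
#    is assigned. Read them from the Machine scope so a stale session is not the
#    reason they appear missing.
foreach ($name in 'IDENTITY_ENDPOINT', 'IMDS_ENDPOINT') {
    $value = [Environment]::GetEnvironmentVariable($name, 'Machine')
    if (-not $value) {
        throw "$name is not set. Assign a managed identity to the Arc server, wait a few minutes, then open a new PowerShell session."
    }
    Write-Host "${name}: $value"
}
$identityEndpoint = [Environment]::GetEnvironmentVariable('IDENTITY_ENDPOINT', 'Machine')

function Get-ArcManagedIdentityToken {
    param(
        [Parameter(Mandatory)][string]$Resource,
        [Parameter(Mandatory)][string]$IdentityEndpoint
    )
    $apiVersion = '2020-06-01'
    $uri = '{0}?resource={1}&api-version={2}' -f $IdentityEndpoint, $Resource, $apiVersion

    # 2. First call: the agent must answer 401 with a WWW-Authenticate header that
    #    names the local challenge file. Anything else means the request did not
    #    reach the Arc identity endpoint (or the identity is not enabled).
    $secretFile = $null
    try {
        Invoke-WebRequest -Method GET -Uri $uri -Headers @{ Metadata = 'True' } -UseBasicParsing | Out-Null
    }
    catch {
        $resp = $_.Exception.Response
        if (-not $resp) { throw }                        # not an HTTP error (bad URI, DNS, etc.)
        if ([int]$resp.StatusCode -ne 401) {
            throw "Unexpected HTTP $([int]$resp.StatusCode) from $uri; check that IDENTITY_ENDPOINT points at the Arc agent and not another web server."
        }
        # GetValues() exists on both WebHeaderCollection (Windows PowerShell 5.1)
        # and HttpResponseHeaders (PowerShell 7), unlike the string indexer.
        $wwwAuth = $null
        try { $wwwAuth = @($resp.Headers.GetValues('WWW-Authenticate'))[0] } catch { }
        if ($wwwAuth -match 'Basic realm=(.+)') { $secretFile = $Matches[1].Trim() }
        else { throw "No challenge file path in WWW-Authenticate header: '$wwwAuth'" }
    }
    if (-not $secretFile) { throw "The endpoint did not issue a challenge; an Arc identity endpoint should not answer the first call with 200." }

    # 3. Read the one-time secret (elevated session required) and retry with it.
    $secret = Get-Content -Path $secretFile -Raw
    $response = Invoke-WebRequest -Method GET -Uri $uri -Headers @{ Metadata = 'True'; Authorization = "Basic $secret" } -UseBasicParsing
    return ($response.Content | ConvertFrom-Json).access_token
}

# 4. Token for the Key Vault data plane, then read one secret with it.
$kvToken = Get-ArcManagedIdentityToken -Resource 'https://vault.azure.net' -IdentityEndpoint $identityEndpoint

$vaultName  = 'contoso-kv'    # assumption for the example
$secretName = 'db-password'   # assumption for the example
$secretUri  = "https://$vaultName.vault.azure.net/secrets/$secretName?api-version=7.4"
$kvSecret   = Invoke-RestMethod -Method GET -Uri $secretUri -Headers @{ Authorization = "Bearer $kvToken" }

# Never write the token or the secret value to the console or a log; report only metadata.
Write-Host "Retrieved secret '$secretName' from $vaultName (value length: $($kvSecret.value.Length))"
```

The managed identity of the Arc server must also be granted read access on the vault (the built-in Key Vault Secrets User role, or a get-secret access policy if the vault uses access policies), otherwise step 4 fails with 403 even though the token request in step 3 succeeded.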