我在网络作业运行时收到错误:
Microsoft.Azure.WebJobs.Host.FunctionInvocationException:执行函数时出现异常:Functions.Cleanup ---> Microsoft.Rest.Azure.CloudException:对象 ID 为“[Redacted]”的客户端“[Redacted]”无权在范围“/subscriptions/[Redacted]/resourceGroups/[Redacted]/providers/Microsoft.Web/sites/[Redacted]/config/publishingcredentials”上执行操作“Microsoft.Web/sites/config/list/action”。
这是一个LetsEncrypt 证书续订尝试;完整的堆栈报告如下。
我找到了Microsoft.Web/sites/config/list/action
提供商这里,但它没有被列入可用角色并且没有迹象表明如何授予其访问权限:
/subscriptions/[Redacted]/resourceGroups/[Redacted]/providers/Microsoft.Web/sites/[Redacted]/config/publishingcredentials
在过去的一年里,一切都运行良好,但直到最近一个月左右,它才开始出现故障。我有两个网站正在运行该作业,突然间,两个网站都出现了类似的错误。
这可能与我最近决定将扩展程序的文件从 AppData 移到网站上一级的文件夹中有关,正如所讨论的这里,但由于时间问题,我无法确定。
如何添加必要的权限以使 WebJob 成功运行?
1 {
2 "Type": "FunctionCompleted",
3 "EndTime": "2019-03-21T03:11:53.1829332+00:00",
4 "Failure": {
5 "ExceptionType": "Microsoft.Azure.WebJobs.Host.FunctionInvocationException",
6 "ExceptionDetails": "Microsoft.Azure.WebJobs.Host.FunctionInvocationException: Exception while executing function: Functions.Cleanup ---> Microsoft.Rest.Azure.CloudException: The client '[Redacted]' with object id '[Redacted]' does not have authorization to perform action 'Microsoft.Web/sites/config/list/action' over scope '/subscriptions/[Redacted]/resourceGroups/[Redacted]/providers/Microsoft.Web/sites/[Redacted]/config/publishingcredentials'.
7 at Microsoft.Azure.Management.WebSites.WebAppsOperations.<BeginListPublishingCredentialsWithHttpMessagesAsync>d__210.MoveNext()
8 --- End of stack trace from previous location where exception was thrown ---
9 at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
10 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
11 at Microsoft.Azure.Management.WebSites.WebAppsOperationsExtensions.<BeginListPublishingCredentialsAsync>d__411.MoveNext()
12 --- End of stack trace from previous location where exception was thrown ---
13 at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
14 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
15 at Microsoft.Azure.Management.WebSites.WebAppsOperationsExtensions.BeginListPublishingCredentials(IWebAppsOperations operations, String resourceGroupName, String name)
16 at LetsEncrypt.Azure.Core.KuduHelper.GetKuduClient(WebSiteManagementClient client, IAzureWebAppEnvironment settings) in D:\\a\\1\\s\\LetsEncrypt.SiteExtension.Core\\KuduHelper.cs:line 15
17 at LetsEncrypt.Azure.Core.Services.KuduFileSystemAuthorizationChallengeProvider..ctor(IAzureWebAppEnvironment azureEnvironment, IAuthorizationChallengeProviderConfig config) in D:\\a\\1\\s\\LetsEncrypt.SiteExtension.Core\\Services\\KuduFileSystemAuthorizationChallengeProvider.cs:line 22
18 at LetsEncrypt.Azure.Core.CertificateManager..ctor(AppSettingsAuthConfig config) in D:\\a\\1\\s\\LetsEncrypt.SiteExtension.Core\\CertificateManager.cs:line 31
19 at LetsEncrypt.SiteExtension.Functions.Cleanup(TimerInfo timerInfo) in D:\\a\\1\\s\\LetsEncrypt.SiteExtension.WebJob\\Functions.cs:line 73
20 at lambda_method(Closure , Functions , Object[] )
21 at Microsoft.Azure.WebJobs.Host.Executors.VoidMethodInvoker`1.InvokeAsync(TReflected instance, Object[] arguments)
22 at Microsoft.Azure.WebJobs.Host.Executors.FunctionInvoker`1.<InvokeAsync>d__8.MoveNext()
23 --- End of stack trace from previous location where exception was thrown ---
24 at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
25 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
26 at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.<InvokeAsync>d__22.MoveNext()
27 --- End of stack trace from previous location where exception was thrown ---
28 at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
29 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
30 at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
31 at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.<ExecuteWithWatchersAsync>d__21.MoveNext()
32 --- End of stack trace from previous location where exception was thrown ---
33 at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
34 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
35 at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.<ExecuteWithLoggingAsync>d__19.MoveNext()
36 --- End of stack trace from previous location where exception was thrown ---
37 at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
38 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
39 at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
40 at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.<ExecuteWithLoggingAsync>d__13.MoveNext()
41 --- End of inner exception stack trace ---
42 at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
43 at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.<ExecuteWithLoggingAsync>d__13.MoveNext()
44 --- End of stack trace from previous location where exception was thrown ---
45 at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
46 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
47 at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.<TryExecuteAsync>d__10.MoveNext()"
48 },
49 "ParameterLogs": {},
50 "FunctionInstanceId": "[Redacted]",
51 "Function": {
52 "Id": "LetsEncrypt.SiteExtension.Functions.Cleanup",
53 "FullName": "LetsEncrypt.SiteExtension.Functions.Cleanup",
54 "ShortName": "Functions.Cleanup",
55 "Parameters": [
56 {
57 "Name": "timerInfo",
58 "DisplayHints": {
59 "Description": "Timer executed on schedule (Daily: 1 occurrences)"
60 }
61 }
62 ]
63 },
64 "Arguments": {
65 "timerInfo": "2019-03-21T03:11:49.9071967+00:00"
66 },
67 "Reason": "AutomaticTrigger",
68 "ReasonDetails": "Timer fired at 2019-03-21T03:11:48.8550732+00:00",
69 "StartTime": "2019-03-21T03:11:48.8550732+00:00",
70 "OutputBlob": {
71 "ContainerName": "azure-webjobs-hosts",
72 "BlobName": "output-logs/[Redacted].txt"
73 },
74 "ParameterLogBlob": {
75 "ContainerName": "azure-webjobs-hosts",
76 "BlobName": "output-logs/[Redacted].params.txt"
77 },
78 "HostInstanceId": "[Redacted]",
79 "HostDisplayName": "LetsEncrypt.SiteExtension.WebJob",
80 "SharedQueueName": "azure-webjobs-host-le-[Redacted]",
81 "InstanceQueueName": "azure-webjobs-host-[Redacted]",
82 "Heartbeat": {
83 "SharedContainerName": "azure-webjobs-hosts",
84 "SharedDirectoryName": "heartbeats/le-[Redacted]",
85 "InstanceBlobName": "[Redacted]",
86 "ExpirationInSeconds": 45
87 },
88 "WebJobRunIdentifier": {
89 "WebSiteName": "[Redacted]",
90 "JobType": "Continuous",
91 "JobName": "letsencrypt.siteextension.job",
92 "RunId": ""
93 }
94 }
答案1
事实证明,我没有为 WebJob 分配安全角色(关联)。
通过网站转到您的资源组,单击访问控制 (IAM) 并使用检查访问功能。如果您知道服务主体/应用程序的名称,您可以搜索它并查看它分配了什么权限。在我的情况下,它被授予订阅的所有者访问权限,但这超出了要求。资源组上的贡献者访问权限应该足够了。
一旦我这样做了,这项工作就能够成功运行。