Azure WebJob runtime access exception

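I'm receiving an error at runtime in a WebJob:

Microsoft.Azure.WebJobs.Host.FunctionInvocationException: Exception while executing function: Functions.Cleanup ---> Microsoft.Rest.Azure.CloudException: The client '[Redacted]' with object id '[Redacted]' does not have authorization to perform action 'Microsoft.Web/sites/config/list/action' over scope '/subscriptions/[Redacted]/resourceGroups/[Redacted]/providers/Microsoft.Web/sites/[Redacted]/config/publishingcredentials'.

This is a LetsEncrypt certificate renewal attempt; the full stack report is below.

I've reviewed the documentation here and here, but I'm afraid I'm still at a loss.

I found the Microsoft.Web/sites/config/list/action provider here, but it isn't listed among the available roles, and there's no indication of how to grant access to it:

/subscriptions/[Redacted]/resourceGroups/[Redacted]/providers/Microsoft.Web/sites/[Redacted]/config/publishingcredentials

Everything ran fine for the past year, and only in the last month or so did it start failing. I have two sites running the job, and suddenly both are showing similar errors.

This may be related to my recent decision to move the extension's files out of AppData and into a folder one level above the website, as discussed here, but because of the timing I can't be sure.

How do I add the necessary permissions so that the WebJob runs successfully?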

{
  "Type": "FunctionCompleted",
  "EndTime": "2019-03-21T03:11:53.1829332+00:00",
  "Failure": {
    "ExceptionType": "Microsoft.Azure.WebJobs.Host.FunctionInvocationException",
    "ExceptionDetails": "Microsoft.Azure.WebJobs.Host.FunctionInvocationException: Exception while executing function: Functions.Cleanup ---> Microsoft.Rest.Azure.CloudException: The client '[Redacted]' with object id '[Redacted]' does not have authorization to perform action 'Microsoft.Web/sites/config/list/action' over scope '/subscriptions/[Redacted]/resourceGroups/[Redacted]/providers/Microsoft.Web/sites/[Redacted]/config/publishingcredentials'.
   at Microsoft.Azure.Management.WebSites.WebAppsOperations.<BeginListPublishingCredentialsWithHttpMessagesAsync>d__210.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.Management.WebSites.WebAppsOperationsExtensions.<BeginListPublishingCredentialsAsync>d__411.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.Management.WebSites.WebAppsOperationsExtensions.BeginListPublishingCredentials(IWebAppsOperations operations, String resourceGroupName, String name)
   at LetsEncrypt.Azure.Core.KuduHelper.GetKuduClient(WebSiteManagementClient client, IAzureWebAppEnvironment settings) in D:\\a\\1\\s\\LetsEncrypt.SiteExtension.Core\\KuduHelper.cs:line 15
   at LetsEncrypt.Azure.Core.Services.KuduFileSystemAuthorizationChallengeProvider..ctor(IAzureWebAppEnvironment azureEnvironment, IAuthorizationChallengeProviderConfig config) in D:\\a\\1\\s\\LetsEncrypt.SiteExtension.Core\\Services\\KuduFileSystemAuthorizationChallengeProvider.cs:line 22
   at LetsEncrypt.Azure.Core.CertificateManager..ctor(AppSettingsAuthConfig config) in D:\\a\\1\\s\\LetsEncrypt.SiteExtension.Core\\CertificateManager.cs:line 31
   at LetsEncrypt.SiteExtension.Functions.Cleanup(TimerInfo timerInfo) in D:\\a\\1\\s\\LetsEncrypt.SiteExtension.WebJob\\Functions.cs:line 73
   at lambda_method(Closure , Functions , Object[] )
   at Microsoft.Azure.WebJobs.Host.Executors.VoidMethodInvoker`1.InvokeAsync(TReflected instance, Object[] arguments)
   at Microsoft.Azure.WebJobs.Host.Executors.FunctionInvoker`1.<InvokeAsync>d__8.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.<InvokeAsync>d__22.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
   at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.<ExecuteWithWatchersAsync>d__21.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.<ExecuteWithLoggingAsync>d__19.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
   at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.<ExecuteWithLoggingAsync>d__13.MoveNext()
   --- End of inner exception stack trace ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.<ExecuteWithLoggingAsync>d__13.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor.<TryExecuteAsync>d__10.MoveNext()"
  },
  "ParameterLogs": {},
  "FunctionInstanceId": "[Redacted]",
  "Function": {
    "Id": "LetsEncrypt.SiteExtension.Functions.Cleanup",
    "FullName": "LetsEncrypt.SiteExtension.Functions.Cleanup",
    "ShortName": "Functions.Cleanup",
    "Parameters": [
      {
        "Name": "timerInfo",
        "DisplayHints": {
          "Description": "Timer executed on schedule (Daily: 1 occurrences)"
        }
      }
    ]
  },
  "Arguments": {
    "timerInfo": "2019-03-21T03:11:49.9071967+00:00"
  },
  "Reason": "AutomaticTrigger",
  "ReasonDetails": "Timer fired at 2019-03-21T03:11:48.8550732+00:00",
  "StartTime": "2019-03-21T03:11:48.8550732+00:00",
  "OutputBlob": {
    "ContainerName": "azure-webjobs-hosts",
    "BlobName": "output-logs/[Redacted].txt"
  },
  "ParameterLogBlob": {
    "ContainerName": "azure-webjobs-hosts",
    "BlobName": "output-logs/[Redacted].params.txt"
  },
  "HostInstanceId": "[Redacted]",
  "HostDisplayName": "LetsEncrypt.SiteExtension.WebJob",
  "SharedQueueName": "azure-webjobs-host-le-[Redacted]",
  "InstanceQueueName": "azure-webjobs-host-[Redacted]",
  "Heartbeat": {
    "SharedContainerName": "azure-webjobs-hosts",
    "SharedDirectoryName": "heartbeats/le-[Redacted]",
    "InstanceBlobName": "[Redacted]",
    "ExpirationInSeconds": 45
  },
  "WebJobRunIdentifier": {
    "WebSiteName": "[Redacted]",
    "JobType": "Continuous",
    "JobName": "letsencrypt.siteextension.job",
    "RunId": ""
  }
}

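Answer 1

As it turns out, I had not assigned a security role to the WebJob (related).

Assign permissions

Go to your resource group via the website, click Access control (IAM) and use the Check access feature. If you know the name of the service principal/application, you can search for it and see what permissions it has been assigned. In my case, it had been granted Owner access on the subscription, but that is more than is required. Contributor access on the resource group should be sufficient.

Once I did that, the job was able to run successfully.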
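
Added example, not part of the answer above: a small Python model of how Azure RBAC decides whether a role assignment authorizes the action from the error message at the `publishingcredentials` scope. It shows why the action never appears by name in a role (it is granted through a wildcard) and why an assignment on the resource group is enough. The role definitions are abbreviated sample data, and the subscription ID, resource group and site names are constructed placeholders.

```python
import re

# Abbreviated built-in role definitions, embedded as sample data (assumption:
# trimmed to the entries relevant here; confirm the live definitions with
# `az role definition list --name <role>`).
ROLES = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": ["Microsoft.Authorization/*/Write",
                        "Microsoft.Authorization/*/Delete"],
    },
    "Owner": {"actions": ["*"], "not_actions": []},
}

# Action taken from the error message; the scope values are constructed placeholders.
ACTION = "Microsoft.Web/sites/config/list/action"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-example"
TARGET = RG + "/providers/Microsoft.Web/sites/site-example/config/publishingcredentials"


def _matches(pattern, action):
    """Match an RBAC action pattern: '*' is a wildcard, comparison ignores case."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def role_allows(role, action):
    """A role permits an action if Actions match it and NotActions do not."""
    definition = ROLES[role]
    allowed = any(_matches(p, action) for p in definition["actions"])
    excluded = any(_matches(p, action) for p in definition["not_actions"])
    return allowed and not excluded


def scope_covers(assignment_scope, target_scope):
    """Assignments are inherited by child scopes (whole path segments only)."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def is_authorized(assignments, action, target_scope):
    """assignments: list of (role name, scope) held by the service principal."""
    return any(scope_covers(scope, target_scope) and role_allows(role, action)
               for role, scope in assignments)
```

Once the narrowest sufficient assignment is identified, it can be granted with `az role assignment create --assignee <app-id> --role Contributor --scope <resource-group-id>`, where the bracketed values are placeholders.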
