
Is managed identity available for communication between API Management service and Azure functions?

I have an Azure API Management service communicating with Azure Functions runtime v1. Currently when I deploy a new version of the Function App (using a CI/CD pipeline in Azure DevOps, and using the built-in Microsoft tasks), the function keys (including the master key) change. Consequently, the key that the API Management API is injecting in the requests to the function is no longer valid, and I get a 401 - Unauthorized. So, I have at the moment a task in the pipeline to update these keys any time I deploy the Function App. The API Management provides a feature to enable Managed Identity, but when I try to create a role assignment in the Function App to the API Management, under the System assigned managed identity, I don't have the option for API Management service. So I presume it is not possible to set up this role assignment between the two services, right? If not, then is there any suggestion for a workaround to avoid managing keys for the communication between API Management service and Azure Functions?

Thanks

UPDATE

Managed Identity can now be used by leveraging the authentication-managed-identity policy.
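As an added example (not code from the question or the answers), this is the kind of inbound policy the update refers to: APIM acquires an Azure AD token with its system-assigned managed identity and forwards it as a bearer token, so no function key is needed. It assumes the Function App has App Service Authentication (Easy Auth) enabled against an Azure AD app registration whose Application ID URI is the placeholder below, and that the function's authLevel is set to anonymous so that Easy Auth, not the key, is what authenticates the call.

```xml
<policies>
    <inbound>
        <base />
        <!-- Acquire a token for the Function App's app registration using the APIM
             system-assigned managed identity. The resource value is a placeholder:
             use the Application ID URI (or client ID) of the app registration that
             App Service Authentication on the Function App is configured to trust. -->
        <authentication-managed-identity
            resource="api://FUNCTION-APP-REGISTRATION-ID-PLACEHOLDER"
            output-token-variable-name="msi-access-token"
            ignore-error="false" />
        <!-- Forward the token as a bearer token. Easy Auth on the Function App validates
             the issuer and audience, so the backend only accepts tokens minted for it. -->
        <set-header name="Authorization" exists-action="override">
            <value>@("Bearer " + (string)context.Variables["msi-access-token"])</value>
        </set-header>
        <!-- Strip any function key a caller may have sent so it is never relayed. -->
        <set-header name="x-functions-key" exists-action="delete" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

With ignore-error set to false, a failed token acquisition stops the request in APIM rather than forwarding an unauthenticated call to the backend, which is what you want to see in the APIM diagnostics when the identity or app registration is misconfigured.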


Yes. Managed Identity cannot be used here.

One alternative would be to protect your function app with an IP restriction using the APIM instance's IP, which is guaranteed to be static as long as it isn't recreated, and setting the function to be an anonymous function.

Note that you might have problems accessing the function from the portal too, for which you would have to allow the public IP of the computer you are using to access it, if required.

Another option would be to

You could probably try caching this access token using the cache policies.
