Authenticate from Azure Logic app to Azure Function using Managed Identity
I am trying to configure the security for a Logic App and Azure Function. The Azure Function has an HTTP Trigger. So far I have done the following:
When I run the Logic App it shows that the HTTP action fails because it's unauthorized. Can anyone tell me what I'm missing? I've found a few tutorials on how to access a KeyVault (for example) using a similar approach, but nothing for an Azure Function. I feel like I need to tell the App Registration that the Managed Identity for the Logic App has permissions, but I don't know if this is correct, nor how to do it.
Firstly, to get past the unauthorized error that you're currently getting when Logic App calls your Azure Function, you need to make sure that your Logic App is acquiring the token to authenticate to the Function correctly.
I quickly tried out a logic app with Managed Identity like your setup to call an Azure Function with Azure AD authentication enabled. Here are the detailed steps to follow.
In my case, this is a simple GET call with a URL like https://<myfunctionapp>.azurewebsites.net/api/simplefunction
Select Managed Identity under Authentication.
Then add new parameter and select the Audience checkbox.
Change the value for the Audience parameter to the APP ID URI for your function app's Azure AD app registration. In my case this value looked like https://<myazureadtenant>.onmicrosoft.com/GUID
You can find this APP ID URI value from Azure Portal > Azure AD > App Registrations > Registration for your function app > Settings > Properties
At this point, you should be able to test your logic app and at least call the Azure Function fine (unless your Azure Function restricts to only certain callers or requires specific permissions, more on that shortly.)
Here is how the full HTTP action looks in my case.
Next, once the basic call from Logic App (with Managed Identity) to your Azure Function is getting authenticated properly, the question is whether any application should be able to call your Azure Function or only certain callers with specific permissions should be allowed.
I have answered this part in detail with 2 approaches in this SO Post - Is there a way to secure an Azure Function that will only be called from a specific Azure Logic App? The second approach in that answer is very declarative and you can even create multiple different application roles for different types of callers if needed for your function.
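The HTTP action from the steps above, written out as a Logic App workflow-definition fragment. This is an added example, not the answerer's own screenshot or code; the function URL, tenant and GUID are the same placeholders used in the answer, and the action name "Call_Function" is assumed. The "authentication" object is what makes the Logic App request a token with its system-assigned managed identity, and "audience" must match the App ID URI of the function app's app registration, otherwise the token is issued for a different resource and the Function's Azure AD authentication rejects it as unauthorized.

```json
{
  "definition": {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "contentVersion": "1.0.0.0",
    "triggers": {
      "Recurrence": {
        "type": "Recurrence",
        "recurrence": { "frequency": "Hour", "interval": 1 }
      }
    },
    "actions": {
      "Call_Function": {
        "type": "Http",
        "runAfter": {},
        "inputs": {
          "method": "GET",
          "uri": "https://<myfunctionapp>.azurewebsites.net/api/simplefunction",
          "authentication": {
            "type": "ManagedServiceIdentity",
            "audience": "https://<myazureadtenant>.onmicrosoft.com/GUID"
          }
        }
      }
    },
    "outputs": {}
  }
}
```

If you open the HTTP action in code view and "authentication" is missing or its "audience" points at another resource, that is the configuration behind the 401 described in the question.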