Authenticate from Azure Logic app to Azure Function using Managed Identity

I am trying to configure the security for a Logic App and Azure Function. The Azure Function has an HTTP Trigger. So far I have done the following:

  1. Created the Azure Function with some basic functionality (write query in request to log).
  2. Created the Logic App (recurrence trigger, HTTP to trigger the Azure Function).
  3. Tested that the Logic App successfully calls the Azure Function.
  4. Added a managed identity to the Logic App.
  5. Enabled Azure AD Authentication/Authorisation on the Azure Function App and used the express configuration which created the App Registration in Azure AD for the Function App.
  6. Added Managed Identity as the Authentication method in the HTTP action within the Logic App.

When I run the Logic App it shows that the HTTP action fails because it's unauthorized. Can anyone tell me what I'm missing? I've found a few tutorials on how to access a KeyVault (for example) using a similar approach, but nothing for an Azure Function. I feel like I need to tell the App Registration that the Managed Identity for the Logic App has permissions, but I don't know if this is correct, nor how to do it.

Firstly, to get past the unauthorized error that you're currently getting when Logic App calls your Azure Function, you need to make sure that your Logic App is acquiring the token to authenticate to the Function correctly.

I quickly tried out a logic app with Managed Identity like your setup to call an Azure Function with Azure AD authentication enabled. Here are the detailed steps to follow.

  1. Add an HTTP Action in your Logic App, that will be used to call your Azure Function.
  2. In my case it was a simple GET call with a URL like https://<myfunctionapp>.azurewebsites.net/api/simplefunction
  3. In Authentication select Managed Identity.
  4. Then add new parameter and select the Audience checkbox.

  5. Change the value for the Audience parameter to the APP ID URI for your function app's Azure AD app registration. In my case this value looked like https://<myazureadtenant>.onmicrosoft.com/GUID

    You can find this APP ID URI value from Azure Portal > Azure AD > App Registrations > Registration for your function app > Settings > Properties

At this point, you should be able to test your logic app and at least call the Azure Function fine (unless your Azure Function restricts access to only certain callers or requires specific permissions, more on that shortly).

Here is how the full HTTP action looks in my case.

Next, once the basic call from Logic App (with Managed Identity) to your Azure Function is getting authenticated properly, the question is whether any application should be able to call your Azure Function or whether only certain callers with specific permissions should be allowed.

I have answered this part in detail with 2 approaches in this SO post: Is there a way to secure an Azure Function that will only be called from a specific Azure Logic App? The second approach in that answer is very declarative, and you can even create multiple different application roles for different types of callers if needed for your function.
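The HTTP action that the designer steps above produce, shown as the Logic App workflow-definition JSON behind the designer; this is an added example, not code from the original answer. It assumes the hourly recurrence trigger from the question, uses the function URL and audience placeholders from the answer, and `<app-registration-guid>` stands for the GUID in the answer's example App ID URI. The security-relevant part is the `authentication` block: `ManagedServiceIdentity` makes the Logic App request a token with its own identity, and `audience` must be the function app's App ID URI or App Service authentication rejects the token as unauthorized.

```json
{
  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "triggers": {
    "Recurrence": {
      "type": "Recurrence",
      "recurrence": {
        "frequency": "Hour",
        "interval": 1
      }
    }
  },
  "actions": {
    "Call_Azure_Function": {
      "type": "Http",
      "runAfter": {},
      "inputs": {
        "method": "GET",
        "uri": "https://<myfunctionapp>.azurewebsites.net/api/simplefunction",
        "authentication": {
          "type": "ManagedServiceIdentity",
          "audience": "https://<myazureadtenant>.onmicrosoft.com/<app-registration-guid>"
        }
      }
    }
  },
  "outputs": {}
}
```

If the `audience` value is omitted or does not match the App ID URI configured on the function app's app registration, the run history shows the 401 described in the question even though the managed identity itself is valid.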
