[英]Authorization for Azure Function using Managed Service Identity to fetch blob from Azure Storage container
When I attempt to invoke an Azure Function in an Azure Function App using a system assigned managed identity to fetch a blob from an Azure Storage container, I'm encountering: 当我尝试使用系统分配的托管身份在Azure Function应用程序中调用Azure Function从Azure存储容器中获取Blob时,遇到了:
System.Private.CoreLib: Exception while executing function:<FunctionName>. Microsoft.WindowsAzure.Storage: Unauthorized.
I'm adapting the approach outlined here . 我正在调整此处概述的方法。
Here's the code: 这是代码:
[FunctionName("TestFetchTileViaSvcPrinId")]
public static async Task<HttpResponseMessage> RunAsync(
[HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)] HttpRequest req,
ILogger log) {
log.LogInformation("C# HTTP trigger function processed a request.");
const string blobName = "https://<storageaccount>.blob.core.windows.net/...path.../<file>.jpg";
// Get the initial access token and the interval at which to refresh it.
var azureServiceTokenProvider = new AzureServiceTokenProvider();
NewTokenAndFrequency tokenAndFrequency = TokenRenewerAsync(azureServiceTokenProvider, CancellationToken.None).GetAwaiter().GetResult();
// Create storage credentials using the initial token, and connect the callback function to renew the token just before it expires
var tokenCredential = new TokenCredential(tokenAndFrequency.Token, TokenRenewerAsync, azureServiceTokenProvider, tokenAndFrequency.Frequency.Value);
var storageCredentials = new StorageCredentials(tokenCredential);
var cloudBlockBlob = new CloudBlockBlob(new Uri(blobName), storageCredentials);
using (var memoryStream = new MemoryStream()) {
await cloudBlockBlob.DownloadToStreamAsync(memoryStream); // Unauthorized exception is thrown here
var httpResponseMessage = new HttpResponseMessage(HttpStatusCode.OK) {
Content = new ByteArrayContent(memoryStream.ToArray())
};
httpResponseMessage.Headers.Add("Cache-Control", "max-age=31536000"); //31536000 seconds ~ 1 year
httpResponseMessage.Content.Headers.ContentType = new MediaTypeHeaderValue("image/jpeg");
return httpResponseMessage;
}
}
The Azure Function App has a system assigned managed identity which has Storage Blob Data Contributor role for the target blob's entire storage account. Azure功能应用程序具有系统分配的托管身份,该身份具有目标Blob的整个存储帐户的Storage Blob数据贡献者角色。
I got this working. 我工作了。 As Rohit noticed, the redacted full-path to the blob (as originally posted) incorrectly specified the Azure function path rather than the storage account path.
正如Rohit所注意到的那样,已删除的Blob完整路径(如最初发布的那样)错误地指定了Azure函数路径而不是存储帐户路径。 I've subsequently fixed up the question.
我后来解决了这个问题。 Nevertheless, I did have a typo in the path as implemented.
不过,在实施过程中我确实有错别字。 Correcting the path resolved the issue.
更正路径可以解决此问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.