[英]How can I allow a service account to access my REST API when using Roles-based Authorization in Azure?
Summary: I have a REST API that I use for functional testing. 简介:我有一个用于功能测试的REST API。 I only allow people or groups in a specific "Tester" role to hit the API. 我只允许具有特定“测试人员”角色的人员或小组访问API。 I want to trigger this functional testing during an Azure DevOps Release Pipeline automatically, but I can't figure out how to authorize the machine account to hit the API. 我想在Azure DevOps发布管道中自动触发此功能测试,但是我不知道如何授权计算机帐户访问API。
Details: 细节:
I have this API secured with [Authorize(Roles = "Tester")] 我已使用[Authorize(Roles =“ Tester”)]保护了此API
[Route("quotas/developers")]
[HttpGet]
[Authorize(Roles = "Tester")]
[SwaggerResponse(HttpStatusCode.OK, "Successful operation", Type = typeof(DeveloperQuota[]))]
public async Task<List<DeveloperQuota>> GetDeveloperQuota([FromUri]string developerUpn)
To set this up, I have an Enterprise Application registered in Azure Active Directory. 要进行设置,我在Azure Active Directory中注册了一个企业应用程序。 In the manifest, I declare the role. 在清单中,我声明了角色。
And then in the Enterprise Application I add some users and groups which are assigned the role "Tester." 然后,在企业应用程序中,添加一些用户和组,这些用户和组被分配了角色“ Tester”。
This works fine for running my functional tests by hand. 这对于手动运行我的功能测试很好。 I run the tests, it pops up an oauth dialog for me to enter my credentials, it grabs my Bearer token from the successful auth request then passes it along to the APIs. 我运行测试,它会弹出一个oauth对话框供我输入凭据,它从成功的auth请求中获取我的Bearer令牌,然后将其传递给API。
private string GetActiveDirectoryToken()
{
string authority = this.configuration.ActiveDirectoryAuthority;
string resource = this.configuration.ActiveDirectoryAudience;
string keyVaultUri = this.configuration.KeyVaultUri;
IKeyVaultAdapterFactory keyVaultAdapterFactory = new KeyVaultAdapterFactory();
var keyVaultAdapter = keyVaultAdapterFactory.CreateInstance(KeyVaultServicePrincipal.PowerShellAppId);
SecureString clientIdSecure = keyVaultAdapter.GetAzureKeyVaultSecretSecure(keyVaultUri, "GasCallbackRegistrationClientID", null).Result;
SecureString redirectUriSecure = keyVaultAdapter.GetAzureKeyVaultSecretSecure(keyVaultUri, "GasCallbackRegistrationClientIDRedirectUri", null).Result;
var authContext = new AuthenticationContext(authority);
var result = authContext.AcquireTokenAsync(
resource,
SecureStringUtilities.DecryptSecureString(clientIdSecure),
new Uri(SecureStringUtilities.DecryptSecureString(redirectUriSecure)),
new PlatformParameters(PromptBehavior.Auto)).Result;
return result.AccessToken;
}
Of course, if I'm running this during automation, there will be nothing to fill in the dialog with creds, nor do I want to be storing a copy of these creds, especially since these creds roll on a schedule which are maintained elsewhere. 当然,如果我在自动化过程中运行此程序,则不会在对话框中填充信用凭证,也不想存储这些信用凭证的副本,尤其是因为这些信用凭证按时间表进行维护(在其他地方维护)。
My thought was that I could create an Azure Service Principal, associate a cert with the service principal, install the cert on my deployment machine, login as the Service Principal if the cert was available, and then put that Service Principal in the "Tester" role. 我的想法是,我可以创建一个Azure服务主体,将证书与服务主体相关联,将该证书安装在我的部署计算机上,如果该证书可用,则以服务主体身份登录,然后将该服务主体放入“测试器”中。角色。 The problem is I can't add a Service Principal as a user in the Enterprise Application. 问题是我无法在企业应用程序中将服务主体添加为用户。 It only appears to allow me to add "Users and groups." 它似乎只允许我添加“用户和组”。 I similarly can't add a service principal to a group. 同样,我无法将服务主体添加到组中。
Any thoughts on how I can authorize my deployment box to hit these APIs? 关于如何授权我的部署箱使用这些API的任何想法?
Roles published for applications are treated as application permissions and not assignable to other apps via the "Users and Groups" assignment screen. 为应用程序发布的角色被视为应用程序权限 ,不能通过“用户和组”分配屏幕分配给其他应用程序。
To assign the app permissions to a client app, go to the client app's registration page, click on Api Permissions
and then Add a Permission
. 要将应用程序权限分配给客户端应用程序,请转到客户端应用程序的注册页面,单击“ Api Permissions
,然后单击“ Add a Permission
。 Select the My Api
tab, search for your application that published the app roles and you'd see the app role listed in the list below. 选择“ My Api
选项卡,搜索发布了应用程序角色的应用程序,您会在下面的列表中看到该应用程序角色。 Select that, save and then grant admin consent . 选择该选项,保存,然后授予管理员同意 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.