Azure API Management + Azure Function and managed identity
I'm trying to call an Azure function from an API Management instance by using Managed Identity. I have set a System Managed Identity to my APIM instance. I have granted the Contributor role to this identity on the Azure Function App. I have also changed the App Service Authentication to AD.
Now I'm trying to call the function from an API.
I have two issues:
Maybe I'm just trying to get a token on the wrong audience, but unfortunately the audience of functions is not listed in the documentation (for Service Bus, for example, there is a common URI to use, also for Key Vault, ...).
I think that I probably missed something in the picture... Thanks.
You need to use the authentication-managed-identity policy to authenticate with a backend service using the managed identity of the API Management service.
https://docs.microsoft.com/en-us/azure/api-management/api-management-authentication-policies#ManagedIdentity
EDIT
1- In your APIM application on Azure AD, grab the Application ID assigned for the enterprise application.
2- Then go to Platform features in your Azure Function App, and click on Authentication / Authorization.
3- Select Azure Active Directory as the authentication provider, and the management mode "express".
4- Back in the authentication-managed-identity policy, set the Application ID from step 1 as the resource.
You need to add the URL in the APIM required resources if you're planning to use the delegated flow. To check if the issue is with the URL registration, you can use the AppId instead. This will at least tell you if the token can be retrieved.