Azure API Management + Azure Function and managed identity

I'm trying to call an Azure function from an API Management instance by using Managed Identity. I have set a System Managed Identity on my APIM instance. I have granted the Contributor role to this identity on the Azure Function App. I have also changed the App Service Authentication to AD.

Now I'm trying to call the function from an API.

I have two issues:

  1. First one: when I use the authentication-managed-identity policy to get a token, I get an error when I use the audience https://myfunctionapp.azurewebsites.net. AD tells me that this app is not registered in the tenant.
  2. Second: if I retrieve a token for https://management.azure.com, I get a token, but I receive a 401 Unauthorized error from the Azure Function.

Maybe I'm just trying to get a token for the wrong audience, but unfortunately the audience for functions is not listed in the documentation (for Service Bus, for example, there is a common URI to use, and also for Key Vault, ...).

I think that I probably missed something in the picture... Thanks.

You need to use the authentication-managed-identity policy to authenticate with a backend service using the managed identity of the API Management service.

https://docs.microsoft.com/en-us/azure/api-management/api-management-authentication-policies#ManagedIdentity

EDIT

  1. In your APIM application in Azure AD, grab the Application ID assigned to the enterprise application.
  2. Then go to Platform features in your Azure Function App and click on Authentication / Authorization.
  3. Select Azure Active Directory as the authentication provider, and the management mode "express".
  4. Back in the authentication-managed-identity policy, set the Application ID from step 1 as the resource.

You need to add the URL to the APIM required resources if you're planning to use the delegated flow. To check whether the issue is with the URL registration, you can use the AppId instead. This will at least tell you whether the token can be retrieved.
