How can an Azure Function get a reference to Azure Table storage using Managed Identity?

I have an Azure Function that has been assigned a System Identity:

(screenshot: system-assigned identity)

I would like the Azure Function to access a Storage account. The Function has the Reader & Data Access role on that storage account:

(screenshot: RBAC permissions)

The Function has been configured with the name of the Storage account to use. The Function then tries to get an instance of CloudTableClient:

// Table client kept for later use by the function.
private CloudTableClient m_tableClient;

public async Task InitAsync(string accountsStorageName)
{
    // Request a token with the Function's managed identity.
    var azureServiceTokenProvider = new AzureServiceTokenProvider();
    string accessToken = await azureServiceTokenProvider.GetAccessTokenAsync(accountsStorageName);

    // Wrap the token as a storage credential for the named account.
    var storageCredential = new StorageCredentials(accessToken);
    var storageAccount = new CloudStorageAccount(storageCredential, accountsStorageName, "core.windows.net", true);

    // Gets the client to the account's Table storage.
    m_tableClient = storageAccount.CreateCloudTableClient();
}

Question

The above code fails because it is unable to get an access token:

(screenshot: the error)

How can an Azure Function get a reference to Azure Table storage using Managed Identity?

Azure Key Vault can generate shared access signature tokens. A shared access signature provides delegated access to resources in your storage account. You can grant clients access to resources in your storage account without sharing your account keys. For more details, please refer to here.

1. Set an account shared access signature definition

$storageAccountName = ""
$keyVaultName = ""
# Key Vault manages the account key; "Key1" names which key the SAS definition template is built from.
$storageContext = New-AzStorageContext -StorageAccountName $storageAccountName -Protocol Https -StorageAccountKey Key1
$start = [System.DateTime]::Now.AddDays(-1)
$end = [System.DateTime]::Now.AddMonths(1)

# Template SAS: Key Vault re-signs it with the managed key on every regeneration.
$sasToken = New-AzStorageAccountSasToken -Service blob,file,Table,Queue -ResourceType Service,Container,Object -Permission "racwdlup" -Protocol HttpsOnly -StartTime $start -ExpiryTime $end -Context $storageContext

# Register the SAS definition; the resulting secret is named "<storageAccountName>-<YourSASDefinitionName>".
Set-AzKeyVaultManagedStorageSasDefinition -AccountName $storageAccountName -VaultName $keyVaultName -Name "<YourSASDefinitionName>" -TemplateUri $sasToken -SasType 'account' -ValidityPeriod ([System.Timespan]::FromDays(30))

2. Configure access policy for Azure Function

Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ObjectId "Azure Function MSI object id" -PermissionsToSecrets get,list

3. Code
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.Cosmos.Table;   // or Microsoft.WindowsAzure.Storage(.Auth/.Table) with the older package
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;

public static class Http
{
    [FunctionName("Http")]
    public static async Task<IActionResult> Run(
        [HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)] HttpRequest req,
        ILogger log, ExecutionContext context)
    {
        // Authenticate to Key Vault with the Function's managed identity.
        var azureServiceTokenProvider = new AzureServiceTokenProvider();
        var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

        // The managed-storage SAS definition is exposed as a secret named "<account>-<definition>".
        SecretBundle sasToken = await kv.GetSecretAsync(secretIdentifier: "https://testkey02.vault.azure.net:443/secrets/teststorage08-sasToken");
        var storageCredential = new StorageCredentials(sasToken.Value);
        var accountsStorageName = "teststorage08";
        var storageAccount = new CloudStorageAccount(storageCredential, accountsStorageName, "core.windows.net", true);

        var tableClient = storageAccount.CreateCloudTableClient();
        var table = tableClient.GetTableReference("Customer");
        await table.CreateIfNotExistsAsync();
        CustomerEntity customer = new CustomerEntity("Harp", "Walter")
        {
            Email = "Walter@contoso.com",
            PhoneNumber = "425-555-0101"
        };

        TableOperation insertOrMergeOperation = TableOperation.InsertOrMerge(customer);
        TableResult result = await table.ExecuteAsync(insertOrMergeOperation);
        CustomerEntity insertedCustomer = result.Result as CustomerEntity;

        return new OkObjectResult(insertedCustomer);
    }
}

public class CustomerEntity : TableEntity
{
    public CustomerEntity()
    {
    }

    public CustomerEntity(string lastName, string firstName)
    {
        PartitionKey = lastName;
        RowKey = firstName;
    }

    public string Email { get; set; }

    public string PhoneNumber { get; set; }
}

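As an added example (not part of the original answer), the same Key Vault managed-storage SAS lookup wrapped in a small cached factory that rebuilds the CloudTableClient shortly before the SAS expires, so each invocation does not round-trip to Key Vault. It assumes the Microsoft.Azure.Cosmos.Table package and that `sasSecretId` is the URI of the `<storageAccount>-<sasDefinition>` secret; both the class and the parameter names are hypothetical.

```csharp
using System;
using System.Globalization;
using System.Threading;
using System.Threading.Tasks;
using System.Web;
using Microsoft.Azure.Cosmos.Table;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

// Added example, not from the original answer. Fetches the Key Vault managed-storage SAS with the
// Function's managed identity and caches the resulting CloudTableClient until just before the SAS expires.
public static class TableClientFactory
{
    private static readonly SemaphoreSlim s_gate = new SemaphoreSlim(1, 1);
    private static CloudTableClient s_client;
    private static DateTimeOffset s_refreshAt = DateTimeOffset.MinValue;

    // sasSecretId: hypothetical secret URI of the "<storageAccount>-<sasDefinition>" secret.
    public static async Task<CloudTableClient> GetAsync(string sasSecretId, string accountName)
    {
        if (s_client != null && DateTimeOffset.UtcNow < s_refreshAt) return s_client;
        await s_gate.WaitAsync();
        try
        {
            // Re-check under the lock so concurrent invocations fetch the secret only once.
            if (s_client != null && DateTimeOffset.UtcNow < s_refreshAt) return s_client;
            var tokenProvider = new AzureServiceTokenProvider();
            var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));
            string sas = (await kv.GetSecretAsync(sasSecretId)).Value;
            var account = new CloudStorageAccount(new StorageCredentials(sas), accountName, "core.windows.net", true);
            s_client = account.CreateCloudTableClient();
            // Refresh 5 minutes before the "se" (signed expiry) of the SAS; fall back to 10 minutes if unparsable.
            s_refreshAt = ParseExpiry(sas)?.AddMinutes(-5) ?? DateTimeOffset.UtcNow.AddMinutes(10);
            return s_client;
        }
        finally { s_gate.Release(); }
    }

    // Reads the "se" query parameter of an account SAS; returns null when absent or malformed.
    public static DateTimeOffset? ParseExpiry(string sas)
    {
        var query = HttpUtility.ParseQueryString(sas.TrimStart('?'));
        string se = query["se"];
        return DateTimeOffset.TryParse(se, CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal, out var dt)
            ? dt
            : (DateTimeOffset?)null;
    }
}
```

Rotating the SAS definition's validity period in Key Vault (step 1 above) is enough to invalidate a leaked SAS; the factory picks up the re-signed token at the next refresh.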
