
Allow Keyless Authorization from Managed Service Identity to Azure Function

Imagine that I have:

An Azure Function (func) that exposes an HTTP endpoint (api1)
An Azure App Service (service1) that has a Managed Service Identity configured (msi1)

I would like to configure everything in such a way that service1 can make an HTTP request to api1, and api1 knows that the request is coming from msi1. Furthermore, I would like to be able to configure service1 in the Azure portal to either allow or disallow access to api1.

Basically I want to configure which app services have access to which functions (or vice-versa) as much as possible in the Azure portal, without having to create and manage API tokens or keys in application settings.

I would like to stress that this is service-to-service - service1 does not request any login information from its users.

I believe that this should be possible, but most of the documentation that I have come across describes situations in which a user logs in via Microsoft/Facebook/Google/Whatever and gets an access token in that way. I know that I can use client credentials on an application registration to create a valid bearer token; but that shouldn't be necessary because service1 is executing under the security context of msi1 .

As juunas said, you could refer to his article to secure azure function from app service using a managed identity.

Register your api1 as an app in AAD and use PowerShell to assign permission to the service1 MSI. It seems that assigning permission to an MSI is not supported in the Portal, so you could just use PowerShell to assign it. Here is a similar thread that assigns permission to an MSI that you could refer to.
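The assignment step the answer describes, as an added example (not code from the answer, the linked article or the thread it refers to). It assumes the AzureAD PowerShell module, that the api1 app registration already declares an app role whose value is "Api1.Invoke" (a hypothetical name), and that the object ID of msi1 has been copied from the Identity blade of service1 in the portal:

```powershell
# Added example: grant an app role declared on api1 to the managed identity of
# service1. Assumes the AzureAD module; "Api1.Invoke" and the object ID below are
# placeholders to be replaced with your own values.
Connect-AzureAD

$apiDisplayName = "api1"        # display name of the api1 app registration
$appRoleValue   = "Api1.Invoke" # hypothetical app role value declared on api1
$msiObjectId    = "<object id of msi1 from the Identity blade of service1>"

# Service principal that represents api1 in the tenant
$apiSp = Get-AzureADServicePrincipal -Filter "DisplayName eq '$apiDisplayName'"
if (-not $apiSp) { throw "No service principal found for $apiDisplayName" }

# The app role to grant; it must already be declared on the api1 app registration
$appRole = $apiSp.AppRoles | Where-Object { $_.Value -eq $appRoleValue }
if (-not $appRole) { throw "App role '$appRoleValue' is not declared on $apiDisplayName" }

# Service principal of the managed identity (created when MSI was enabled on service1)
$msiSp = Get-AzureADServicePrincipal -ObjectId $msiObjectId
if (-not $msiSp) { throw "No service principal found for object id $msiObjectId" }

# The assignment itself: this is the step the portal does not expose for an MSI
New-AzureADServiceAppRoleAssignment -ObjectId $msiSp.ObjectId `
                                    -Id $appRole.Id `
                                    -PrincipalId $msiSp.ObjectId `
                                    -ResourceId $apiSp.ObjectId

# Check: list every principal that holds an app role on api1. Removing an entry
# from this list (Remove-AzureADServiceAppRoleAssignment) revokes that access,
# which is how "allow or disallow" is toggled without touching any keys.
Get-AzureADServiceAppRoleAssignment -ObjectId $apiSp.ObjectId |
    Select-Object PrincipalDisplayName, PrincipalId, Id, CreationTimestamp
```

Two things are worth checking after running this. First, the assignment only decides which identities receive a token carrying the role; api1 still has to enforce it, either through App Service Authentication configured against the api1 app registration or by validating the bearer token's issuer, audience and `roles` claim in the function itself. Second, a token issued to msi1 after the assignment carries `"roles": ["Api1.Invoke"]`, so that claim, not the caller's presence in the tenant, is what the function should authorize on. The AzureAD module is being retired in favour of the Microsoft Graph PowerShell SDK, where the equivalent call is New-MgServicePrincipalAppRoleAssignment with the same principal, resource and app role IDs.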
