stackoom
  简体   繁体   中英

Authorization for Azure Function using Managed Service Identity to fetch blob from Azure Storage container

 原文  2019-05-24 00:34:48       azure/ azure-active-directory/ azure-functions/ azure-storage-blobs

Question

When I attempt to invoke an Azure Function in an Azure Function App using a system assigned managed identity to fetch a blob from an Azure Storage container, I'm encountering:

System.Private.CoreLib: Exception while executing function:<FunctionName>. Microsoft.WindowsAzure.Storage: Unauthorized.

I'm adapting the approach outlined here .

Here's the code: 

[FunctionName("TestFetchTileViaSvcPrinId")]
public static async Task<HttpResponseMessage> RunAsync(
    [HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)] HttpRequest req,
    ILogger log) {
    log.LogInformation("C# HTTP trigger function processed a request.");

    const string blobName = "https://<storageaccount>.blob.core.windows.net/...path.../<file>.jpg";

    // Get the initial access token and the interval at which to refresh it.
    var azureServiceTokenProvider = new AzureServiceTokenProvider();
    NewTokenAndFrequency tokenAndFrequency = TokenRenewerAsync(azureServiceTokenProvider, CancellationToken.None).GetAwaiter().GetResult();

    // Create storage credentials using the initial token, and connect the callback function to renew the token just before it expires
    var tokenCredential = new TokenCredential(tokenAndFrequency.Token, TokenRenewerAsync, azureServiceTokenProvider, tokenAndFrequency.Frequency.Value);

    var storageCredentials = new StorageCredentials(tokenCredential);

    var cloudBlockBlob = new CloudBlockBlob(new Uri(blobName), storageCredentials);

    using (var memoryStream = new MemoryStream()) {
        await cloudBlockBlob.DownloadToStreamAsync(memoryStream);  // Unauthorized exception is thrown here
        var httpResponseMessage = new HttpResponseMessage(HttpStatusCode.OK) {
            Content = new ByteArrayContent(memoryStream.ToArray())
        };
        httpResponseMessage.Headers.Add("Cache-Control", "max-age=31536000"); //31536000 seconds ~ 1 year
        httpResponseMessage.Content.Headers.ContentType = new MediaTypeHeaderValue("image/jpeg");
        return httpResponseMessage;
    }

}

The Azure Function App has a system assigned managed identity which has Storage Blob Data Contributor role for the target blob's entire storage account.

1 answers

solution1
 0 ACCPTED  2019-05-24 14:21:09

I got this working. As Rohit noticed, the redacted full-path to the blob (as originally posted) incorrectly specified the Azure function path rather than the storage account path. I've subsequently fixed up the question. Nevertheless, I did have a typo in the path as implemented. Correcting the path resolved the issue.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Allow Keyless Authorization from Managed Service Identity to Azure Function Call Azure Function from Data Factory using Managed Service Identity Upload files to Azure Storage from Azure VM using SDK azblob and Managed Service Identity Azure PHP web app using system assigned managed identity connecting to Azure Storage Blob Azure Blob Storage Authorization Authenticate Azure Table storage from ADF using Service Principle or Managed Identity Authenticate from Azure Logic app to Azure Function using Managed Identity Accessing Azure Storage from VM using Managed Identity Azure Media Service Submit JobInputHttp from a private blob storage container Connecting Azure SQL database using managed identity from container instance
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM