stackoom
  简体   繁体   中英

Azure API Management + Azure Function and managed identity

 原文  2020-01-15 18:41:28       azure/ azure-functions/ azure-api-management/ azure-managed-identity

Question

I'm trying to call an Azure function from an API Management instance by using Managed Identity. I have set a System Managed Identity to my APIM instance. I have granted the Contributor role to this identity on the Azure Function App. I have also change the App Service Authentication to AD.

Now I'm trying to call the function from an API.

I have two issues:

  1. First One: when I use the authentication-managed-identity policy to get a token, I got an error when I use the audience https://myfunctionapp.azurewebsites.net . AD tells me that this app is not registered in the tenant
  2. Second: If I retrieve a token for https://management.azure.com , I got a token but I received a 401 Unauthorized error from the Azure Function.

Maybe I'm just trying to get a token on the wrong audience, but unfortunately the audience of functions is not listed in the document (for service bus for example, there is a common URI to use, also for KeyVault, ...).

I think that I probably missed something in the picture... Thanks.

2 answers

solution1
 5  2020-01-15 20:19:31

You need to use the authentication-managed-identity policy to authenticate with a backend service using the managed identity of the API Management service.

https://docs.microsoft.com/en-us/azure/api-management/api-management-authentication-policies#ManagedIdentity

EDIT

1-In your APIM application on Azure AD, grab the Application ID assigned for enterprise application.

2-Then go to Platform features in your Azure Function App, and click on Authentication / Authorization.

3-Select Azure Active Directory as the authentication provider, and the management mode "express".

4-Back to authentication-managed-identity policy, set the Application ID from step 1 as the resource.

solution2
 0  2020-01-24 23:47:26

you need to add the url in apim required resource. If you're planning to use delegated flow. To check if the issue is with the url registration you can use the AppId instead. This will at least tell you if the token can be retrieved.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Is managed identity available for communication between API Management service and Azure functions? Is it possible to enable Managed Identity between Azure function and Azure Web API? Calling API from python azure function with managed identity Calling Azure function from VM using managed identity and REST API How do I specify a user-assigned managed identity in Azure API Management Incomplete bearer token when using authentication-managed-identity tag in azure api management Unable to create Azure function with Managed Identity User assigned managed identity with azure function - is it possible? Managed Service Identity not working as expected in Azure Function Managed identity Azure
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM