Authenticate from Azure Logic App to Azure Function using Managed Identity

Question

I am trying to configure the security for a Logic App and Azure Function. The Azure Function has an HTTP Trigger. So far I have done the following:

  1. Created the Azure Function with some basic functionality (writes a query to the log on request).
  2. Created the Logic App (Recurrence trigger, HTTP action to trigger the Azure Function).
  3. Tested that the Logic App successfully calls the Azure Function.
  4. Added a Managed Identity to the Logic App.
  5. Enabled Azure AD Authentication/Authorization on the Azure Function App, using the Express configuration, which created an App Registration for the Function App in Azure AD.
  6. Added the Managed Identity as the authentication method on the HTTP action in the Logic App.

When I run the Logic App it shows that the HTTP action fails because it's unauthorized. Can anyone tell me what I'm missing? I've found a few tutorials on how to access a KeyVault (for example) using a similar approach, but nothing for an Azure Function. I feel like I need to tell the App Registration that the Managed Identity for the Logic App has permissions, but I don't know if this is correct, nor how to do it.

Answer

Firstly, to get past the unauthorized error that you're currently getting when Logic App calls your Azure Function, you need to make sure that your Logic App is acquiring the token to authenticate to the Function correctly.

I quickly tried out a logic app with Managed Identity like your setup to call an Azure Function with Azure AD authentication enabled. Here are the detailed steps to follow.

  1. Add an HTTP Action in your Logic App, that will be used to call your Azure Function
  2. In my case it was a simple GET Call with a URL like https://<myfunctionapp>.azurewebsites.net/api/simplefunction
  3. In Authentication select Managed Identity
  4. Then add new parameter and select Audience checkbox

Change the value for Audience parameter to APP ID URI for your function app's Azure AD app registration. In my case this value looked like https://<myazureadtenant>.onmicrosoft.com/GUID

You can find this APP ID URI value from Azure Portal > Azure AD > App Registrations > Registration for your function app > Settings > Properties

At this point, you should be able to test your logic app and at least call the Azure Function fine (unless your Azure Function restricts to only certain callers or requires specific permissions, more on that shortly.)

Here is how the full HTTP action looks in my case.

Next, once the basic call from the Logic App (with Managed Identity) to your Azure Function is getting authenticated properly, the question is whether any application should be able to call your Azure Function, or whether only certain callers with specific permissions should be allowed.

I have answered this part in detail with 2 approaches in this SO post: Is there a way to secure an Azure Function that will only be called from a specific Azure Logic App?. The second approach in that answer is very declarative, and you can even create multiple different application roles for different types of callers if needed for your function.
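For reference, the HTTP action the answer describes (Managed Identity authentication plus an explicit Audience set to the function app's App ID URI) is what the Logic App designer writes into the workflow definition. The following is an added example of that definition, not taken from the original post; the `<myfunctionapp>`, `<myazureadtenant>` and `GUID` placeholders are the same ones used above and must be replaced with your own values, and the Logic App resource itself must have a system-assigned identity enabled.

```json
{
  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
  "contentVersion": "1.0.0.0",
  "triggers": {
    "Recurrence": {
      "type": "Recurrence",
      "recurrence": { "frequency": "Hour", "interval": 1 }
    }
  },
  "actions": {
    "Call_Azure_Function": {
      "type": "Http",
      "runAfter": {},
      "inputs": {
        "method": "GET",
        "uri": "https://<myfunctionapp>.azurewebsites.net/api/simplefunction",
        "authentication": {
          "type": "ManagedServiceIdentity",
          "audience": "https://<myazureadtenant>.onmicrosoft.com/GUID"
        }
      }
    }
  },
  "outputs": {}
}
```

If the `audience` value does not match an audience the Function App's Azure AD authentication accepts (its App ID URI by default), the token the Logic App acquires is issued for the wrong resource and the call is rejected as unauthorized, which is the symptom described in the question.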
