使用MSI的Azure功能-错误请求令牌 [英] Azure Function using MSI - Error Requesting Token
问题描述
我在Azure中具有一个功能,该功能已启用MSI(托管服务标识),我正尝试使用该功能来访问基于Azure的WebAPI(应用程序服务WebApp),而该API又启用了Azure AD身份验证(所有相同的Azure目录)
I have a Function in Azure, which has MSI (Managed Service Identity) enabled which I am trying to use to access an Azure based WebAPI (App Service WebApp) which in turn has Azure AD Authentication enabled (all same Azure Directory).
我的WebAPI已注册了Azure应用,因此可以使用AAD身份验证.
My WebAPI has an Azure App registered so it can use AAD Authentication.
此应用程序的清单中还配置了必要的AppRoles(对于用户"类型和应用程序"类型).
This app also has the necessary AppRoles configured in its Manifest (for types 'User' and for 'Application').
我还验证了在功能上启用MSI后在Azure AD中成功创建了功能标识(app).
I have also verified that the Functions Identity (app) was successfully created in Azure AD when I enabled MSI on the Function.
当我尝试使用MSI在我的函数中获取令牌时,我收到400错误的请求响应/错误:
When I try to obtain a token within my Function using MSI i receive a 400 Bad Request response / error:
"ExceptionMessage":"AADSTS50105:未将应用程序"###"分配给应用程序"###"的角色
"ExceptionMessage": "AADSTS50105: Application '###' is not assigned to a role for the application '###'
"ErrorCode":"invalid_grant"
"ErrorCode": "invalid_grant"
我确保传递的资源"值是我的webAPI应用ID URI.
I have ensured the Resource value I pass in is my webAPIs app ID URI.
string resource = "<My App URI>";
string apiversion = "2017-09-01";
HttpClient client = new HttpClient();
client.DefaultRequestHeaders.Add("Secret", Environment.GetEnvironmentVariable("MSI_SECRET"));
var r = await client.GetAsync(String.Format("{0}/?resource={1}&api-version={2}", Environment.GetEnvironmentVariable("MSI_ENDPOINT"), resource, apiversion));
return r;
但是我仍然遇到相同的错误.请求令牌的代码很好,并且该错误实际上指向权限问题.
But I still get the same error. The code for requesting a token is fine, and the error does infact point towards a permissions issue.
我无法做的一件事(我想这是问题所在)是找到一种向用户和用户添加新的MSI/功能标识的方法. webAPIs Azure应用程序的组.无论我尝试什么,当我搜索功能应用程序身份"以添加为webAPI应用程序的成员(具有应用程序"角色)时,功能"应用程序身份都不会出现在用户"列表中.
The one thing I have not been able to do (and I guess this is the problem) is find a way to give add the new MSI/Function Identity to the Users & Groups of the webAPIs Azure App. No matter what I try my Functions App Identity does not appear in the Users list when I search for it to add as a member of the webAPI app (with the Application role).
有人对我为什么不能将功能MSI添加到Apps Users提出任何建议吗?组还是Azure AD组?
Does anyone have any suggestions as to why I cannot add the Functions MSI to an Apps Users & Groups or to an Azure AD Group?
还是我做错了其他事情?
Or am I doing something else wrong perhaps?
推荐答案
Juuna was spot on in his response to my original post:
在服务上启用MSI时,只会在Azure AD中创建一个服务主体,因此当尝试将SP添加为组成员或用户&用户名时,这不会出现在搜索结果中. Azure AD应用程序的组.
When enabling MSI on a service only a Service Principal is created in Azure AD and as such this wont appear in search results when trying to add the SP as a member of a Group or to User & Groups of an Azure AD App.
要将您的MSI创建的服务主体权限分配给您的应用,您需要:
In order to assign your MSI created Service Principal permissions to your App you need to:
- Edit your apps manifest and ensure you have app roles with allowed member type = "Application"
- Run the PowerShell cmdlet "New-AzureADServiceAppRoleAssignment (link) to grant your Service Principal the Application role you added to your apps manifest
- Within your MSI enabled service re-try requesting a token
对于我来说,按照上述步骤,我现在可以成功地从我的函数中请求应用程序令牌,以便我的同一个Azure函数可以调用我的WebApp(已启用AAD身份验证).
For me, following the above, I can now successfully request app tokens from my Function so my same Azure Function can call my WebApp (which is AAD Authentication enabled).
这篇关于使用MSI的Azure功能-错误请求令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
