Authorising Azure Function App Http endpoint from Data Factory


Problem description

We are currently developing an ETL solution in Azure Data Factory that requires calling out to an Azure Function App HTTP trigger. Our Data Factory instance has a Managed Identity configured and I was wondering how I can secure the Azure Function App to only allow access from the Data Factory Managed Identity?

I have previously used Azure Function Apps System Assigned Managed Identities to access other resources (Key Vault) so I understand the basic concepts but I am struggling to understand if using System Assigned Managed Identities as an authorisation and authentication mechanism on Azure Function Apps is possible.

Solution

Yes, you can, please follow the steps below.

1. Navigate to your function app in the portal -> Authentication / Authorization -> configure it with Azure AD auth, follow this doc. Note: In Express, we select Create New AD App, which will reduce unnecessary trouble.

After configuration, it will be like below.

2. After a while, navigate to Azure Active Directory in the portal -> App registrations -> search for your function app name with the filter All applications -> click it -> App roles | Preview -> Create app role -> create the role like below -> Apply.

Navigate to Overview -> click Managed application in local directory.

In the Properties -> set User assignment required? to Yes.

3. Use the PowerShell below to give the app role to your MSI (managed identity), replacing <datafactory-name> and <functionapp-name>.

Make sure you have installed the AzureAD PowerShell module and have enough permission to assign the app role.

Connect-AzureAD
# Service principal of the Data Factory managed identity (the caller)
$MSI = Get-AzureADServicePrincipal -Filter "displayName eq '<datafactory-name>'"
# Service principal of the function app's AAD app registration (the resource being protected)
$funapp = Get-AzureADServicePrincipal -Filter "displayName eq '<functionapp-name>'"
# Value of the app role created in step 2
$PermissionName = "Function.Test"
$approle = $funapp.AppRoles | Where-Object {$_.Value -eq $PermissionName}
if (-not $approle) { throw "App role '$PermissionName' not found on '<functionapp-name>'" }
# Assign the role: PrincipalId = the MSI, ResourceId = the function app, Id = the role
New-AzureADServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId -ResourceId $funapp.ObjectId -Id $approle.Id

4. Navigate to the httptrigger in your function app, set the Authorization level to Anonymous, because we have configured AAD auth.

5. Then in your ADF, create a web activity to test, use the settings like below.

URL - https://<functionapp-name>.azurewebsites.net/api/HttpTrigger1

Resource - https://<functionapp-name>.azurewebsites.net

Run it, it will work fine.

In this solution, we secure the function with the app role. If you don't give the role to your MSI (i.e. step 3), the MSI will not be able to access the function; in other words, if you give the role only to your MSI, only your MSI will be able to access the function.
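As an added example that is not part of the answer above: with the trigger set to Anonymous, the only thing enforcing the app role is App Service Authentication plus the "User assignment required" switch, so the function itself can additionally require the roles claim that App Service Authentication forwards in the X-MS-CLIENT-PRINCIPAL header (base64-encoded JSON of claims). It assumes a Python function and that the header and claim-type names are as App Service Authentication emits them (the function names and the sample header are constructed for illustration).

```python
import base64
import json

# Value of the app role created in step 2 and assigned to the Data Factory MSI in step 3.
REQUIRED_ROLE = "Function.Test"
# Claim types as App Service Authentication emits them (assumed; "oid" accepted as a fallback).
OID_CLAIMS = ("http://schemas.microsoft.com/identity/claims/objectidentifier", "oid")


def parse_client_principal(header_value):
    """Decode X-MS-CLIENT-PRINCIPAL: base64 JSON shaped like
    {"auth_typ": "aad", "claims": [{"typ": "roles", "val": "Function.Test"}, ...]}."""
    principal = json.loads(base64.b64decode(header_value))
    if not isinstance(principal, dict):
        raise ValueError("client principal is not a JSON object")
    return principal


def claim_values(principal, claim_types):
    """All values of the given claim types (the roles claim repeats once per role)."""
    return [c.get("val") for c in principal.get("claims", []) if c.get("typ") in claim_types]


def is_authorised(headers, required_role=REQUIRED_ROLE, expected_oid=None):
    """True only if Easy Auth authenticated the caller, the caller carries the app
    role, and (when given) its object id is the one expected Data Factory MSI."""
    header_value = headers.get("X-MS-CLIENT-PRINCIPAL") or headers.get("x-ms-client-principal")
    if not header_value:
        return False  # no authenticated principal: Easy Auth did not run or let the call through anonymously
    try:
        principal = parse_client_principal(header_value)
    except ValueError:  # covers binascii.Error and json.JSONDecodeError
        return False
    if required_role not in claim_values(principal, ("roles",)):
        return False
    if expected_oid is not None and expected_oid not in claim_values(principal, OID_CLAIMS):
        return False
    return True


def make_principal_header(roles, oid):
    """Constructed header value in the same shape, for local testing (not a captured one)."""
    claims = [{"typ": "roles", "val": r} for r in roles]
    claims.append({"typ": OID_CLAIMS[0], "val": oid})
    body = {"auth_typ": "aad", "name_typ": "name", "role_typ": "roles", "claims": claims}
    return base64.b64encode(json.dumps(body).encode()).decode()
```

In the function, call is_authorised(req.headers, expected_oid=<MSI object id>) at the top of the trigger and return 403 when it is False; this catches the case where someone later flips "User assignment required" back to No.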
