如何在 Azure Function 中使用 Azure 托管标识通过触发器访问服务总线? [英] How to use Azure Managed Identity in Azure Function to access Service Bus with a trigger?
问题描述
我在 Azure 中创建了一个 ServiceBus 命名空间,以及一个主题和一个订阅.我还有一个简单的 Azure 版本 1 函数,它触发 ServiceBus 中接收到的主题,如下所示:
I have created a ServiceBus namespace in Azure, along with a topic and a subscription. I also have a simple Azure version 1 function that triggers on a received topic in the ServiceBus, like this:
[FunctionName("MyServiceBusTriggerFunction")]
public static void Run([ServiceBusTrigger("myTopic", "mySubscription", Connection = "MyConnection")]string mySbMsg, TraceWriter log)
{
log.Info($"C# ServiceBus topic trigger function processed message: {mySbMsg}");
}
当我使用主题的共享访问策略在函数应用程序设置中定义连接字符串时,该函数可以很好地触发 ServiceBus 中的主题,如下所示:
The function triggers nicely for the topics in the ServiceBus when I define the connection string in functions Application Settings by using Shared Access Policy for topic, like this:
Endpoint=sb://MyNamespace.servicebus.windows.net/;SharedAccessKeyName=mypolicy;SharedAccessKey=UZ...E0=
现在,我想使用托管服务标识 (MSI) 来访问 ServiceBus,而不是共享访问密钥.根据这个 (https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/services-support-msi) 应该是可能的,除非我误解了什么.不过我还没有设法让它工作.
Now, instead of Shared Access Keys, I would like to use Managed Service Identity (MSI) for accessing the ServiceBus. According to this (https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/services-support-msi) it should be possible, unless I have misunderstood something. I haven't managed to get it working though.
我尝试的是
- 在 Azure 门户中为我的函数设置托管服务标识开启"
- 在 Azure 门户中的 ServiceBus 访问控制部分中为函数赋予所有者角色
- 像这样设置 MyFunction 的连接字符串:Endpoint=sb://MyNamespace.servicebus.windows.net/
此设置中未触发该功能,所以我错过了什么或我做错了什么?如果您有任何建议可以帮助我走得更远,我将不胜感激.谢谢.
The function is not triggering in this set-up, so what am I missing or what am I doing wrong? I'd be grateful for any advice to help me get further. Thanks.
推荐答案
我错过了什么或我做错了什么?
what am I missing or what am I doing wrong?
您可能会混淆 MSI 和共享访问策略.它们使用不同的提供商来访问 Azure 服务总线.您可以仅使用连接字符串或仅使用 MSI 进行身份验证.
You may mix up with MSI and Shared Access Policy.They are using different provider to access to Azure servicebus. You could just use connectionstring or just use MSI to authenticate.
当您使用 Managed Service Identity(MSI) 进行身份验证时,您需要使用以下代码为托管服务身份创建令牌提供程序.
When you use Managed Service Identity(MSI) to authenticate, you need to create a token provider for the managed service identity with the following code.
TokenProvider.CreateManagedServiceIdentityTokenProvider(ServiceAudience.ServiceBusAudience).
这个TokenProvider 的实现使用 Microsoft.Azure.Services.AppAuthentication 库中的 AzureServiceTokenProvider.AzureServiceTokenProvider 将根据环境采用一定数量的不同方法来获取访问令牌.然后初始化客户端来操作服务总线.有关更多详细信息,您可以参考此 文章.
This TokenProvider's implementation uses the AzureServiceTokenProvider found in the Microsoft.Azure.Services.AppAuthentication library. AzureServiceTokenProvider will follow a set number of different methods, depending on the environment, to get an access token. And then initialize client to operate the servicebus.
For more details, you could refer to this article.
当您使用 servicebus connectionstring 访问其中使用共享访问令牌 (SAS) 令牌提供程序时,您可以直接操作.
When you use servicebus connectionstring to access which using the Shared Access Token (SAS) token provider, so you can operate directly.
这篇关于如何在 Azure Function 中使用 Azure 托管标识通过触发器访问服务总线?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
