Authenticate from Azure Logic app to Azure Function using Managed Identity

Submitted by 試著忘記壹切 on 2020-03-22 09:22:51

Question


I am trying to configure the security for a Logic App and Azure Function. The Azure Function has an HTTP Trigger. So far I have done the following:

  1. Created the Azure Function with some basic functionality (write query in request to log).
  2. Created the Logic App (recurrence trigger, HTTP to trigger the Azure Function)
  3. Tested that the Logic App successfully calls the Azure Function
  4. Added a managed identity to the Logic App
  5. Enabled Azure AD Authentication/Authorisation on the Azure Function App and used the express configuration which created the App Registration in Azure AD for the Function App.
  6. Added Managed Identity as the Authentication method in the HTTP action within the Logic App.

When I run the Logic App it shows that the HTTP action fails because it's unauthorized. Can anyone tell me what I'm missing? I've found a few tutorials on how to access a KeyVault (for example) using a similar approach, but nothing for an Azure Function. I feel like I need to tell the App Registration that the Managed Identity for the Logic App has permissions, but I don't know if this is correct, nor how to do it.


Answer 1:


Firstly, to get past the unauthorized error that you're currently getting when Logic App calls your Azure Function, you need to make sure that your Logic App is acquiring the token to authenticate to the Function correctly.

I quickly tried out a logic app with Managed Identity like your setup to call an Azure Function with Azure AD authentication enabled. Here are the detailed steps to follow.

  1. Add an HTTP Action in your Logic App that will be used to call your Azure Function.
  2. In my case it was a simple GET call with a URL like https://<myfunctionapp>.azurewebsites.net/api/simplefunction
  3. In Authentication select Managed Identity.
  4. Then add a new parameter and select the Audience checkbox.
  5. Change the value of the Audience parameter to the APP ID URI of your function app's Azure AD app registration. In my case this value looked like https://<myazureadtenant>.onmicrosoft.com/GUID

     You can find this APP ID URI value from Azure Portal > Azure AD > App Registrations > Registration for your function app > Settings > Properties

At this point, you should be able to test your logic app and at least call the Azure Function fine (unless your Azure Function restricts to only certain callers or requires specific permissions, more on that shortly.)

Here is how the full HTTP action looks in my case.

Next, once the basic call from the Logic App (with Managed Identity) to your Azure Function is being authenticated properly, the question is whether any application should be able to call your Azure Function, or only certain callers with specific permissions.

I have answered this part in detail with 2 approaches in this SO post: Is there a way to secure an Azure Function that will only be called from a specific Azure Logic App?. The second approach in that answer is very declarative, and you can even create multiple different application roles for different types of callers if needed for your function.
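The same HTTP action, written out as the Logic App's workflow definition rather than clicked through the designer. This is an added example and not part of the original answer; the function URL, the App ID URI used as the audience, and the one-hour recurrence are placeholders you replace with your own values. The `identity` block is what step 4 of the question ("added a managed identity to the Logic App") produces on the workflow resource, and the `authentication` block inside the HTTP action is what the designer's "Managed Identity" authentication plus the "Audience" parameter serialize to:

```json
{
  "type": "Microsoft.Logic/workflows",
  "apiVersion": "2019-05-01",
  "name": "call-function-with-msi",
  "location": "westeurope",
  "identity": {
    "type": "SystemAssigned"
  },
  "properties": {
    "state": "Enabled",
    "definition": {
      "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {},
      "triggers": {
        "Recurrence": {
          "type": "Recurrence",
          "recurrence": {
            "frequency": "Hour",
            "interval": 1
          }
        }
      },
      "actions": {
        "Call_Azure_Function": {
          "type": "Http",
          "runAfter": {},
          "inputs": {
            "method": "GET",
            "uri": "https://<myfunctionapp>.azurewebsites.net/api/simplefunction",
            "authentication": {
              "type": "ManagedServiceIdentity",
              "audience": "https://<myazureadtenant>.onmicrosoft.com/<GUID>"
            }
          }
        }
      },
      "outputs": {}
    }
  }
}
```

Two things to check if the call still comes back 401 after deploying this. First, the `audience` value must be an audience that the Function App's App Service authentication accepts (it is compared against the `aud` claim of the token the managed identity acquires); the App ID URI from the function app's registration is the value the answer above uses. Second, without an `audience` the Logic App has nothing to request a token for, so the HTTP action goes out with no usable bearer token, which is exactly the unauthorized result described in the question.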



Source: https://stackoverflow.com/questions/55739326/authenticate-from-azure-logic-app-to-azure-function-using-managed-identity
