Question
We are currently developing an ETL solution in Azure Data Factory that requires calling out to an Azure Function App HTTP trigger. Our Data Factory instance has a Managed Identity configured and I was wondering how I can secure the Azure Function App to only allow access from the Data Factory Managed Identity?
I have previously used Azure Function Apps System Assigned Managed Identities to access other resources (Key Vault) so I understand the basic concepts but I am struggling to understand if using System Assigned Managed Identities as an authorisation and authentication mechanism on Azure Function Apps is possible.
Answer 1:
Yes, you can, please follow the steps below.
1. Navigate to your function app in the portal -> Authentication / Authorization -> configure it with Azure AD auth, follow this doc. Note: In Express, we select Create New AD App, it will reduce unnecessary trouble.
After configuration, it will be like below.
2. After a while, navigate to Azure Active Directory in the portal -> App registrations -> search for your function app name with the filter All applications -> click it -> App roles | Preview -> Create app role -> create the role like below -> Apply.
Navigate to Overview -> click Managed application in local directory.
In the Properties -> set User assignment required? to Yes.
3. Use the powershell below to give the app role to your MSI (managed identity), replace the <datafactory-name> and <functionapp-name>.
Make sure you have installed the AzureAD powershell module and have enough permission to assign the app role.
# Sign in with an account that can create app role assignments in the tenant
Connect-AzureAD
# Service principal of the Data Factory managed identity (the caller)
$MSI = Get-AzureADServicePrincipal -Filter "displayName eq '<datafactory-name>'"
# Service principal of the function app's AD app (the resource being protected)
$funapp = Get-AzureADServicePrincipal -Filter "displayName eq '<functionapp-name>'"
# Value of the app role created in step 2
$PermissionName = "Function.Test"
$approle = $funapp.AppRoles | Where-Object {$_.Value -eq $PermissionName}
# Assign the role to the MSI on the function app's service principal
New-AzureADServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId -ResourceId $funapp.ObjectId -Id $approle.Id
4. Navigate to the httptrigger in your function app, set the Authorization level to Anonymous, because we have configured AAD auth.
5. Then in your ADF, create a web activity to test, use the settings like below.
URL - https://<functionapp-name>.azurewebsites.net/api/HttpTrigger1
Resource - https://<functionapp-name>.azurewebsites.net
Run it, it will work fine.
In this solution, we secure the function with the app role. If you don't give the role to your MSI, i.e. step 3, the MSI will not be able to access the function; in other words, if you give the role only to your MSI, only your MSI will be able to access the function.
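Because step 4 sets the trigger's own authorization level to Anonymous, the function relies entirely on the App Service authentication layer in front of it. The check below is an added example, not code from the answer or from Azure's SDKs: it shows how the function body can additionally verify the Function.Test app role (and optionally the Data Factory MSI's object id) from the X-MS-CLIENT-PRINCIPAL header that App Service Authentication injects for authenticated calls. Assumptions: the header's base64-encoded JSON layout as documented for App Service auth, a plain dict of headers in place of an azure.functions HttpRequest, and a placeholder object id.

```python
import base64
import json

# App role value created in step 2 and assigned to the ADF managed identity in step 3
REQUIRED_ROLE = "Function.Test"


def parse_client_principal(header_value: str) -> dict:
    """Decode the base64 JSON that App Service Authentication puts in X-MS-CLIENT-PRINCIPAL.
    Assumed layout: {"auth_typ": "aad", "claims": [{"typ": ..., "val": ...}, ...]}."""
    return json.loads(base64.b64decode(header_value))


def caller_is_authorized(headers: dict, required_role: str = REQUIRED_ROLE, allowed_oids=None) -> bool:
    """True only if the authenticated principal carries the app role and, when an
    allow-list of object ids is given, is one of those identities."""
    # Match header names case-insensitively, as Azure Functions does for req.headers
    lowered = {k.lower(): v for k, v in headers.items()}
    header_value = lowered.get("x-ms-client-principal")
    if not header_value:
        return False  # no authenticated identity: refuse instead of serving anonymously
    try:
        principal = parse_client_principal(header_value)
    except (ValueError, TypeError):
        return False  # malformed header is treated as unauthenticated
    if principal.get("auth_typ") != "aad":
        return False
    claims = {}
    for claim in principal.get("claims", []):
        claims.setdefault(claim.get("typ"), []).append(claim.get("val"))
    if required_role not in claims.get("roles", []):
        return False  # token was issued for this app but without the app role
    if allowed_oids is not None and not (set(claims.get("oid", [])) & set(allowed_oids)):
        return False  # authenticated, but not the Data Factory MSI we expect
    return True


def build_client_principal(claims, auth_typ: str = "aad") -> str:
    """Build a constructed X-MS-CLIENT-PRINCIPAL value for local testing (not a real token)."""
    payload = {"auth_typ": auth_typ, "claims": [{"typ": t, "val": v} for t, v in claims]}
    return base64.b64encode(json.dumps(payload).encode()).decode()


# Constructed samples; the object id is a placeholder, not a real tenant value
ADF_MSI_OID = "00000000-0000-0000-0000-000000000001"
SAMPLE_OK = {"X-MS-CLIENT-PRINCIPAL": build_client_principal([("oid", ADF_MSI_OID), ("roles", REQUIRED_ROLE)])}
SAMPLE_NO_ROLE = {"X-MS-CLIENT-PRINCIPAL": build_client_principal([("oid", ADF_MSI_OID)])}
```

In a real function, pass `req.headers` to `caller_is_authorized` and return a 403 response when it is false; the role check complements, rather than replaces, the "User assignment required" setting from step 2.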
Source: https://stackoverflow.com/questions/65178711/authorising-azure-function-app-http-endpoint-from-data-factory