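Granting an Azure Function access to the ARM REST API

Time: 2018-06-26 07:34:19

Tags: azure azure-functions azure-resource-manager azure-sql-server

Earlier this year I created an Azure Function that uses the Azure REST API to copy a database programmatically. This worked, but for some reason it has now stopped working.

To authenticate, the code in the Azure Function gets an authentication token...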

var azureServiceTokenProvider = new AzureServiceTokenProvider();
var accessToken = await azureServiceTokenProvider.GetAccessTokenAsync("https://management.azure.com/");
_httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

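We did something else in the Azure portal to grant the Azure Function permission to do this. I remember selecting the Azure Function itself from a dropdown (in one of the Access Control (IAM) panels, I think). Unfortunately, I can't remember what I did.

This has suddenly stopped working, and the Azure Function fails, saying...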

Parameters: Connectionstring: [No connection string specified], Resource: https://management.azure.com/, Authority: . Exception Message: Tried the following 4 methods to get an access token, but none of them worked.
Parameters: Connectionstring: [No connection string specified], Resource: https://management.azure.com/, Authority: . Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.
Parameters: Connectionstring: [No connection string specified], Resource: https://management.azure.com/, Authority: . Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Visual Studio Token provider file not found at "D:\local\LocalAppData\.IdentityService\AzureServiceAuth\tokenprovider.json"
Parameters: Connectionstring: [No connection string specified], Resource: https://management.azure.com/, Authority: . Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. 'az' is not recognized as an internal or external command,
operable program or batch file.

Parameters: Connectionstring: [No connection string specified], Resource: https://management.azure.com/, Authority: https://login.microsoftonline.com/common. Exception Message: Tried to get token using Active Directory Integrated Authentication. Access token could not be acquired. get_user_name_failed: Failed to get user name
Inner Exception : The format of the specified domain name is invalid

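The call stack shows the error occurring in AzureServiceTokenProvider.GetAccessTokenAsync() in my code snippet above.

I haven't changed anything in the code, but someone else on the team may have recreated things in Azure, which means we need to redo whatever we did in the portal (as mentioned above).

While doing this, I also can't find the article I was supposed to have followed. Whichever IAM panel I go to (whether for the subscription itself or for the SQL server instance), I can select Assign access to Function App, but it always says No Function App in this resource group can be assigned access.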


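Any ideas what I'm missing? How do I grant the Function App permission to make Resource Manager REST requests for database management?

1 answer:

Answer 0 (score: 2)

According to your description, it seems that MSI is turned off for the Azure Function. You could try turning on MSI through the Azure Function's platform features.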


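If we want to operate on the Azure database, as you mentioned, we need to set up IAM on the Azure database server to allow the Azure Function to operate on the database resources.

If MSI is on for the Azure Function, we can find the Azure Function in the dropdown list.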


I also did a demo for it. I tested the list databases by server API. It works correctly on my side.

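An added example (not code from the question or the answer) of a check, run inside the Function App, that separates the two failure modes discussed here: managed identity switched off on the app versus a missing role assignment on the SQL server. The class and method names, the subscription, resource group and server arguments, and the `2014-04-01` API version are assumptions for illustration.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Azure.Services.AppAuthentication;

public static class MsiDiagnostics // hypothetical helper, not from the page
{
    private const string Arm = "https://management.azure.com/";
    private static readonly HttpClient Http = new HttpClient();
    // App Service sets these only when a managed identity is enabled on the app.
    public static bool MsiEnabled() =>
        Environment.GetEnvironmentVariable("MSI_ENDPOINT") != null ||
        Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT") != null;
    // Reads the JWT payload without validating it; for troubleshooting only.
    public static string DecodePayload(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Not a JWT.");
        var b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        return Encoding.UTF8.GetString(Convert.FromBase64String(b64));
    }

    public static async Task<string> ListDatabasesAsync(string subscriptionId, string resourceGroup, string server)
    {
        if (!MsiEnabled())
            throw new InvalidOperationException("No MSI endpoint: managed identity is off for this app.");
        var token = await new AzureServiceTokenProvider().GetAccessTokenAsync(Arm);
        // The "oid" claim is the principal that needs a role on the SQL server.
        Console.WriteLine(DecodePayload(token));
        var url = $"{Arm}subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}" +
                  $"/providers/Microsoft.Sql/servers/{server}/databases?api-version=2014-04-01";
        // Set the header per request: a token cached in DefaultRequestHeaders goes stale.
        using (var req = new HttpRequestMessage(HttpMethod.Get, url))
        {
            req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
            using (var resp = await Http.SendAsync(req))
            {
                var body = await resp.Content.ReadAsStringAsync();
                if ((int)resp.StatusCode == 403) // token is valid, role assignment is missing
                    throw new UnauthorizedAccessException(body);
                resp.EnsureSuccessStatusCode();
                return body;
            }
        }
    }
}
```

An `InvalidOperationException` points at the platform setting the answer describes; an `UnauthorizedAccessException` means the identity exists but still needs a role on the SQL server or its resource group.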