我的工作特别是要使用AzureDevOps构建代理以默认配置完全自动化操作。
我正在尝试使用App Service托管身份(https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity)访问SQL数据库。
整个资源组由AzureDevOps构建代理在单个部署期间创建。
我的部署的简化版:
New-AzResourceGroup `
-Name $Env:RESOURCEGROUP_NAME `
-Location $Env:AZURE_REGION_COMMON `
-Force
#Create the functionapp
New-AzResource `
-ResourceGroupName $Env:RESOURCEGROUP_NAME `
-location $Env:AZURE_REGION_COMMON `
-ResourceName $Env:APPFUNCTIONS_NAME_SAFE `
-Kind 'functionapp' `
-ResourceType 'Microsoft.Web/Sites' `
-Properties @{} `
-Force
#Apply the Managed Service Identity
Set-AzWebApp `
-ResourceGroupName $Env:RESOURCEGROUP_NAME `
-Name $Env:APPFUNCTIONS_NAME_SAFE `
-AssignIdentity $true
# Create Sql Server
New-AzSqlServer `
-ResourceGroupName $Env:RESOURCEGROUP_NAME `
-location $Env:AZURE_REGION_COMMON `
-ServerName $Env:SQLSERVER_NAME_SAFE `
-ServerVersion $Env:SQLSERVER_VERSION `
-SqlAdministratorCredentials (New-Object `
-TypeName System.Management.Automation.PSCredential `
-ArgumentList $Env:SQLSERVER_ADMIN_USERNAME, (ConvertTo-SecureString -String $Env:SQLSERVER_ADMIN_PASSWORD -AsPlainText -Force)) `
-AssignIdentity
#Update Sql Server Firewall Rules for Azure
New-AzSqlServerFirewallRule `
-ResourceGroupName $Env:RESOURCEGROUP_NAME `
-ServerName $Env:SQLSERVER_NAME_SAFE `
-AllowAllAzureIPs
#Update Sql Server Firewall Rules for non-Azure build machine
$ip = Invoke-RestMethod http://ipinfo.io/json | Select -exp ip
New-AzSqlServerFirewallRule `
-ResourceGroupName $Env:RESOURCEGROUP_NAME `
-ServerName $Env:SQLSERVER_NAME_SAFE `
-FirewallRuleName "BuildMachine" `
-StartIpAddress $ip `
-EndIpAddress $ip
#Create Sql Database
New-AzSqlDatabase `
-ResourceGroupName $Env:RESOURCEGROUP_NAME `
-ServerName $Env:SQLSERVER_NAME_SAFE `
-DatabaseName $Env:SQLSERVER_DATABASE_NAME
在这一点上;我找不到构建代理可以运行以授予身份标识数据库权限的任何Powershell。
我确实找到了一些建议,建议在数据库上运行类似的内容
CREATE USER [$Env:APPFUNCTIONS_NAME_SAFE] FROM EXTERNAL PROVIDER
ALTER ROLE db_datareader ADD MEMBER [$Env:APPFUNCTIONS_NAME_SAFE]
ALTER ROLE db_datawriter ADD MEMBER [$Env:APPFUNCTIONS_NAME_SAFE]
这是我一直专注于努力的地方。
当我以数据库管理员身份登录数据库时(请参见上面的SqlAdministratorCredentials),然后出现以下异常
Exception calling "ExecuteNonQuery" with "0" argument(s): "Principal '<value of Env:$APPFUNCTIONS_NAME_SAFE>' could not be created. Only connections established with Active Directory accounts can create other Active Directory users.
要解决这个问题,我手动添加了一个AAD组,即与该组的azure devops服务连接。这使生成代理可以通过AAD向Sql Server进行身份验证。
再次部署,我得到System.Management.Automation.MethodInvocationException: Exception calling "Open" with "0" argument(s): "One or more errors occurred." ---> System.AggregateException: One or more errors occurred. ---> System.AggregateException: One or more errors occurred. ---> AdalException: No mapping between account names and security IDs was done.
这带给我-如何自动将AppService身份验证到Sql数据库?
这是我作为构建代理执行SQL的方式
function Get-SqlServer{
Get-AzSqlServer `
-ResourceGroupName $Env:RESOURCEGROUP_NAME `
-ServerName $Env:SQLSERVER_NAME_SAFE `
-ErrorAction Ignore
}
function Add-User-Sql($database, $sql){
$server = "tcp:$((Get-SqlServer).FullyQualifiedDomainName),1433"
$adminName = $Env:SQLSERVER_ADMIN_USERNAME
$adminPassword = $Env:SQLSERVER_ADMIN_PASSWORD
$connectionString = "Server=$server;Database=$database;User ID=$adminName;Password=$adminPassword;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;"
#$connectionString = "Data Source=$server; Authentication=Active Directory Integrated; Initial Catalog=$database;";
$connection = New-Object -TypeName System.Data.SqlClient.SqlConnection($connectionString)
$command = New-Object -TypeName System.Data.SqlClient.SqlCommand($sql, $connection)
Write-Host "Add User [database=$database] on SqlServer [$Env:SQLSERVER_NAME_SAFE]"
Write-Host $sql
$connection.Open()
$command.ExecuteNonQuery()
$connection.Close()
}
清理脚本
Remove-AzResourceGroup `
-Name $Env:RESOURCEGROUP_NAME `
-Force
答案 0 :(得分:0)
也许我遗漏了一些东西,但是由于您的解释和AFAIK的最新错误(“未完成帐户名称和安全ID之间的映射”),您所遵循的流程是因为角色成员无效或陈旧某种方式。
关于您对将AppService身份自动验证到Sql数据库的方式的问题,请尝试this文档中提供的命令(如果尚未安装)。
与此主题相关的其他参考文献:
Use Azure SQL Database from App Service with Managed Identity (Without Code Changes)/
Securing Azure SQL Databases with managed identities just got easier
希望此信息对您有所帮助!!干杯!