ARM template for an Event Grid API connection with managed identity

Time: 2021-01-27 09:11:30

Tags: azure azure-logic-apps azure-resource-manager azure-eventgrid

When creating a new Event Grid connection from a Logic App, you can choose from the following 3 connection authentication methods:

  1. Sign in
  2. Service principal
  3. Managed identity

#1 Sign in requires the user to log in / authenticate interactively.

#2 Service principal requires the Tenant, Client ID and Client Secret values to be provided.

It is quite clear how the ARM template for such an API connection needs to be modified: parameterValues must be added as follows:

"parameterValues": {
  "token:clientId": "[parameters('ConnectionClientId')]",
  "token:clientSecret": "[parameters('ConnectionClientSecret')]",
  "token:TenantId": "[parameters('ConnectionTenantId')]",
  "token:resourceUri": "https://management.core.windows.net/",
  "token:grantType": "client_credentials"
}

#3 Managed identity only requires selecting the managed identity. While it is clear how to create such an API connection interactively, I could not find any information about the ARM template format for this authentication method.

So the question is: what should the ARM template for an Event Grid connection with managed identity look like, so that the created API connection looks like this:

[Image: API Connection with managed identity]

2 answers:

Answer 0 (score: 1)

For now the answer seems to be, since this is still in preview (afaik):

To create a managed identity API connection with an ARM template, you need to include "parameterValueType": "Alternative"

"properties": {
  "displayName": "ARM API connection",
  "customParameterValues": {},
  "parameterValueType": "Alternative",
  "api": {
    "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/arm')]"
  }
}

I did not find any documentation on this property. The only way I found it was by looking at the raw JSON (JSON view) of the API connection I had created through the portal.

Answer 1 (score: 0)

If you want to create an Event Grid API connection with a managed identity, please refer to the following steps:

  1. Enable the system-assigned identity on the Azure Logic App
{
   "apiVersion": "2016-06-01",
   "type": "Microsoft.logic/workflows",
   "name": "[variables('logicappName')]",
   "location": "[resourceGroup().location]",
   "identity": {
      "type": "SystemAssigned"
   },
   "properties": {
      "definition": {
         "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
         "actions": {},
         "parameters": {},
         "triggers": {},
         "contentVersion": "1.0.0.0",
         "outputs": {}
      },
      "parameters": {}
   },
   "dependsOn": []
}
  2. Grant the identity access to the resource
{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Authorization/roleAssignments",
            "apiVersion": "2018-09-01-preview",
            "name": "[guid(resourceGroup().id)]",
            "properties": {
                "roleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
                "principalId": "[reference(resourceId('Microsoft.Logic/workflows','<logic app name>'),'2016-06-01','Full').identity.principalId]"
            }
        }
    ]
}
  3. Create the connection
{
    "type": "Microsoft.Web/connections",
    "apiVersion": "2016-06-01",
    "name": "",
    "location": "",
    "kind": "V1",
    "properties": {
        "displayName": "test",
        "customParameterValues": {},
        "api": {
            "id": "/subscriptions/<>/providers/Microsoft.Web/locations/<>/managedApis/azureeventgrid"
        }
    }
}
  4. Create the trigger
{
    "definition": {
        "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json",
        "actions": {},
        "contentVersion": "1.0.0.0",
        "outputs": {},
        "parameters": {
            "$connections": {
                "defaultValue": {},
                "type": "Object"
            }
        },
        "triggers": {
            "When_a_resource_event_occurs": {
                "inputs": {
                    "body": {
                        "properties": {
                            "destination": {
                                "endpointType": "webhook",
                                "properties": {
                                    "endpointUrl": "@{listCallbackUrl()}"
                                }
                            },
                            "topic": ""
                        }
                    },
                    "host": {
                        "connection": {
                            "name": "@parameters('$connections')['azureeventgrid']['connectionId']"
                        }
                    },
                    "path": "/subscriptions/{Azure-subscription-ID}/providers/{}/resource/eventSubscriptions",
                    "queries": {
                        "x-ms-api-version": "2017-09-15-preview"
                    }
                },
                "splitOn": "@triggerBody()",
                "type": "ApiConnectionWebhook"
            }
        }
    },
    "parameters": {
        "$connections": {
            "value": {
                "azureeventgrid": {
                    "connectionId": "/subscriptions/{Azure-subscription-ID}/resourceGroups/{resourcegroup}/providers/Microsoft.Web/connections/{connection-name}",
                    "connectionName": "{connection-name}",
                    "connectionProperties": {
                        "authentication": {
                            "type": "ManagedServiceIdentity"
                        }
                    },
                    "id": "/subscriptions/{Azure-subscription-ID}/providers/Microsoft.Web/locations/{Azure-region}/managedApis/azureeventgrid"
                }
            }
        }
    }
}

For details, please refer to

https://docs.microsoft.com/en-us/azure/logic-apps/create-managed-service-identity
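A small template check that ties the two answers together, added here as an example and not part of either answer or of Microsoft's tooling: it classifies each Microsoft.Web/connections resource by whether it carries a client secret in parameterValues or the "parameterValueType": "Alternative" marker from answer 0, and for each workflow whose $connections entry declares ManagedServiceIdentity authentication (answer 1) it verifies that the Logic App declares an identity and that the referenced connection is actually a managed-identity one. It generalises beyond the single-connection case on the page to any number of resources; the sample template, resource names and function names are this example's own.

```python
# Constructed sample template (not from the post): a Logic App with a
# system-assigned identity whose $connections entry uses
# ManagedServiceIdentity, plus one service-principal and one MI connection.
SAMPLE_TEMPLATE = {
    "resources": [
        {"type": "Microsoft.Web/connections", "name": "eg-sp",
         "properties": {"parameterValues": {
             "token:clientId": "[parameters('ConnectionClientId')]",
             "token:clientSecret": "[parameters('ConnectionClientSecret')]",
             "token:grantType": "client_credentials"}}},
        {"type": "Microsoft.Web/connections", "name": "eg-mi",
         "properties": {"parameterValueType": "Alternative",
                        "customParameterValues": {}}},
        {"type": "Microsoft.Logic/workflows", "name": "eg-workflow",
         "identity": {"type": "SystemAssigned"},
         "properties": {"parameters": {"$connections": {"value": {
             "azureeventgrid": {
                 "connectionName": "eg-mi",
                 "connectionProperties": {"authentication": {
                     "type": "ManagedServiceIdentity"}}}}}}}},
    ]
}

def auth_method(conn: dict) -> str:
    """Classify one Microsoft.Web/connections resource by how it authenticates."""
    props = conn.get("properties", {})
    keys = {k.lower() for k in props.get("parameterValues", {})}
    if "token:clientsecret" in keys:
        return "client-secret"      # secret material is carried in the template
    if props.get("parameterValueType") == "Alternative":
        return "managed-identity"   # the marker answer 0 found in the portal JSON
    return "unspecified"

def lint_template(template: dict) -> list:
    """Return (resource name, finding) pairs for a deserialised ARM template."""
    res = template.get("resources", [])
    conns = {r["name"]: auth_method(r) for r in res
             if r.get("type", "").lower() == "microsoft.web/connections"}
    findings = list(conns.items())
    for wf in (r for r in res if r.get("type", "").lower() == "microsoft.logic/workflows"):
        has_identity = wf.get("identity", {}).get("type", "None") != "None"
        value = wf.get("properties", {}).get("parameters", {}).get("$connections", {}).get("value", {})
        for entry in value.values():
            auth = entry.get("connectionProperties", {}).get("authentication", {}).get("type")
            if auth == "ManagedServiceIdentity":
                if not has_identity:
                    findings.append((wf["name"], "msi-connection-without-identity"))
                if conns.get(entry.get("connectionName")) != "managed-identity":
                    findings.append((wf["name"], "msi-connection-targets-non-mi-connection"))
    return findings
```

Feed it `json.load(open("template.json"))` to check a real deployment template before it is committed; a "client-secret" finding means a credential is being passed through the template instead of using the Logic App's identity.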