Grant Azure Function access to ARM REST API
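Earlier this year I created an Azure Function that uses the Azure REST API to copy a database programmatically. That worked, but for some reason it has now stopped working.
To authenticate, the code in the Azure Function obtains an authentication token...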
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var accessToken = await azureServiceTokenProvider.GetAccessTokenAsync("https://management.azure.com/");
_httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
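We also did something else in the Azure portal to grant the Azure Function permission to do this. I remember selecting the Azure Function itself from a drop-down list (I think in one of the Access Control (IAM) panels). Unfortunately, I can't remember what I did.
This suddenly stopped working, with the Azure Function failing, saying...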
Parameters: Connectionstring: [No connection string specified], Resource: https://management.azure.com/, Authority: . Exception Message: Tried the following 4 methods to get an access token, but none of them worked.
Parameters: Connectionstring: [No connection string specified], Resource: https://management.azure.com/, Authority: . Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.
Parameters: Connectionstring: [No connection string specified], Resource: https://management.azure.com/, Authority: . Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Visual Studio Token provider file not found at "D:\local\LocalAppData\.IdentityService\AzureServiceAuth\tokenprovider.json"
Parameters: Connectionstring: [No connection string specified], Resource: https://management.azure.com/, Authority: . Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. 'az' is not recognized as an internal or external command,
operable program or batch file.
Parameters: Connectionstring: [No connection string specified], Resource: https://management.azure.com/, Authority: https://login.microsoftonline.com/common. Exception Message: Tried to get token using Active Directory Integrated Authentication. Access token could not be acquired. get_user_name_failed: Failed to get user name
Inner Exception : The format of the specified domain name is invalid
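The call stack shows that the error is in AzureServiceTokenProvider.GetAccessTokenAsync() in my code snippet above.
I have not changed any code, but someone else on the team may have recreated something in Azure, so that whatever we did in the portal (as described above) needs to be redone.
I also can't find the article I would originally have followed when I did this. Whichever IAM panel I go to (whether the subscription itself or the SQL server instance), I can choose Assign access to Function App, but it always says No Function App in this resource group can be assigned access.
Any idea what I'm missing? How do I grant the Function App permission to make Resource Manager REST requests for database management?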
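Based on your description, it seems that MSI is turned off for the Azure Function. You could try turning MSI on using the Azure Function platform features.
If we want to operate on an Azure database, as you mentioned, we need to set up IAM on the Azure database server to allow the Azure Function to operate on the database resources.
If MSI is on for the Azure Function, we can find the Azure Function in the drop-down list.
I also made a demo. I tested the list databases by server API. It works fine on my side.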
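The two portal steps from the answer (turn on the managed identity, then grant it access on the SQL server) can also be scripted with the Azure CLI. This is an added example, not part of the original question or answer; every resource name is a placeholder, and the "SQL DB Contributor" role is an assumed choice that should be replaced by the narrowest role that covers the REST calls the function makes.

```shell
#!/bin/sh
# Added example: enable the Function App's system-assigned identity and grant it
# a role scoped to one SQL server. All resource names below are placeholders.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-example-rg}"    # placeholder
FUNCTION_APP="${FUNCTION_APP:-example-func}"      # placeholder
SQL_SERVER="${SQL_SERVER:-example-sqlserver}"     # placeholder
ROLE="${ROLE:-SQL DB Contributor}"                # assumed role, see lead-in

# ARM resource ID of the SQL server: the narrowest scope that covers its databases.
sql_server_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Sql/servers/%s' \
    "$1" "$2" "$3"
}

# Turn on the system-assigned identity and print its principal (object) ID.
enable_identity() {
  az functionapp identity assign \
    --name "$FUNCTION_APP" --resource-group "$RESOURCE_GROUP" \
    --query principalId --output tsv
}

# Assign the role to that principal on the SQL server only, not the subscription.
grant_role() {
  az role assignment create \
    --assignee-object-id "$1" --assignee-principal-type ServicePrincipal \
    --role "$ROLE" --scope "$2"
}

main() {
  scope="$(sql_server_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$SQL_SERVER")"
  # Default mode only prints the plan; pass "apply" to change anything in Azure.
  if [ "${1:-plan}" != "apply" ]; then
    echo "Would enable identity on $FUNCTION_APP and grant '$ROLE' at $scope"
    return 0
  fi
  principal_id="$(enable_identity)"
  grant_role "$principal_id" "$scope"
  # Confirm the assignment exists at the intended scope.
  az role assignment list --assignee "$principal_id" --scope "$scope" --output table
}

main "$@"
```

If the identity is ever disabled and re-enabled, or the Function App is recreated, the principal ID changes and the role assignment has to be created again for the new principal.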