验证系统分配给事件网格 API 连接的标识
Authenticate system assigned identity to Event Grid API connection
任何人都可以帮我在 ARM 模板中找到系统分配身份的客户端密码,或者建议替代方法吗?
我有一个 ARM 模板,它创建了一个具有系统分配标识的逻辑应用程序,现在我想设置一个 API 连接以从事件网格触发(不使用门户 UI 或单独的 powershell 命令)。
我不知道如何获取系统分配身份的客户端密码。这将使我能够遵循前面这些问题的答案:
这是我目前的情况:
"resources": [
{
"apiVersion": "2016-06-01",
"type": "Microsoft.logic/workflows",
"name": "[variables('logicName')]",
"location": "[resourceGroup().location]",
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [
"[variables('connections_azuretables_name')]"
],
"properties": {
"state": "Enabled",
"definition": {
<<SNIP>>
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('azureEventGridConnectionAPIName')]",
"location": "[resourceGroup().location]",
"properties": {
"api": {
"id": "[concat('/subscriptions/subscriptionId', '/providers/Microsoft.Web/locations/', 'eastasia', '/managedApis/', 'azureeventgrid')]"
},
"parameterValues": {
"token:clientId": "[reference(variables('logicName'), '2016-06-01', 'Full').identity.principalId]",
"token:clientSecret": "########### STUCK HERE #################",
"token:TenantId": "[reference(variables('logicName'), '2016-06-01', 'Full').identity.tenantId]",
"token:grantType": "client_credentials"
},
"displayName": "[variables('azureEventGridConnectionAPIName')]"
},
"dependsOn": []
}
],
托管身份没有客户端密码。它只有您无法访问的证书。
模板必须在逻辑应用程序中执行才能获取访问令牌,我怀疑它能否做到这一点。
对于任何想知道的人,手动创建服务主体然后将其输入 ARM 模板非常简单:
> az ad sp create-for-rbac --name MyPrincipal
{
"appId": "##############",
"displayName": "MyPrincipal",
"name": "http://MyPrincipal",
"password": "##############",
"tenant": "##############"
}
现在将appId(作为clientId)password(作为clientSecret)和tenant(作为tenantId)传递到parameterValues 块在 Microsoft.Web/connections 中。这将为您的逻辑应用设置事件网格 API 连接,但会影响访问策略和 ARM 模板之外的身份管理开销。
我使用的实际解决方案是在事件网格上创建一个 webhook 事件订阅,然后将我的逻辑应用程序设置为具有 web 挂钩触发器。这很好用。
这是一个示例解决方案:
{
"name": "[parameters('topicName')]",
"type": "Microsoft.EventGrid/topics",
"location": "[resourceGroup().location]",
"apiVersion": "2018-01-01",
"properties": { }
},
{
"name": "[concat(parameters('topicName'), '/Microsoft.EventGrid/', variables('topicSubscriptionName'))]",
"type": "Microsoft.EventGrid/topics/providers/eventSubscriptions",
"location": "[resourceGroup().location]",
"apiVersion": "2018-01-01",
"properties": {
"destination": {
"endpointType": "WebHook",
"properties": {
"endpointUrl": "[listCallbackURL(resourceId('Microsoft.Logic/workflows/triggers', parameters('logicName'), 'WorkaroundWebhookTrigger'), '2016-06-01').value]"
}
},
"filter": {
"includedEventTypes": [
"All"
]
}
},
"dependsOn": [
"[parameters('topicName')]",
"[parameters('logicName')]"
]
},
{
"apiVersion": "2016-06-01",
"type": "Microsoft.logic/workflows",
"name": "[parameters('logicName')]",
"location": "[resourceGroup().location]",
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"WorkaroundWebhookTrigger": {
"type": "Request",
"kind": "Http",
"inputs": {
"schema": {
"properties": {
"data": {
"properties": {
"lorem": {
"type": "integer"
},
"ipsum": {
"type": "string"
}
},
"type": "object"
},
"dataVersion": {
"type": "string"
},
"eventTime": {
"type": "string"
},
"eventType": {
"type": "string"
},
"id": {
"type": "string"
},
"metadataVersion": {
"type": "string"
},
"subject": {
"type": "string"
},
"topic": {
"type": "string"
}
},
"type": "object"
}
}
}
},
<snip>
任何人都可以帮我在 ARM 模板中找到系统分配身份的客户端密码,或者建议替代方法吗?
我有一个 ARM 模板,它创建了一个具有系统分配标识的逻辑应用程序,现在我想设置一个 API 连接以从事件网格触发(不使用门户 UI 或单独的 powershell 命令)。
我不知道如何获取系统分配身份的客户端密码。这将使我能够遵循前面这些问题的答案:
这是我目前的情况:
"resources": [
{
"apiVersion": "2016-06-01",
"type": "Microsoft.logic/workflows",
"name": "[variables('logicName')]",
"location": "[resourceGroup().location]",
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [
"[variables('connections_azuretables_name')]"
],
"properties": {
"state": "Enabled",
"definition": {
<<SNIP>>
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('azureEventGridConnectionAPIName')]",
"location": "[resourceGroup().location]",
"properties": {
"api": {
"id": "[concat('/subscriptions/subscriptionId', '/providers/Microsoft.Web/locations/', 'eastasia', '/managedApis/', 'azureeventgrid')]"
},
"parameterValues": {
"token:clientId": "[reference(variables('logicName'), '2016-06-01', 'Full').identity.principalId]",
"token:clientSecret": "########### STUCK HERE #################",
"token:TenantId": "[reference(variables('logicName'), '2016-06-01', 'Full').identity.tenantId]",
"token:grantType": "client_credentials"
},
"displayName": "[variables('azureEventGridConnectionAPIName')]"
},
"dependsOn": []
}
],
托管身份没有客户端密码。它只有您无法访问的证书。
模板必须在逻辑应用程序中执行才能获取访问令牌,我怀疑它能否做到这一点。
对于任何想知道的人,手动创建服务主体然后将其输入 ARM 模板非常简单:
> az ad sp create-for-rbac --name MyPrincipal
{
"appId": "##############",
"displayName": "MyPrincipal",
"name": "http://MyPrincipal",
"password": "##############",
"tenant": "##############"
}
现在将appId(作为clientId)password(作为clientSecret)和tenant(作为tenantId)传递到parameterValues 块在 Microsoft.Web/connections 中。这将为您的逻辑应用设置事件网格 API 连接,但会影响访问策略和 ARM 模板之外的身份管理开销。
我使用的实际解决方案是在事件网格上创建一个 webhook 事件订阅,然后将我的逻辑应用程序设置为具有 web 挂钩触发器。这很好用。
这是一个示例解决方案:
{
"name": "[parameters('topicName')]",
"type": "Microsoft.EventGrid/topics",
"location": "[resourceGroup().location]",
"apiVersion": "2018-01-01",
"properties": { }
},
{
"name": "[concat(parameters('topicName'), '/Microsoft.EventGrid/', variables('topicSubscriptionName'))]",
"type": "Microsoft.EventGrid/topics/providers/eventSubscriptions",
"location": "[resourceGroup().location]",
"apiVersion": "2018-01-01",
"properties": {
"destination": {
"endpointType": "WebHook",
"properties": {
"endpointUrl": "[listCallbackURL(resourceId('Microsoft.Logic/workflows/triggers', parameters('logicName'), 'WorkaroundWebhookTrigger'), '2016-06-01').value]"
}
},
"filter": {
"includedEventTypes": [
"All"
]
}
},
"dependsOn": [
"[parameters('topicName')]",
"[parameters('logicName')]"
]
},
{
"apiVersion": "2016-06-01",
"type": "Microsoft.logic/workflows",
"name": "[parameters('logicName')]",
"location": "[resourceGroup().location]",
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"WorkaroundWebhookTrigger": {
"type": "Request",
"kind": "Http",
"inputs": {
"schema": {
"properties": {
"data": {
"properties": {
"lorem": {
"type": "integer"
},
"ipsum": {
"type": "string"
}
},
"type": "object"
},
"dataVersion": {
"type": "string"
},
"eventTime": {
"type": "string"
},
"eventType": {
"type": "string"
},
"id": {
"type": "string"
},
"metadataVersion": {
"type": "string"
},
"subject": {
"type": "string"
},
"topic": {
"type": "string"
}
},
"type": "object"
}
}
}
},
<snip>