Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
632 views
in Technique[技术] by (71.8m points)

authentication - Authorising Azure Function App Http endpoint from Data Factory

We are currently developing a ETL solution in Azure Data Factory that requires calling out to an Azure Function App HTTP trigger. Out Data Factory instance has a Managed Identity configured and I was wondering how I can secure the Azure Function App to only allow access from the Data Factroy Managed Identity?

I have previously used Azure Function Apps System Assigned Managed Identities to access other resources (Key Vault) so I understand the basic concepts but I am struggling to understand if using System Assigned Managed Identities as a authorisation and authentication mechanism on Azure Function Apps is possible.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

Yes, you can, please follow the steps below.

1.Navigate to your function app in the portal -> Authentication / Authorization -> configure it with Azure AD auth, follow this doc. Note: In Express, we select Create New AD App, it will reduce unnecessary trouble.

After configuration, it will be like below.

enter image description here

2.After a while, navigate to Azure Active Directory in the portal -> App registrations -> search for your function app name with the filter All applications -> click it -> App roles | Preview -> Create app role -> create the role like below -> Apply.

enter image description here

Navigate to Overview -> click Managed application in local directory.

enter image description here

In the Properties -> set User assignment required? to Yes.

enter image description here

3.Use the powershell below to give the app role to your MSI(managed identity), replace the <datafactory-name> and <functionapp-name>.

Make sure you have installed the AzureAD powershell module and have enough permission to assign the app role.

Connect-AzureAD
$MSI = Get-AzureADServicePrincipal -Filter "displayName eq '<datafactory-name>'"
$funapp = Get-AzureADServicePrincipal -Filter "displayName eq '<functionapp-name>'"
$PermissionName = "Function.Test"
$approle = $funapp.AppRoles | Where-Object {$_.Value -eq $PermissionName}
New-AzureADServiceAppRoleAssignment -ObjectId $MSI.ObjectId -PrincipalId $MSI.ObjectId -ResourceId $funapp.ObjectId -Id $approle.Id

enter image description here

4.Navigate to the httptrigger in your function app, set the Authorization level to Anonymous, because we have configured AAD auth.

enter image description here

5.Then in your ADF, create a web activity to test, use the settings like below.

URL - https://<functionapp-name>.azurewebsites.net/api/HttpTrigger1

Resource - https://<functionapp-name>.azurewebsites.net

enter image description here

Run it, it will work fine.

enter image description here

In this solution, we secure the function with the app role, if you don't give the role to your MSI i.e. step 3, the MSI will not be able to access the function, in another word, if you just give the role only to your MSI, only your MSI will be able to access the function.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

2.1m questions

2.1m answers

60 comments

57.0k users

...