
What is the correct way to authenticate an Azure Function app with a service principal?

Stack Overflow user
Asked on 2020-02-27 21:15:42
1 answer, 2.6K views, 0 followers, 3 votes

I have some code that I want to run automatically using an Azure Function app. The code is for cloud governance purposes and is only used internally by the governance team. Its purpose is to retrieve information about public IP addresses and write it to a blob. It will do this automatically every day.

I would like the operations to be performed by a dedicated cloud-governance service principal rather than a user account. How do I authenticate the function as the service principal? Do I need to use a Key Vault and authenticate in code? If so, how do I grant the function permission to use the Key Vault?


1 Answer

Stack Overflow user

Accepted answer

Posted on 2020-02-28 06:13:46

The high-level steps are:

  1. Create an AAD application (service principal).
  2. Create a Key Vault.
  3. Create a certificate in the Key Vault (see CreateKVSPNCertificate.ps1 below).
  4. Add that certificate to the AAD application (see CreateKVSPNCertificate.ps1 below).
  5. Create a managed identity for the Azure Function app.
  6. In the Key Vault, give the Function App's managed identity Get Secret permission.
  7. In the function code, use AzureServiceTokenProvider with a connection string to Key Vault to authenticate the function code as the service principal from step 1 (see GetAuthCredsFromKeyVault below).

CreateKVSPNCertificate.ps1

```powershell
# This script will have Key Vault create a certificate and associate the certificate with an Azure AD Application.
# This allows applications to get the private key (secret) from Key Vault to authenticate as the service principal associated with the Azure AD app.
#Requires -Modules Az.KeyVault, Az.Resources

[CmdletBinding()]
param(
  [Parameter(Mandatory = $true)]
  [String]$keyVaultName,
  [Parameter(Mandatory = $true)]
  [String]$appId,
  [Parameter()]
  [int]$validityInMonths = 12
)

# Key Vault will create a certificate, returning the cert from this function so the public key can be added to the AAD Application
function New-KeyVaultSelfSignedCert {
    param($keyVault, $certificateName, $subjectName, $validityInMonths, $renewDaysBefore)

    # Define the configuration for how the certificate will be created
    $policy = New-AzKeyVaultCertificatePolicy `
                -SubjectName $subjectName `
                -ReuseKeyOnRenewal `
                -IssuerName 'Self' `
                -ValidityInMonths $validityInMonths `
                -RenewAtNumberOfDaysBeforeExpiry $renewDaysBefore

    # Have Key Vault create the certificate.  This returns an operation status that needs to be waited on until it is complete
    $op = Add-AzKeyVaultCertificate `
                -VaultName $keyVault `
                -CertificatePolicy $policy `
                -Name $certificateName

    if ($null -eq $op)
    {
        # Certificate may have been soft-deleted which means the name is still reserved.
        # Look for a removed certificate with this exact name rather than any removed certificate in the vault.
        if ($null -ne (Get-AzKeyVaultCertificate -VaultName $keyVault -Name $certificateName -InRemovedState))
        {
            # Purge the soft deleted key and try adding the new one again
            # If the Purge fails with "Operation returned an invalid status code 'Forbidden'", then make sure your account explicitly has the Purge feature enabled in the Key Vault Access Policies (this access is not automatically granted)
            Write-Host "Previous certificate with same name $certificateName was in soft-delete state.  Attempting to Purge previous certificate and create new one.  Purge may take some time, in case of failure retry after a couple minutes."
            Remove-AzKeyVaultCertificate -VaultName $keyVault -Name $certificateName -InRemovedState -Force
            Start-Sleep -Seconds 15
            $op = Add-AzKeyVaultCertificate `
                -VaultName $keyVault `
                -CertificatePolicy $policy `
                -Name $certificateName
        }
    }

    # Poll the operation until Key Vault reports it finished
    while ( $op.Status -eq 'inProgress' )
    {
        Start-Sleep -Seconds 1
        $op = Get-AzKeyVaultCertificateOperation -VaultName $keyVault -Name $certificateName
    }
    if ($op.Status -ne 'completed')
    {
        Write-Error "Add-AzKeyVaultCertificate failed to complete"
        Write-Error ($op | Out-String)
        return $null
    }

    # Get the certificate that was just created and return it.  This gets the public cert, not the private cert
    (Get-AzKeyVaultCertificate -VaultName $keyVault -Name $certificateName).Certificate
}

# Get the Azure AD Application in order to get the display name
$existingApp = Get-AzADApplication -ApplicationId $appId

# Compare with -eq ("= $null" would be an assignment and the check would never fire); check before reading any property
if ($null -eq $existingApp)
{
    Write-Error "Couldn't find existing AAD Application $appId"
    exit 1
}
$appName = $existingApp.DisplayName

# Have Key Vault create a certificate
$certName = "SPCert-" + $appName
$cert = New-KeyVaultSelfSignedCert -keyVault $keyVaultName `
                                   -certificateName $certName `
                                   -subjectName "CN=$appName" `
                                   -validityInMonths $validityInMonths `
                                   -renewDaysBefore 1

if ($null -eq $cert) { exit 1 }

Write-Output ""
Write-Output "Certificate generated with:"
Write-Output "   Thumbprint = $($cert.Thumbprint)"
Write-Output "   Secret Name = $certName"
# Only the public certificate leaves Key Vault; the private key stays in the vault as the secret named $certName
$certString = [Convert]::ToBase64String($cert.GetRawCertData())
# Associate the public key with the Azure AD Application
New-AzADAppCredential -ApplicationId $appId -CertValue $certString -EndDate $cert.NotAfter.AddDays(-1)
```

In the function code, authenticate using the Key Vault certificate.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Azure.Management.ResourceManager.Fluent;
using Microsoft.Azure.Management.ResourceManager.Fluent.Authentication;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Rest;

// Builds Fluent-SDK credentials for the service principal whose certificate lives in Key Vault.
// The Function App's managed identity authorises the Key Vault read; the provider then signs in as the AAD app with that certificate.
private async Task<AzureCredentials> GetAuthCredsFromKeyVault()
{
    // App settings on the Function App; AuthSecretName is the Key Vault certificate name (the private key is exposed as a secret of the same name)
    string authVaultName = Environment.GetEnvironmentVariable("AuthVaultName");
    string authAppId = Environment.GetEnvironmentVariable("AuthAppId");
    string authSecretName = Environment.GetEnvironmentVariable("AuthSecretName");
    string connectionString =
        $"RunAs=App;AppId={authAppId};KeyVaultCertificateSecretIdentifier=https://{authVaultName}.vault.azure.net/secrets/{authSecretName}";

    var azureServiceTokenProvider = new AzureServiceTokenProvider(connectionString);
    string accessTokenARM = await azureServiceTokenProvider.GetAccessTokenAsync("https://management.azure.com");
    // graph.windows.net is the legacy Azure AD Graph resource expected by the Fluent SDK's graph credential
    string accessTokenGraph = await azureServiceTokenProvider.GetAccessTokenAsync("https://graph.windows.net");

    // Constants.TenantId is the author's own constant holding the directory (tenant) id
    return new AzureCredentials(new TokenCredentials(accessTokenARM), new TokenCredentials(accessTokenGraph), Constants.TenantId, AzureEnvironment.AzureGlobalCloud);
}
```
2 votes
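Steps 5 and 6 of the answer (enable the Function App's managed identity and grant it Get Secret permission on the vault) are described but not scripted. The following is an added example, not part of the original answer; it assumes the Az PowerShell modules, a Key Vault using the access-policy permission model (which is what the answer's script refers to), and placeholder names for the resource group, Function App and vault that you supply. It grants only secrets/get, which is all the AzureServiceTokenProvider flow in the answer needs, and then reads the policy back to confirm nothing broader was granted.

```powershell
# Added example (not from the original answer): assign the Function App's system-assigned managed
# identity and give it the minimum Key Vault permission the answer's flow needs (Get on secrets).
# Resource group, Function App and vault names are placeholders supplied by the caller.
#Requires -Modules Az.Accounts, Az.Websites, Az.KeyVault

[CmdletBinding()]
param(
  [Parameter(Mandatory = $true)] [string]$ResourceGroupName,
  [Parameter(Mandatory = $true)] [string]$FunctionAppName,
  [Parameter(Mandatory = $true)] [string]$KeyVaultName
)

# Step 5: enable the system-assigned managed identity. Function Apps are App Service resources,
# so the Az.Websites cmdlets apply; the call is idempotent if the identity already exists.
$app = Set-AzWebApp -ResourceGroupName $ResourceGroupName -Name $FunctionAppName -AssignIdentity $true
$principalId = $app.Identity.PrincipalId
if ([string]::IsNullOrEmpty($principalId)) {
    Write-Error "Managed identity was not assigned to $FunctionAppName"
    exit 1
}
Write-Output "Function App managed identity object id: $principalId"

# Step 6: grant only 'get' on secrets. The function reads the certificate's private key (stored as a
# secret under the certificate name) and nothing else, so list/set/delete and all key and
# certificate permissions stay ungranted.
Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName `
                           -ObjectId $principalId `
                           -PermissionsToSecrets get

# Verify: read back the access policy entry for this principal and confirm it is secrets/get only.
$vault = Get-AzKeyVault -VaultName $KeyVaultName
$entry = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $principalId }
if ($null -eq $entry) {
    Write-Error "No access policy entry found for $principalId in $KeyVaultName"
    exit 1
}
$extraSecretPerms = @($entry.PermissionsToSecrets | Where-Object { $_ -ne 'get' })
if ($extraSecretPerms.Count -gt 0 -or $entry.PermissionsToKeys -or $entry.PermissionsToCertificates) {
    Write-Warning "Policy for $principalId grants more than secrets/get:`n$($entry | Out-String)"
} else {
    Write-Output "Access policy verified: secrets/get only for $FunctionAppName"
}
```

The AuthSecretName app setting in the answer's function code must match the certificate name the script chose (SPCert-<app display name>), because Key Vault exposes a certificate's private key at the secrets endpoint under that same name. If the vault instead uses Azure RBAC for data-plane authorization, the equivalent of this policy is assigning the managed identity the Key Vault Secrets User role scoped to the vault (or to that single secret).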
Original page content provided by Stack Overflow; translation by Tencent Cloud's IT-domain engine.
Original link:

https://stackoverflow.com/questions/60441870
