Logic App managed identity deployed via a DevOps Bicep template gets an error when sending to a Service Bus topic

Question  Votes: 0  Answers: 2

I am creating a Logic App with a managed identity to send messages to Service Bus, using Bicep.

My main.bicep runs four modules in order (using dependsOn) to do the following:

  • Set up the Service Bus namespace with a system-assigned identity and create the target topic.
  • Create the API connection to the namespace endpoint.
  • Create the Logic App with a system-assigned identity and reference the Service Bus API connection, specifying managed identity as the authentication.
  • Assign the Service Bus Data Sender RBAC role on the topic.

When I look at the deployment in the portal, everything appears correct. However, I get a 401 error when I try to send a message to the topic from the Logic App I have granted access to.

"status": 401, "message": "40100: Unauthorized: Unauthorized access for 'Send' operation on endpoint 'sb://[sb-name-redacted].servicebus.windows.net/[topic-name-redacted]'"

Creating the API connection manually in the Logic App designer after the deployment results in messages being delivered successfully, so I am clearly doing something wrong.

I can't work out where the problem is, and it is driving me mad.

Below is the code for the modules being run. Can anyone help??

Service Bus module

//service bus
resource resource_servicebus 'Microsoft.ServiceBus/namespaces@2022-01-01-preview' = {
  name: servicebus
  location: location
  sku: {
    [removed for brevity]
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    [removed for brevity]
  }
}


//topics
resource resource_topic_recurlywebhook 'Microsoft.ServiceBus/namespaces/topics@2022-01-01-preview' = {
  parent: resource_servicebus
  name: topic_[redacted]
  location: location
  properties: {
    [removed for brevity]
  }
}

API connection module

resource resource_connections_servicebus 'Microsoft.Web/connections@2018-07-01-preview' = {
  name: connections_servicebus
  location: location
  kind: 'V1'
  properties: {
    api: {
      id: connections_id_servicebus
    }
    displayName: connections_servicebus
    parameterValueSet: {
      name: 'managedIdentityAuth'
      values: {
        namespaceEndpoint:{
          value: 'sb://${servicebus}.servicebus.windows.net'
        }
      }
    }
  }
}

Logic App module


//api connections

resource resource_connections_servicebus 'Microsoft.Web/connections@2018-07-01-preview' existing = {
  name: connections_servicebus
}


//logic apps
resource resource_lapp_ae_[redacted] 'Microsoft.Logic/workflows@2019-05-01' = {
  name: lapp_ae_[redacted]
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    state: 'Enabled'
    definition: {
      '$schema': 'https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#'
      contentVersion: '1.0.0.0'
      parameters: {
        '$connections': {
          defaultValue: {
          }
          type: 'Object'
        }
      }
      triggers: [removed for brevity]
      actions: {
        Response_200: [removed for brevity]
        Response_500: [removed for brevity]
        Send_message_to_[redacted]_topic: {
          runAfter: {
          }
          type: 'ApiConnection'
          inputs: {
            body: {
              ContentData: '@{base64(triggerBody())}'
              CorrelationId: '@{guid()}'
              Properties: '@triggerBody()'
            }
            host: {
              connection: {
                name: '@parameters(\'$connections\')[\'servicebus\'][\'connectionId\']'
              }
            }
            method: 'post'
            path: '/@{encodeURIComponent(encodeURIComponent(\'[redacted]\'))}/messages'
          }
        }
      }
      outputs: {
      }
    }
    parameters: {
      '$connections': {
        value: {
          servicebus: {
            connectionId: resource_connections_servicebus.id
            connectionName: resource_connections_servicebus.name
            connectionProperties: {
              authentication: {
                type: 'ManagedServiceIdentity'
              }
            }
            id: connections_id_servicebus
          }
        }
      }
    }
  }
}

///////////////////////////////// outputs ///////////////////////////////////////////////

output principalid_lapp_ae_rc_to_sb_connector string = resource_lapp_ae_rc_to_sb_connector.identity.principalId

Service Bus role assignment module

//define roles to assign
var rbac_service_bus_data_sender = '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39'


//define apps to send to topics
param topic_[redacted]_access_list array = [
  principalid_lapp_ae_[redacted]
]

//////////////////////////// call resources to grant access to ////////////////////////////////

resource resource_servicebus 'Microsoft.ServiceBus/namespaces@2022-01-01-preview' existing = {
   name: servicebus
}



resource resource_topic_[redacted] 'Microsoft.ServiceBus/namespaces/topics@2022-01-01-preview' existing = {
  parent: resource_servicebus
  name: topic_[redacted]
}


//////////////////////////// make role assignments ////////////////////////////////

resource resource_topic_[redacted]_access_list 'Microsoft.Authorization/roleAssignments@2022-04-01'  = [for principalID in topic_[redacted]_access_list: {
  scope: resource_topic_[redacted]
  name: guid(resource_topic_[redacted].id, principalID, rbac_service_bus_data_sender)
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', rbac_service_bus_data_sender)
    principalId: principalID
    principalType: 'ServicePrincipal'
  }
}]

azure azure-logic-apps azureservicebus azure-managed-identity azure-bicep
2 Answers

0 votes

I have been informed that managed identity authentication currently does not work with Logic Apps (Consumption), which is what I have configured. It does work with Logic Apps (Standard), however.


0 votes

You can use a managed identity with the Service Bus connector, as described in the documentation.

Here I am deploying:

  • a Service Bus namespace, a topic and a subscription
  • a user-assigned identity with the Azure Service Bus Data Sender role at the Service Bus level
  • a Service Bus connector for the Logic App
  • a simple Logic App

I have a module for the Service Bus role assignment:

// servicebus-role-assignment.bicep

param serviceBusName string
param principalId string
param principalType string = 'ServicePrincipal'
param roleId string

resource serviceBus 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = {
  name: serviceBusName
}

resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(serviceBus.id, roleId, principalId)
  scope: serviceBus
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleId)
    principalId: principalId
    principalType: principalType
  }
}

And a main deployment file (with some default values added for simplicity):

// main.bicep

param location string = resourceGroup().location
param servicebusName string = 'logicappthomastestsb'
param servicebusconnectorName string = 'servicebus-connector'
param topicName string = 'thomastest-topic'
param topicsubName string = 'thomastest-subscription'
param identityName string = 'logicapp-thomastest-mi'
param logicAppName string = 'logicapp-thomastest'

// Create service bus
resource serviceBus 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = {
  name: servicebusName
  location: location
  tags: resourceGroup().tags
  properties: {
    zoneRedundant: false
    minimumTlsVersion: '1.2'
    disableLocalAuth: true
    publicNetworkAccess: 'Enabled'
  }
  sku: {
    name: 'Standard'
    tier: 'Standard'
  }
}

// Create topic
resource topic 'Microsoft.ServiceBus/namespaces/topics@2022-10-01-preview' = {
  parent: serviceBus
  name: topicName
}

// Create subscription
resource subscription 'Microsoft.ServiceBus/namespaces/topics/subscriptions@2022-10-01-preview' = {
  parent: topic
  name: topicsubName
}

// Create managed identity
resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityName
  location: location
}

// Assign role to managed identity
module roleAssignment 'servicebus-role-assignment.bicep' = {
  name: 'servicebus-logicapp-rbac'
  scope: resourceGroup()
  params: {
    serviceBusName: serviceBus.name
    principalId: identity.properties.principalId
    roleId: '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39' // Azure Service Bus Data Sender
  }
}

// Create servicebus connection api
resource connectionApi 'Microsoft.Web/connections@2016-06-01' = {
  name: servicebusconnectorName
  location: location
  kind: 'V1'
  properties: {
    api: {
      id: subscriptionResourceId('Microsoft.Web/locations/managedApis', location, 'servicebus')
    }
    parameterValueSet: {
      name: 'managedIdentityAuth'
      values: {
        namespaceEndpoint: {
          value: 'sb://${serviceBus.name}.servicebus.windows.net/'
        }
      }
    }
  }
}

resource logicApp 'Microsoft.Logic/workflows@2019-05-01' = {
  name: logicAppName
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${identity.id}': {}
    }
  }
  properties: {
    state: 'Enabled'
    definition: {
      '$schema': 'https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#'
      contentVersion: '1.0.0.0'
      parameters: {
        '$connections': {
          defaultValue: {}
          type: 'Object'
        }
        topicName: {
          defaultValue: ''
          type: 'String'
        }
      }
      triggers: {
        When_a_HTTP_request_is_received: {
          inputs: {}
          kind: 'Http'
          type: 'Request'
        }
      }
      actions: {
        Send_message: {
          inputs: {
            body: {
              ContentData: '@{base64(\'Hello from logic app\')}'
            }
            host: {
              connection: {
                name: '@parameters(\'$connections\')[\'servicebus\'][\'connectionId\']'
              }
            }
            method: 'post'
            path: '/@{encodeURIComponent(encodeURIComponent(parameters(\'topicName\')))}/messages'
          }
          runAfter: {}
          type: 'ApiConnection'
        }
      }
      outputs: {}
    }
    parameters: {
      '$connections': {
        value: {
          servicebus: {
            connectionId: connectionApi.id
            connectionName: connectionApi.name
            connectionProperties: {
              authentication: {
                type: 'ManagedServiceIdentity'
                identity: identity.id
              }
            }
            id: connectionApi.properties.api.id
          }
        }
      }
      topicName: {
        value: topic.name
      }
    }
  }
}

I deploy it using the Az CLI:

az deployment group create --resource-group <resource-group-name> --template-file ./main.bicep

After the deployment completes:

I am able to trigger the Logic App successfully:

Run details:

© www.soinside.com 2019 - 2024. All rights reserved.