我正在用 Bicep 创建一个带有托管身份的逻辑应用（Logic App），用于向服务总线（Service Bus）发送消息。
我的 main.bicep 按顺序运行四个模块(使用 DependsOn)来执行以下操作。
当我在门户中查看部署时,一切看起来都正确。但是,我在尝试从我已授予访问权限的逻辑应用程序向该主题发送消息时遇到 401 错误。
"status": 401, "message": "40100: Unauthorized: Unauthorized access for 'Send' operation on endpoint 'sb://[sb-name-redacted].servicebus.windows.net/[topic-name-redacted]'"（40100：对该主题端点的 'Send' 操作未获授权）
通过逻辑应用设计器在部署后手动创建 API 连接会导致成功的消息传递,因此我显然做错了什么。
无法弄清楚问题出在哪里,这让我快疯了。
下面是正在运行的模块的代码。有人可以帮忙吗??
服务总线模块
//service bus
// Service Bus namespace that owns the topic declared below.
// The SystemAssigned identity here belongs to the *namespace* itself — a
// separate principal from the Logic App's identity declared further down — and
// plays no part in authorizing the Logic App to send.
resource resource_servicebus 'Microsoft.ServiceBus/namespaces@2022-01-01-preview' = {
  name: servicebus
  location: location
  sku: {
    [removed for brevity]
  }
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    // NOTE(review): properties are elided here; the working deployment further
    // down sets disableLocalAuth: true so SAS keys are rejected — confirm what
    // this namespace actually sets.
    [removed for brevity]
  }
}
//topics
// Topic the Logic App publishes to. The sender role is later assigned at this
// topic's scope (the narrowest possible scope for Azure Service Bus Data Sender).
// NOTE(review): the working deployment further down declares its topic without
// a location property — check whether this API version accepts it on a topic.
resource resource_topic_recurlywebhook 'Microsoft.ServiceBus/namespaces/topics@2022-01-01-preview' = {
  parent: resource_servicebus
  name: topic_[redacted]
  location: location
  properties: {
    [removed for brevity]
  }
}
API 连接模块
// API connection for the managed Service Bus connector.
// With the 'managedIdentityAuth' parameter set the connection stores only the
// namespace endpoint — no SAS key or connection string. Which identity signs
// requests is decided per workflow via $connections.connectionProperties.authentication.
resource resource_connections_servicebus 'Microsoft.Web/connections@2018-07-01-preview' = {
  name: connections_servicebus
  location: location
  kind: 'V1'
  properties: {
    displayName: connections_servicebus
    api: {
      id: connections_id_servicebus
    }
    parameterValueSet: {
      name: 'managedIdentityAuth'
      values: {
        // NOTE(review): no trailing slash here, whereas the working deployment
        // below uses 'sb://<ns>.servicebus.windows.net/' — worth checking whether
        // the connector is sensitive to it.
        namespaceEndpoint: {
          value: format('sb://{0}.servicebus.windows.net', servicebus)
        }
      }
    }
  }
}
逻辑应用模块
//api connections
// Existing API connection created by the API connection module; only its id and
// name are consumed by the workflow's $connections parameter below.
resource resource_connections_servicebus 'Microsoft.Web/connections@2018-07-01-preview' existing = {
  name: connections_servicebus
}
//logic apps
// Consumption Logic App (Microsoft.Logic/workflows) with a system-assigned identity.
// The identity's principalId only exists once this resource is deployed, so the
// role-assignment module that consumes it must run after this module.
// A 401 / 40100 from Service Bus on 'Send' (see the error in the question) means
// the namespace rejected the caller for that operation: either the presented
// token's principal had no Data Sender assignment at that scope yet, or the
// connector did not attach the managed identity at all — NOTE(review): confirm which.
resource resource_lapp_ae_[redacted] 'Microsoft.Logic/workflows@2019-05-01' = {
  name: lapp_ae_[redacted]
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    state: 'Enabled'
    definition: {
      '$schema': 'https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#'
      contentVersion: '1.0.0.0'
      parameters: {
        // Filled in at deployment time from the 'parameters' section below.
        '$connections': {
          defaultValue: {
          }
          type: 'Object'
        }
      }
      triggers: [removed for brevity]
      actions: {
        Response_200: [removed for brevity]
        Response_500: [removed for brevity]
        Send_message_to_[redacted]_topic: {
          runAfter: {
          }
          type: 'ApiConnection'
          inputs: {
            body: {
              // The whole inbound trigger body is forwarded as the message payload
              // and again as user properties. NOTE(review): that body comes from
              // whoever invokes the trigger and is not validated here — confirm
              // downstream consumers treat it as untrusted.
              ContentData: '@{base64(triggerBody())}'
              CorrelationId: '@{guid()}'
              Properties: '@triggerBody()'
            }
            host: {
              connection: {
                name: '@parameters(\'$connections\')[\'servicebus\'][\'connectionId\']'
              }
            }
            method: 'post'
            path: '/@{encodeURIComponent(encodeURIComponent(\'[redacted]\'))}/messages'
          }
        }
      }
      outputs: {
      }
    }
    parameters: {
      '$connections': {
        value: {
          servicebus: {
            connectionId: resource_connections_servicebus.id
            connectionName: resource_connections_servicebus.name
            connectionProperties: {
              // No 'identity' property: the connector uses the workflow's
              // system-assigned identity. The user-assigned variant further down
              // adds identity: <UAMI resource id> here.
              authentication: {
                type: 'ManagedServiceIdentity'
              }
            }
            id: connections_id_servicebus
          }
        }
      }
    }
  }
}
///////////////////////////////// outputs ///////////////////////////////////////////////
// Principal (object) id of the workflow's system-assigned identity, consumed by
// the role-assignment module. NOTE(review): the symbolic name referenced here
// (resource_lapp_ae_rc_to_sb_connector) differs from the resource declared above
// (resource_lapp_ae_[redacted]) — presumably a redaction artifact; they must match.
output principalid_lapp_ae_rc_to_sb_connector string = resource_lapp_ae_rc_to_sb_connector.identity.principalId
服务总线角色分配模块
//define roles to assign
// Built-in "Azure Service Bus Data Sender" role definition id (send-only data-plane right).
var rbac_service_bus_data_sender = '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39'
//define apps to send to topics
// Principal (object) ids allowed to send to the topic. The default is presumably
// the Logic App's system-assigned identity, taken from the Logic App module's output.
param topic_[redacted]_access_list array = [
  principalid_lapp_ae_[redacted]
]
//////////////////////////// call resources to grant access to ////////////////////////////////
// Look up the namespace and topic deployed by the Service Bus module so the
// topic can serve as the role-assignment scope.
resource resource_servicebus 'Microsoft.ServiceBus/namespaces@2022-01-01-preview' existing = {
  name: servicebus
}
resource resource_topic_[redacted] 'Microsoft.ServiceBus/namespaces/topics@2022-01-01-preview' existing = {
  parent: resource_servicebus
  name: topic_[redacted]
}
//////////////////////////// make role assignments ////////////////////////////////
// One Azure Service Bus Data Sender assignment per principal, scoped to the
// topic only (least privilege: the identity cannot send to other entities in
// the namespace). The assignment name is a stable GUID derived from
// (scope, principal, role), so re-deploying is idempotent instead of creating
// duplicate assignments.
resource resource_topic_[redacted]_access_list 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for senderPrincipalId in topic_[redacted]_access_list: {
  scope: resource_topic_[redacted]
  name: guid(resource_topic_[redacted].id, senderPrincipalId, rbac_service_bus_data_sender)
  properties: {
    // NOTE(review): an explicit principalType is what Azure recommends when the
    // principal was created in the same deployment (directory replication lag).
    principalType: 'ServicePrincipal'
    principalId: senderPrincipalId
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', rbac_service_bus_data_sender)
  }
}]
我已获悉，托管身份验证目前不适用于我所配置的逻辑应用（消耗）计划，但可以与逻辑应用（标准）一起使用。（注：下面的回答在 Microsoft.Logic/workflows 即消耗型工作流上，使用用户分配的托管身份完成了部署，建议对照官方文档核实这一说法。）
您可以按照文档所述为服务总线连接器使用托管身份。我在这里部署的是一个用户分配的托管身份，并为其授予 Azure Service Bus Data Sender 角色。我有一个用于服务总线角色分配的模块：
// servicebus-role-assignment.bicep
// Name of the existing Service Bus namespace that will be the assignment scope.
param serviceBusName string
// Object (principal) id of the identity being granted the role.
param principalId string
// ServicePrincipal is the correct type for a managed identity.
param principalType string = 'ServicePrincipal'
// Built-in role definition GUID supplied by the caller, e.g. Azure Service Bus
// Data Sender (69a216fc-b8fb-44d8-bc22-1f3c2cd27a39).
param roleId string
// Existing namespace (created by the caller) used as the assignment scope.
resource serviceBus 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = {
  name: serviceBusName
}
// Role assignment at *namespace* scope: the principal receives the role on
// every queue and topic in the namespace. For least privilege, scope the
// assignment to the single topic instead (the question's module does this
// with scope: <topic resource>).
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  scope: serviceBus
  // Deterministic name keeps the assignment idempotent across re-deployments.
  name: guid(serviceBus.id, roleId, principalId)
  properties: {
    principalType: principalType
    principalId: principalId
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleId)
  }
}
还有一个主部署文件(为了简单起见添加了一些默认值):
// main.bicep
// Region for every resource; defaults to the resource group's region.
param location string = resourceGroup().location
// Service Bus namespace name. It forms the public DNS name
// sb://<name>.servicebus.windows.net used by the connection below, so it must
// be globally unique; the test default will need changing.
param servicebusName string = 'logicappthomastestsb'
// Name of the Microsoft.Web/connections resource for the managed connector.
param servicebusconnectorName string = 'servicebus-connector'
// Topic the workflow publishes to.
param topicName string = 'thomastest-topic'
// Subscription created on that topic (no consumer is defined in this file).
param topicsubName string = 'thomastest-subscription'
// User-assigned managed identity attached to the workflow and granted the role.
param identityName string = 'logicapp-thomastest-mi'
// Consumption Logic App (Microsoft.Logic/workflows) name.
param logicAppName string = 'logicapp-thomastest'
// Create service bus
// Service Bus namespace (Standard tier).
// Security posture as declared here:
//   - disableLocalAuth: true  -> SAS keys / connection strings are rejected;
//     only Microsoft Entra identities holding an RBAC data-plane role can connect.
//   - minimumTlsVersion: '1.2'
//   - publicNetworkAccess: 'Enabled' -> the endpoint is reachable from the
//     internet (authentication is still required). NOTE(review): disabling it
//     would require private endpoints or allowing the managed connector's
//     outbound addresses — confirm before tightening.
resource serviceBus 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = {
  name: servicebusName
  location: location
  sku: {
    tier: 'Standard'
    name: 'Standard'
  }
  tags: resourceGroup().tags
  properties: {
    disableLocalAuth: true
    minimumTlsVersion: '1.2'
    publicNetworkAccess: 'Enabled'
    zoneRedundant: false
  }
}
// Create topic
// Topic the workflow sends to; its name is passed into the workflow as the
// topicName parameter.
resource topic 'Microsoft.ServiceBus/namespaces/topics@2022-10-01-preview' = {
  parent: serviceBus
  name: topicName
}
// Create subscription
// Subscription on the topic so published messages are retained for a consumer
// (none is defined in this file).
resource subscription 'Microsoft.ServiceBus/namespaces/topics/subscriptions@2022-10-01-preview' = {
  parent: topic
  name: topicsubName
}
// Create managed identity
// User-assigned managed identity. Unlike a system-assigned one, its principalId
// is available from this resource independently of the workflow, so the role
// assignment below does not have to wait for the Logic App to be created.
resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityName
  location: location
}
// Assign role to managed identity
// Grant the user-assigned identity Azure Service Bus Data Sender on the namespace
// (namespace-wide send; scope to the topic for least privilege).
// Reading identity.properties.principalId makes this module wait for the identity.
// NOTE(review): the only link to the namespace is serviceBus.name, a compile-time
// value — confirm Bicep still orders this module after the namespace deploys, or
// add an explicit dependsOn on serviceBus.
module roleAssignment 'servicebus-role-assignment.bicep' = {
  name: 'servicebus-logicapp-rbac'
  scope: resourceGroup()
  params: {
    serviceBusName: serviceBus.name
    principalId: identity.properties.principalId
    roleId: '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39' // Azure Service Bus Data Sender
  }
}
// Create servicebus connection api
// API connection for the managed (Consumption) Service Bus connector.
// With parameterValueSet 'managedIdentityAuth' the connection holds only the
// namespace endpoint — no SAS key or connection string is stored in it, which is
// what allows disableLocalAuth on the namespace. The identity that actually signs
// requests is chosen by the workflow in its $connections parameter.
resource connectionApi 'Microsoft.Web/connections@2016-06-01' = {
  name: servicebusconnectorName
  location: location
  kind: 'V1'
  properties: {
    parameterValueSet: {
      name: 'managedIdentityAuth'
      values: {
        namespaceEndpoint: {
          // Trailing slash kept exactly as in the working deployment.
          value: format('sb://{0}.servicebus.windows.net/', serviceBus.name)
        }
      }
    }
    // Managed API id of the built-in 'servicebus' connector for this region.
    api: {
      id: subscriptionResourceId('Microsoft.Web/locations/managedApis', location, 'servicebus')
    }
  }
}
// Consumption Logic App that publishes to the topic using the user-assigned
// identity declared above (no SAS key anywhere in the workflow).
resource logicApp 'Microsoft.Logic/workflows@2019-05-01' = {
  name: logicAppName
  location: location
  identity: {
    // Attach the UAMI; the key is the identity's resource id.
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${identity.id}': {}
    }
  }
  properties: {
    state: 'Enabled'
    definition: {
      '$schema': 'https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#'
      contentVersion: '1.0.0.0'
      parameters: {
        // Both are supplied from the 'parameters' section further down.
        '$connections': {
          defaultValue: {}
          type: 'Object'
        }
        topicName: {
          defaultValue: ''
          type: 'String'
        }
      }
      triggers: {
        // Request trigger with an empty schema: any payload is accepted.
        // NOTE(review): anyone holding the workflow's callback URL can fire this
        // trigger; nothing here restricts callers — consider tightening before
        // production use.
        When_a_HTTP_request_is_received: {
          inputs: {}
          kind: 'Http'
          type: 'Request'
        }
      }
      actions: {
        Send_message: {
          inputs: {
            body: {
              // Fixed test payload; the trigger body is not forwarded here.
              ContentData: '@{base64(\'Hello from logic app\')}'
            }
            host: {
              connection: {
                name: '@parameters(\'$connections\')[\'servicebus\'][\'connectionId\']'
              }
            }
            method: 'post'
            path: '/@{encodeURIComponent(encodeURIComponent(parameters(\'topicName\')))}/messages'
          }
          runAfter: {}
          type: 'ApiConnection'
        }
      }
      outputs: {}
    }
    parameters: {
      '$connections': {
        value: {
          servicebus: {
            connectionId: connectionApi.id
            connectionName: connectionApi.name
            connectionProperties: {
              // For a user-assigned identity the UAMI's resource id must be given
              // in 'identity'; a system-assigned identity omits it.
              authentication: {
                type: 'ManagedServiceIdentity'
                identity: identity.id
              }
            }
            id: connectionApi.properties.api.id
          }
        }
      }
      topicName: {
        value: topic.name
      }
    }
  }
}
我正在使用 Az CLI 进行部署:
# Deploy main.bicep into the resource group (short-flag form of the same command).
# Tip: add --what-if first to preview the identity and role-assignment changes
# before applying them.
az deployment group create -g <resource-group-name> -f ./main.bicep