API connections using managed identity via Bicep (keyvault, servicebus and blob)

Question (votes: 0, answers: 2)

Hi, I am trying to create API connections for Key Vault, Service Bus and a Storage Account using Bicep. Unfortunately I cannot find any clear documentation from Microsoft on this.

I created the API connections (Azure Key Vault, Service Bus and Storage Account) with the code below. The deployment succeeds, but the connections end up in an error state.

    // Declared here so the snippet compiles stand-alone
    param Location string = resourceGroup().location

    resource ServicebusApiCon 'Microsoft.Web/connections@2016-06-01' = {
      name: 'servicebus'
      location: Location
      kind: 'V2'
      properties: {
        displayName: 'servicebus'
        api: {
          name: 'servicebus'
          description: 'Connect to Azure Service Bus to send and receive messages'
          id: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Web/locations/${Location}/managedApis/servicebus'
          type: 'Microsoft.Web/locations/managedApis'
        }
      }
    }

    resource keyvaultApiCon 'Microsoft.Web/connections@2016-06-01' = {
      name: 'keyvault'
      location: Location
      kind: 'V2'
      properties: {
        displayName: 'keyvault'
        api: {
          id: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Web/locations/${Location}/managedApis/keyvault'
          displayName: 'Azure key vault'
          type: 'Microsoft.Web/locations/managedApis'
        }
      }
    }

    resource blobApiConnection 'Microsoft.Web/connections@2016-06-01' = {
      name: 'azureblob'
      location: Location
      kind: 'V2'
      properties: {
        displayName: 'azureblob'
        api: {
          name: 'azureblob'
          displayName: 'Azure Blob storage'
          id: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Web/locations/${Location}/managedApis/azureblob'
        }
      }
    }

Could you advise me if I am doing something wrong or missing something?

azure azure-resource-manager azure-managed-identity azure-bicep azure-logic-app-standard
2 answers

3 votes

To be honest, these connection APIs are not documented at all... The best approach is to create them from the Azure portal with the browser's network tab open, so you can see the requests that get sent:

From there I was able to create the connections for:

  • Key Vault:

    param logicAppName string
    
    param location string = resourceGroup().location
    param keyVaultName string
    param name string = 'keyvault'
    
    // Get a reference to the existing logic app
    resource logicApp 'Microsoft.Web/sites@2021-03-01' existing = {
      name: logicAppName
    }
    
    resource keyvaultConnector 'Microsoft.Web/connections@2018-07-01-preview' = {
      name: name
      location: location
      kind: 'V2'
      properties: {
        displayName: name
        parameterValueType: 'Alternative'
        alternativeParameterValues: {
          vaultName: keyVaultName
        }
        api: {
          id: subscriptionResourceId('Microsoft.Web/locations/managedApis', location, 'keyvault')
          type: 'Microsoft.Web/locations/managedApis'
        }
      }
    }
    
    // Grant permission to the logic app standard to access the connection api
    resource keyvaultConnectorAccessPolicy 'Microsoft.Web/connections/accessPolicies@2018-07-01-preview' = {
      name: logicAppName
      parent: keyvaultConnector
      location: location
      properties: {
        principal: {
          type: 'ActiveDirectory'
          identity: {
            tenantId: subscription().tenantId
            objectId: logicApp.identity.principalId
          }
        }
      }
    }
    
    output connectionRuntimeUrl string = keyvaultConnector.properties.connectionRuntimeUrl
    
  • Service Bus:

    param logicAppName string
    
    param location string = resourceGroup().location
    param servicebusName string
    param name string = 'servicebus'
    
    // Get a reference to the existing logic app
    resource logicApp 'Microsoft.Web/sites@2021-03-01' existing = {
      name: logicAppName
    }
    
    resource servicebusConnector 'Microsoft.Web/connections@2018-07-01-preview' = {
      name: name
      location: location
      kind: 'V2'
      properties: {
        api: {
          id: subscriptionResourceId('Microsoft.Web/locations/managedApis', location, 'servicebus')
        }
        displayName: name
        parameterValueSet: {
          name: 'managedIdentityAuth'
          values: {
            namespaceEndpoint: {
              value: 'sb://${servicebusName}.servicebus.windows.net/'
            }
          }
        }
      }
    }
    
    // Grant permission to the logic app standard to access the connection api
    resource servicebusConnectorAccessPolicy 'Microsoft.Web/connections/accessPolicies@2018-07-01-preview' = {
      name: logicAppName
      parent: servicebusConnector
      location: location
      properties: {
        principal: {
          type: 'ActiveDirectory'
          identity: {
            tenantId: subscription().tenantId
            objectId: logicApp.identity.principalId
          }
        }
      }
    }
    
    output connectionRuntimeUrl string = servicebusConnector.properties.connectionRuntimeUrl
    

You still need to grant the managed identity access to the Key Vault or the Service Bus.

You also need to update the connectionRuntimeUrl, so it is probably worth creating an app setting for it to make it easier to update:
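The two follow-ups in this answer (grant the identity data-plane rights, and surface `connectionRuntimeUrl` as an app setting) are left as prose above. The following is an added Bicep example, not code from the original answer, that wires them up. It assumes the Key Vault and Service Bus snippets above are saved as `keyvault-connection.bicep` and `servicebus-connection.bicep` next to this file (file names and module names are assumptions), that the Logic App Standard has a system-assigned identity, and that the vault uses the RBAC permission model. The app setting names `KEYVAULT_CONNECTION_RUNTIMEURL` and `SERVICEBUS_CONNECTION_RUNTIMEURL` are also assumptions.

```bicep
// Added example (not from the original answer): RBAC for the Logic App's
// managed identity plus app settings carrying the connection runtime URLs.
// Assumes the two connection snippets above are saved as
// keyvault-connection.bicep and servicebus-connection.bicep (assumed names).
param logicAppName string
param keyVaultName string
param servicebusName string
param location string = resourceGroup().location

// Built-in role definition IDs; these GUIDs are the same in every tenant.
// Least privilege: secrets read-only on the vault, send-only on the namespace.
// Add "Azure Service Bus Data Receiver" only if the workflow also consumes.
var keyVaultSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'
var serviceBusDataSenderRoleId = '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39'

resource logicApp 'Microsoft.Web/sites@2021-03-01' existing = {
  name: logicAppName
}

resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
  name: keyVaultName
}

resource serviceBus 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' existing = {
  name: servicebusName
}

// The connection resources + access policies from the answer above.
module kvConnection 'keyvault-connection.bicep' = {
  name: 'kvConnection'
  params: {
    logicAppName: logicAppName
    keyVaultName: keyVaultName
    location: location
  }
}

module sbConnection 'servicebus-connection.bicep' = {
  name: 'sbConnection'
  params: {
    logicAppName: logicAppName
    servicebusName: servicebusName
    location: location
  }
}

// Data-plane access for the identity, scoped to the single resource
// (not the resource group) so the workflow cannot reach other vaults/namespaces.
resource kvRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(keyVault.id, logicApp.id, keyVaultSecretsUserRoleId)
  scope: keyVault
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)
    principalId: logicApp.identity.principalId
    principalType: 'ServicePrincipal'
  }
}

resource sbRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(serviceBus.id, logicApp.id, serviceBusDataSenderRoleId)
  scope: serviceBus
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', serviceBusDataSenderRoleId)
    principalId: logicApp.identity.principalId
    principalType: 'ServicePrincipal'
  }
}

// Publish the runtime URLs as app settings. The config resource replaces the
// whole appsettings collection, so merge with the current settings via list()
// instead of wiping AzureWebJobsStorage and friends.
resource appSettings 'Microsoft.Web/sites/config@2021-03-01' = {
  name: 'appsettings'
  parent: logicApp
  properties: union(
    list(resourceId('Microsoft.Web/sites/config', logicAppName, 'appsettings'), '2021-03-01').properties,
    {
      KEYVAULT_CONNECTION_RUNTIMEURL: kvConnection.outputs.connectionRuntimeUrl
      SERVICEBUS_CONNECTION_RUNTIMEURL: sbConnection.outputs.connectionRuntimeUrl
    }
  )
}
```

In the Logic App's `connections.json` the managed API connection then refers to the setting rather than a literal URL, for example `"connectionRuntimeUrl": "@appsetting('KEYVAULT_CONNECTION_RUNTIMEURL')"` together with `"authentication": { "type": "ManagedServiceIdentity" }`, so the same workflow package deploys unchanged across environments. If the vault still uses access policies instead of RBAC, the Key Vault role assignment has no effect and a `Microsoft.KeyVault/vaults/accessPolicies` entry for the identity (get/list on secrets) is needed instead.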


0 votes

I followed the instructions above for the Service Bus managed connector. But I still have to authorize it manually from the designer. Not sure what I am missing.

© www.soinside.com 2019 - 2024. All rights reserved.