我有一个函数应用程序,其函数可将消息发送到事件网格。此同一函数应用程序中的函数订阅了此事件网格主题。尽管函数应用程序已为事件网格发送设置了基于角色的访问权限,但我仍获得未经授权的访问权限来发送消息。
我已将功能应用程序身份设置为系统分配开启:
我还在订阅级别将函数应用程序分配的角色设置为事件网格发送者(事件网格主题也位于其中):
分配的事件网格发送者角色在事件网格主题的 IAM 角色分配中确认:
当我执行函数应用程序将数据发送到事件网格时,出现未经授权的错误:
//Name of the endpoint of Event grid topic
string topicEndpoint = transformAlgoSendRMessage_TopicEP;
//Creating client to publish events to eventgrid topic
EventGridPublisherClient client = new EventGridPublisherClient(new Uri(topicEndpoint), new DefaultAzureCredential());
//Creating a sample event with Subject, Eventtype, dataVersion and data
EventGridEvent egEvent = new EventGridEvent("TransformTelemetry", "TransformAlgorithm.broadcastTransform", "1.0", machinePartTransformTelemetry);
// Send the event
try
{
await client.SendEventAsync(egEvent);
if (b_debug_contractor)
log.LogInformation("SendRTransformMessage sent transformdata - PosX:" + machinePartTransformTelemetry[1]);
}
catch (Exception e)
{
log.LogError("Failed to send SendRTransformMessage. " + e.Message);
}
未经授权的错误:
[2022-11-25T08:00:45.646Z] Failed to send SendRTransformMessage. The principal associated with access token presented with the incoming request does not have permission to send data to /subscriptions/MySubscriptionID/resourceGroups/myresourcegroup/providers/Microsoft.EventGrid/topics/functionappname. Report 'e9595a36-8420-4466-b91a-801fbfcf605d:4:11/25/2022 8:00:48 AM (UTC)' to our forums for assistance or raise a support ticket.
[2022-11-25T08:00:45.646Z] Status: 401 (The principal associated with access token presented with the incoming request does not have permission to send data to /subscriptions/mySubscriptionID/resourceGroups/myresourcegroup/providers/Microsoft.EventGrid/topics/myfunctionappname. Report 'e9595a36-8420-4466-b91a-801fbfcf605d:4:11/25/2022 8:00:48 AM (UTC)' to our forums for assistance or raise a support ticket.)
[2022-11-25T08:00:45.647Z] ErrorCode: Unauthorized
[2022-11-25T08:00:45.647Z]
[2022-11-25T08:00:45.647Z] Content:
[2022-11-25T08:00:45.648Z] {
[2022-11-25T08:00:45.648Z] "error": {
[2022-11-25T08:00:45.649Z] "code": "Unauthorized",
[2022-11-25T08:00:45.649Z] "message": "The principal associated with access token presented with the incoming request does not have permission to send data to /subscriptions/mySubscriptionID/resourceGroups/myresourcegroup/providers/Microsoft.EventGrid/topics/myfunctionappname. Report 'e9595a36-8420-4466-b91a-801fbfcf605d:4:11/25/2022 8:00:48 AM (UTC)' to our forums for assistance or raise a support ticket.",
[2022-11-25T08:00:45.650Z] "details": [{
[2022-11-25T08:00:45.650Z] "code": "Unauthorized",
[2022-11-25T08:00:45.650Z] "message": "The principal associated with access token presented with the incoming request does not have permission to send data to /subscriptions/mySubscriptionID/resourceGroups/myresourcegroup/providers/Microsoft.EventGrid/topics/myfunctionappname. Report 'e9595a36-8420-4466-b91a-801fbfcf605d:4:11/25/2022 8:00:48 AM (UTC)' to our forums for assistance or raise a support ticket."
我注意到我tried with key credentials but the Azure would not recognize the key。
最佳答案
我尝试在我的环境中重现相同的结果,并得到以下结果
我创建了一个功能应用并启用了系统分配的身份,如下所示:
将角色分配添加到事件网格,如下所示:转到 Azure 门户 -> 事件网格主题 -> 您的主题 -> 访问控制 (IAM)
如果您选择服务主体而不是“类型”为应用的托管身份,则可能会出现401 Unauthorized错误强>而不是函数应用,同时分配如下角色:
要解决错误,请确保选择托管身份作为 Function App,同时将角色分配给事件网格,如下所示:
选择审核+分配来分配角色,如下所示:
角色EventGrid Data Sender已成功分配给事件网格,如下所示:
这也会自动反射(reflect)在函数应用中,无需单独将此角色分配给函数应用身份。
要确认这一点,转到 Azure 门户 -> 您的函数应用 -> 身份 -> Azure 角色分配
现在重新启动函数应用并再次执行该函数。如果问题仍然仍然存在,请提出支持请求。
引用: Send Events To Event Grid Topic Using Managed Service Identity by Rittik Basu
关于azure - 使用事件网格发送的基于角色的访问从函数应用程序到事件网格发送未经授权的错误消息,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/74569974/