Problem description
When creating a new Event Grid connection from a Logic App, you can choose from the following 3 connection authentication methods:
- Sign in
- Service principal
- Managed identity
#1 Sign in requires the user to sign in/authenticate interactively.
#2 Service principal requires providing Tenant, Client ID and Client Secret values.
It is clear how the ARM template for such an API connection needs to be modified: parameterValues need to be added as follows.
"parameterValues": {
    "token:clientId": "[parameters('ConnectionClientId')]",
    "token:clientSecret": "[parameters('ConnectionClientSecret')]",
    "token:TenantId": "[parameters('ConnectionTenantId')]",
    "token:resourceUri": "https://management.core.windows.net/",
    "token:grantType": "client_credentials"
}
#3 Managed identity only requires selecting the managed identity. While it is clear how to create such an API connection interactively, I could not find any information about the ARM template format for this authentication method.
So the question is: what should the ARM template for an Event Grid connection with managed identity look like, so that the created API connection looks like the following:
Solution
The current answer seems to be, since this is still in preview (afaik):
To create a managed identity API connection with an ARM template, you need to include "parameterValueType": "Alternative"
"properties": {
    "displayName": "ARM API connection",
    "customParameterValues": {},
    "parameterValueType": "Alternative",
    "api": {
        "id": "[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',resourceGroup().location,'/managedApis/arm')]"
    }
}
I have not found any documentation for this property. The only way I found it was by looking at the raw JSON (JSON view) of an API connection I had created using the portal.
If you want to create an Event Grid API connection with managed identity, refer to the following steps
- Enable the system-assigned identity in the Azure Logic App
{
    "apiVersion": "2016-06-01",
    "type": "Microsoft.logic/workflows",
    "name": "[variables('logicappName')]",
    "location": "[resourceGroup().location]",
    "identity": {
        "type": "SystemAssigned"
    },
    "properties": {
        "definition": {
            "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
            "actions": {},
            "parameters": {},
            "triggers": {},
            "contentVersion": "1.0.0.0",
            "outputs": {}
        }
    },
    "dependsOn": []
}
- Grant the identity access to the resource
{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "resources": [
        {
            "type": "Microsoft.Authorization/roleAssignments",
            "apiVersion": "2018-09-01-preview",
            "name": "[guid(resourceGroup().id)]",
            "properties": {
                "roleDefinitionId": "[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Authorization/roleDefinitions/','b24988ac-6180-42a0-ab88-20f7382dd24c')]",
                "principalId": "[reference(resourceId('Microsoft.Logic/workflows','<logic app name>'),'2016-06-01','Full').identity.principalId]"
            }
        }
    ]
}
- Create the connection
{
    "type": "Microsoft.Web/connections",
    "apiVersion": "2016-06-01",
    "name": "",
    "location": "",
    "kind": "V1",
    "properties": {
        "displayName": "test",
        "api": {
            "id": "/subscriptions/<>/providers/Microsoft.Web/locations/<>/managedApis/azureeventgrid"
        }
    }
}
- Create the trigger
{
    "definition": {
        "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json",
        "outputs": {},
        "parameters": {
            "$connections": {
                "defaultValue": {},
                "type": "Object"
            }
        },
        "triggers": {
            "When_a_resource_event_occurs": {
                "inputs": {
                    "body": {
                        "properties": {
                            "destination": {
                                "endpointType": "webhook",
                                "properties": {
                                    "endpointUrl": "@{listCallbackUrl()}"
                                }
                            },
                            "topic": ""
                        }
                    },
                    "host": {
                        "connection": {
                            "name": "@parameters('$connections')['azureeventgrid']['connectionId']"
                        }
                    },
                    "path": "/subscriptions/{Azure-subscription-ID}/providers/{}/resource/eventSubscriptions",
                    "queries": {
                        "x-ms-api-version": "2017-09-15-preview"
                    }
                },
                "splitOn": "@triggerBody()",
                "type": "ApiConnectionWebhook"
            }
        }
    },
    "parameters": {
        "$connections": {
            "value": {
                "azureeventgrid": {
                    "connectionId": "/subscriptions/{Azure-subscription-ID}/resourceGroups/{resourcegroup}/providers/Microsoft.Web/connections/{connection-name}",
                    "connectionName": "{connection-name}",
                    "connectionProperties": {
                        "authentication": {
                            "type": "ManagedServiceIdentity"
                        }
                    },
                    "id": "/subscriptions/{Azure-subscription-ID}/providers/Microsoft.Web/locations/{Azure-region}/managedApis/azureeventgrid"
                }
            }
        }
    }
}
For details, refer to
https://docs.microsoft.com/en-us/azure/logic-apps/create-managed-service-identity
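As an added example (not from the question or either answer), a small Python lint that checks a Microsoft.Web/connections resource and a workflow's $connections block for the managed-identity pattern the answers describe ("parameterValueType": "Alternative" and "type": "ManagedServiceIdentity") and flags the service-principal parameterValues from the question, whose token:clientSecret ends up as a deploy-time credential. The templates embedded in it are constructed samples trimmed to the relevant keys.

```python
# Keys the service-principal connection pattern from the question puts in
# parameterValues; a template carrying these passes a client secret instead
# of relying on the Logic App's managed identity.
SP_KEYS = {"token:clientId", "token:clientSecret", "token:TenantId"}


def check_connection(resource: dict) -> list:
    """Findings for one Microsoft.Web/connections resource (empty = OK)."""
    findings = []
    props = resource.get("properties", {})
    sp_keys = sorted(k for k in props.get("parameterValues", {}) if k in SP_KEYS)
    if sp_keys:
        findings.append("service-principal credentials in parameterValues: " + ", ".join(sp_keys))
    # The answers show this property as the marker of a managed-identity connection.
    if props.get("parameterValueType") != "Alternative":
        findings.append('parameterValueType is not "Alternative"')
    return findings


def check_workflow_connections(workflow: dict) -> list:
    """Names of $connections entries not authenticating with ManagedServiceIdentity."""
    conns = workflow.get("parameters", {}).get("$connections", {}).get("value", {})
    return sorted(
        name for name, conn in conns.items()
        if conn.get("connectionProperties", {}).get("authentication", {}).get("type")
        != "ManagedServiceIdentity"
    )


# Constructed samples: the two connection shapes from the question and the
# answers, plus a trimmed workflow parameters block in each style.
SP_CONNECTION = {"type": "Microsoft.Web/connections", "properties": {"parameterValues": {
    "token:clientId": "[parameters('ConnectionClientId')]",
    "token:clientSecret": "[parameters('ConnectionClientSecret')]",
    "token:TenantId": "[parameters('ConnectionTenantId')]",
    "token:grantType": "client_credentials"}}}
MSI_CONNECTION = {"type": "Microsoft.Web/connections", "properties": {
    "parameterValueType": "Alternative", "customParameterValues": {}}}
MSI_WORKFLOW = {"parameters": {"$connections": {"value": {"azureeventgrid": {
    "connectionProperties": {"authentication": {"type": "ManagedServiceIdentity"}}}}}}}
SP_WORKFLOW = {"parameters": {"$connections": {"value": {"azureeventgrid": {}}}}}

if __name__ == "__main__":
    for label, res in (("service principal", SP_CONNECTION), ("managed identity", MSI_CONNECTION)):
        print(label + ":", check_connection(res) or "OK")
    print("workflow:", check_workflow_connections(SP_WORKFLOW) or "OK")
```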