
403 when calling durable function status query via Azure API Management Service

Question


I have an Azure Durable Functions Orchestration function configured and running in Azure.

I also have an Azure API Management Service configured to expose the orchestration function.

I can successfully call the orchestration function via the Azure API Management Service and get the 202 accepted and the Location header with the status query GET URL to poll until the orchestration function completes/fails etc.

If I call the relevant status query GET URL directly to the azure function: e.g.
https://some-ulr-to-the-function-app.azurewebsites.net/runtime/webhooks/durabletask/instances/cc970c6e2cb2426f99629c17cdd12345?code=q4NnjCbKTdBdH6712345dm4tnRRlYEAZ2tnZUliepmIKAzFuNUC0MQ==

I get a 200 response and the current status of the orchestration as expected.

If I try and expose this endpoint via the Azure API Management Service and attempt to get the status I get a 403 forbidden response. e.g.
https://some-ulr-to-apim-service.azure-api.net/runtime/webhooks/durabletask/instances/cc970c6e2cb2426f99629c17cdd12345?code=q4NnjCbKTdBdH6712345dm4tnRRlYEAZ2tnZUliepmIKAzFuNUC0MQ==

So can this, /runtime/webhooks/durabletask/instances/cc970c6e2cb2426f99629c17cdd12345?code=q4NnjCbKTdBdH6712345dm4tnRRlYEAZ2tnZUliepmIKAzFuNUC0MQ==, endpoint be exposed via the Azure API Management Service?
If so what should I look to be configuring to be able to expose this endpoint via the Azure API Management service?

I have tried giving direct access to the underlying storage account and tables where this instance data is held via the managed identity of the Azure API Management Service but am still getting the 403 Forbidden result.

In Application Insights I can see that the Azure API Management Service has passed on the request to the function app as expected but with the 403 result.

Any help would be much appreciated.

Answer 1

Score: 1


@in-pv and I discovered the solution to the issue.

Summary

If querying the durable function's statusQueryGetUri through Azure API Management Service, make sure that the backend referenced in that API request has no custom headers defined in its authorization credentials.

Details

When setting up an API Management Service backend for an Azure Function App, Azure will provision a header called x-functions-key into the backend's authorization credentials. This header is required when interacting with your function app through the API Management Service, and its value should be your function app key. If you exclude this header you will receive a 401 Unauthorized error when trying to call your Azure function through the API Management service.

If this header is included when you query a durable function's statusQueryGetUri, the durable function will return a 403 error. The header must be removed from the API Management Service backend authorization credentials for calls to the durable function status endpoint.
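
The rule in the answer above can be checked against an exported API Management configuration. This is an added example, not code from the original answer or from Azure tooling: it assumes backends in the ARM resource shape (`properties.credentials.header`), and the backend names, operation names, the operation-to-backend mapping and the `{{...}}` named value are constructed.

```python
import json

DURABLE_PREFIX = "/runtime/webhooks/durabletask/"

# Constructed sample: two backends plus a simplified operation -> backend mapping
# (in a real service the mapping comes from each operation's set-backend-service policy).
SAMPLE = json.loads("""
{
  "backends": [
    {"name": "orders-func",
     "properties": {"url": "https://example-func.azurewebsites.net/api",
                    "credentials": {"header": {"x-functions-key": ["{{constructed-function-key}}"]}}}},
    {"name": "orders-func-status",
     "properties": {"url": "https://example-func.azurewebsites.net"}}
  ],
  "operations": [
    {"name": "start-orchestration", "backend": "orders-func",
     "urlTemplate": "/orchestrators/start"},
    {"name": "get-status", "backend": "orders-func",
     "urlTemplate": "/runtime/webhooks/durabletask/instances/{instanceId}"},
    {"name": "get-status-clean", "backend": "orders-func-status",
     "urlTemplate": "/runtime/webhooks/durabletask/instances/{instanceId}"},
    {"name": "health", "backend": "orders-func-status",
     "urlTemplate": "/health"}
  ]
}
""")

def credential_headers(backend):
    """Lower-cased header names defined in a backend's authorization credentials."""
    creds = backend.get("properties", {}).get("credentials") or {}
    return {name.lower() for name in (creds.get("header") or {})}

def audit(config):
    """Flag operations whose backend credentials contradict the rule in the answer."""
    backends = {b["name"]: b for b in config["backends"]}
    findings = []
    for op in config["operations"]:
        headers = credential_headers(backends[op["backend"]])
        is_status = op["urlTemplate"].lower().startswith(DURABLE_PREFIX)
        if is_status and headers:
            # Status endpoint behind a backend that injects headers: expect 403.
            findings.append((op["name"], "403-risk", sorted(headers)))
        elif not is_status and "x-functions-key" not in headers:
            # Regular function call without the provisioned key header: expect 401.
            findings.append((op["name"], "401-risk", []))
    return findings

if __name__ == "__main__":
    for name, risk, headers in audit(SAMPLE):
        print(f"{name}: {risk} {headers}")
```
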

huangapple
  • Posted on June 19, 2023 08:50:30
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76503056.html