0

我可以通过使用来自存储帐户的访问密钥的连接字符串并将其放入功能应用程序设置来运行功能应用程序

功能应用设置

但是,如果我从存储帐户中的共享访问签名菜单生成 SAS 和连接字符串,并在我的函数应用设置中使用该连接字符串,我将无法运行函数。

这是我的 SAS 连接字符串:BlobEndpoint= https://StorageAccountName.blob.core.windows.net/;QueueEndpoint=https://StorageAccountName.queue.core.windows.net/;FileEndpoint=https://StorageAccountName.file .core.windows.net/;TableEndpoint=https://StorageAccountName.table.core.windows.net/;SharedAccessSignature=sv=2019-10-10&ss=bfqt&srt=sco&sp=rwdlacupx&se=2020-06-10T11:28:43Z&st =2020-06-10T03:28:43Z&spr=https,http&sig= {签名}

函数 Json

{
  "generatedBy": "Microsoft.NET.Sdk.Functions-3.0.1",
  "configurationSource": "attributes",
  "bindings": [
    {
      "type": "blobTrigger",
      "connection": "StorageAccountName",
      "path": "containerName/{name}",
      "name": "myBlob"
    }
  ],
  "disabled": false,
  "scriptFile": "../bin/FunctionDemoBlobTrigger.dll",
  "entryPoint": "BlobTriggerFunctionName.BlobTrigger.Run"
}

点击函数 URL 会出现“函数主机未运行”错误。

在测试模式下运行函数应用程序会出现“状态:500 内部服务器错误”错误。

更新 对连接字符串的 SharedAccessSignature 部分进行编码后,出现错误 在此处输入图像描述

4

2 回答 2

0

If you are specifying a SAS in a connection string in a configuration file, you may need to encode special characters in the URL via Html Encode.

<add name="AzureWebJobsStorage" connectionString="BlobEndpoint=https://xxx.blob.core.windows.net/;QueueEndpoint=https://brucechen01.queue.core.windows.net/;SharedAccessSignature=sv=2020-06-10&amp;ss=bq&amp;srt=sco&amp;sp=rwdlacup&amp;se=2020-06-30T18:39:25Z&amp;st=2020-06-25T10:39:25Z&amp;spr=https&amp;sig={signature}" />
于 2020-06-10T07:09:35.593 回答
0

I don't think it was supported to use the SAS connection string in AzureWebJobsStorage.

From the doc, here and here, always use the storage account key in AzureWebJobsStorage.

And if you try to create a new blob trigger in the portal, you will find only the app setting which meets the format as DefaultEndpointsProtocol=https;AccountName=[name];AccountKey=[key] will be found, any other value will appear unavailable. For the exisitng one, if you change the app setting, you will get the 500 error.

在此处输入图像描述

So if in your case, you don't want to use the accout key because of the security issue, there is a good workaround is to use the Azure keyvault.

将帐户密钥作为机密存储在keyvault中,启用函数应用的系统分配身份(目前不支持用户分配的身份,函数应用可以同时拥有两者),将其添加到访问策略的密钥库,然后指定应用程序设置,如@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931).

配置完成后,如下图。

在此处输入图像描述

有关更多详细信息,请参阅参考 -为应用服务和 Azure Functions 使用 Key Vault 参考

于 2020-06-11T05:45:04.943 回答