I have an Azure Function App, an Azure App Service, and an Azure Storage Account. The Function uses HttpClient to make a GET request to one of the ASP.NET MVC actions on the Azure App Service. In both the App Service and Function App, I have gone to the Identity blade in Azure Portal and enabled a system identity. I am unclear about what additional configuration I need to perform to allow the Function App to be authorized to call an action hosted in the ASP.NET MVC app hosted on the App Service.
In the ASP.NET Core 3.1 App, I have a pretty typical Startup.cs Configure method:
```csharp
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
// Authentication must run before authorization so [Authorize] sees the principal.
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    endpoints.MapControllerRoute(
        name: "default",
        pattern: "{controller=Home}/{action=Index}/{id?}");
});
```
Here is the controller action signature that I want the Function App to make the GET Request to (it generates a PDF):
```csharp
[Authorize]
[Route("/GenerateFile")]
public async Task<IActionResult> GenerateFile(string id, double customerId, string version)
```
Then in the Azure Function App (version 3 function app) this is where I am trying to make the HTTP GET Request.
```csharp
try
{
    // Ask the Function's managed identity for a token scoped to the target resource.
    var azureServiceTokenProvider = new AzureServiceTokenProvider();
    string accessToken = await azureServiceTokenProvider.GetAccessTokenAsync(reportReviewURL);
    _http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
    // Generates the Final PDF file that is then saved to Azure Storage in the orders container. This is what is served to the customer.
    var response = await _http.GetAsync(reportReviewURL + "GenerateFile?version=Final&customerId=" + reportOrder.CustomerId + "&id=" + id);
    response.EnsureSuccessStatusCode();
}
catch (HttpRequestException ex)
{
    log.LogInformation("HttpRequestException thrown: " + ex.Message);
}
```
The error message I am receiving is:
```
Parameters: Connection String: [No connection string specified], Resource: https://MYCUSTOMURL, Authority: . Exception Message: Tried to get token using Managed Service Identity. Access token could not be acquired. Failed after 5 retries. MSI ResponseCode: InternalServerError, Response: {"exceptionMessage":"AADSTS500011: The resource principal named https://MYCUSTOMURL was not found in the tenant named MYAZURETENANT. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.\r\nTrace ID: 4f401265-9163-45de-bce9-4744ce633d00\r\nCorrelation ID: 3e312f90-3ea6-45a4-87d4-36416d1b19f0\r\nTimestamp: 2020-10-12 14:26:00Z","errorCode":"invalid_resource","serviceErrorCodes":["500011"],"statusCode":400,"message":null,"correlationId":"e5f8c439-97a6-462f-a3b9-32b167b9057a"}
```
I've of course replaced my app's custom domain and our tenant ID for privacy.
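As an added illustration (not code from the question), here is the contract the two sides have to agree on for a managed-identity call like this: the Function requests a token for a resource identifier that Azure AD knows, and the App Service validates that incoming bearer tokens were issued by the expected tenant and carry that same identifier as their audience. The Application ID URI `api://<app-registration-client-id>` and `<tenant-id>` are placeholders; the example assumes an app registration exists for the App Service, which the question does not show.

```csharp
// Added example, not from the question. Assumes an Azure AD app registration for the
// App Service whose Application ID URI is the placeholder Resource below.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.DependencyInjection;

public static class ProtectedApiContract
{
    // Placeholders: the App Service's Application ID URI and the tenant that issues tokens.
    public const string Resource = "api://<app-registration-client-id>";
    public const string TenantId = "<tenant-id>";

    // App Service side (Startup.ConfigureServices): accept only tokens issued by this
    // tenant and addressed to this API. v1 tokens carry the App ID URI as "aud",
    // v2 tokens carry the bare client ID, so both forms are listed.
    public static void AddApiAuthentication(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = $"https://login.microsoftonline.com/{TenantId}/v2.0";
                options.TokenValidationParameters.ValidAudiences =
                    new[] { Resource, Resource.Substring("api://".Length) };
            });
    }

    // Function side: request the token for the registered resource identifier rather
    // than for the site's hostname, then attach it per request instead of mutating
    // the shared HttpClient's default headers.
    public static async Task<HttpResponseMessage> CallGenerateFileAsync(
        HttpClient http, string baseUrl, string id, double customerId)
    {
        var provider = new AzureServiceTokenProvider();
        string token = await provider.GetAccessTokenAsync(Resource);
        using var request = new HttpRequestMessage(HttpMethod.Get,
            $"{baseUrl}GenerateFile?version=Final&customerId={customerId}&id={Uri.EscapeDataString(id)}");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        return await http.SendAsync(request);
    }
}
```

Audience and issuer validation alone do not limit which identities in the tenant may obtain a token for this resource; to restrict callers to the Function's identity, require assignment on the enterprise application or check the caller's `appid`/`azp` claim in an authorization policy.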