Problem Description
When calling a Function in an Azure Function App from ADF (Azure Data Factory), the call fails with "Failed to get MI access token":
There was an error while calling endpoint with error message - 'Failed to get MI access token. The error message is: Acquire MI token from AAD failed.
ErrorCode: invalid_resource,
Message: AADSTS500011: The resource principal named https://xxxxxxxxxx.chinacloudsites.cn was not found in the tenant named ***************.
This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant.
You might have sent your authentication request to the wrong tenant.
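The error screenshot is shown below:
So how can the "Acquire MI token from AAD failed" problem be resolved?
Answer
The main cause of the "Failed to get MI access token" error is that System Assigned Managed Identity was selected as the Authentication Method when configuring the Azure Function Linked Service.
- If the Function App does not have Authentication enabled, simply selecting the Anonymous access mode resolves the "Failed to get MI access token" problem.
- However, when the System Assigned Managed Identity authentication method is selected and nothing is entered in the Resource ID input box, ADF defaults to using the Function App's host URL as the resource principal name.
If some other value was entered, the error message contains the Resource ID value you entered instead, as shown in the figure below:
Therefore, the key to solving this problem is to configure the correct Resource ID in the ADF Linked Service (that is, the System Managed Identity App (Client) ID generated by the resource being accessed).
For the specific steps, see this article: https://www.cnblogs.com/lulight/articles/17195587.html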
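The rule above (an empty Resource ID makes the host URL show up as the resource principal name) can be checked mechanically against a captured error. This is an added example, not code from the original post; the function names, the sample host name and the all-zero tenant ID are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the shape of the error quoted above (host and tenant are placeholders).
SAMPLE_ERROR = (
    "Failed to get MI access token. The error message is: Acquire MI token from AAD failed.\n"
    "ErrorCode: invalid_resource,\n"
    "Message: AADSTS500011: The resource principal named https://example-func.chinacloudsites.cn "
    "was not found in the tenant named 00000000-0000-0000-0000-000000000000.\n"
)

_PRINCIPAL_RE = re.compile(
    r"AADSTS500011: The resource principal named (?P<resource>\S+) "
    r"was not found in the tenant named (?P<tenant>\S+?)\.(?:\s|$)"
)


def _normalize(value):
    """Lower-case scheme and host and drop a trailing slash so URL spellings compare equal."""
    parts = urlsplit(value.strip())
    if parts.scheme and parts.netloc:
        return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path.rstrip('/')}"
    return value.strip().lower()


def diagnose_mi_error(error_text, function_app_url):
    """Classify an AADSTS500011 failure using the rule described in the text above."""
    m = _PRINCIPAL_RE.search(error_text)
    if m is None:
        return {"matched": False}
    requested = m.group("resource")
    # Empty Resource ID -> the Function App host URL is sent as the resource principal name.
    empty = _normalize(requested) == _normalize(function_app_url)
    return {
        "matched": True,
        "requested_resource": requested,
        "tenant": m.group("tenant"),
        "resource_id_was_empty": empty,
        "action": "set Resource ID in the Linked Service" if empty
                  else "correct the Resource ID value entered in the Linked Service",
    }


if __name__ == "__main__":
    print(diagnose_mi_error(SAMPLE_ERROR, "https://example-func.chinacloudsites.cn/"))
```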
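When facing problems in a complex environment, the way to investigate is this: let muddy water settle and it slowly clears; let stillness stir and life slowly returns. In the cloud, it is exactly so!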