
Secure access and data in Azure Logic Apps

To control access and protect data in Azure Logic Apps, you can set up security in these areas:

Access to request-based triggers

If your logic app uses a request-based trigger, which receives incoming calls or requests, such as the Request or Webhook trigger, you can limit access so that only authorized clients can call your logic app. All requests received by a logic app are encrypted and secured with Secure Sockets Layer (SSL) protocol.

Here are options that can help you secure access to this trigger type:

Generate shared access signatures (SAS)

Every request endpoint on a logic app has a Shared Access Signature (SAS) in the endpoint's URL, which follows this format:

https://<request-endpoint-URI>?sp=<permissions>&sv=<SAS-version>&sig=<signature>

Each URL contains the sp, sv, and sig query parameters, as described here:

  • sp: Specifies permissions for the permitted HTTP methods to use.
  • sv: Specifies the SAS version to use for generating the signature.
  • sig: Specifies the signature to use for authenticating access to the trigger. This signature is generated by using the SHA256 algorithm with a secret access key on all the URL paths and properties. Never exposed or published, this key is kept encrypted and stored with the logic app. Your logic app authorizes only those triggers that contain a valid signature created with the secret key.

For more information about securing access with SAS, see these sections in this topic:

Regenerate access keys

To generate a new security access key at any time, use the Azure REST API or Azure portal. All previously generated URLs that use the old key are invalidated and no longer have authorization to trigger the logic app. The URLs that you retrieve after regeneration are signed with the new access key.

  1. In the Azure portal, open the logic app that has the key you want to regenerate.

  2. On the logic app's menu, under Settings, select Access Keys.

  3. Select the key that you want to regenerate and finish the process.

Create expiring callback URLs

If you share the endpoint URL for a request-based trigger with other parties, you can generate callback URLs that use specific keys and have expiration dates. That way, you can seamlessly roll keys or restrict access to triggering your logic app based on a specific timespan. To specify an expiration date for a URL, use the Logic Apps REST API, for example:

POST /subscriptions/<Azure-subscription-ID>/resourceGroups/<Azure-resource-group-name>/providers/Microsoft.Logic/workflows/<workflow-name>/triggers/<trigger-name>/listCallbackUrl?api-version=2016-06-01

In the body, include the NotAfter property by using a JSON date string. This property returns a callback URL that's valid only until the NotAfter date and time.

Create URLs with primary or secondary secret key

When you generate or list callback URLs for a request-based trigger, you can specify the key to use for signing the URL. To generate a URL that's signed by a specific key, use the Logic Apps REST API, for example:

POST /subscriptions/<Azure-subscription-ID>/resourceGroups/<Azure-resource-group-name>/providers/Microsoft.Logic/workflows/<workflow-name>/triggers/<trigger-name>/listCallbackUrl?api-version=2016-06-01

In the body, include the KeyType property as either Primary or Secondary. This property returns a URL that's signed by the specified security key.

Restrict inbound IP addresses

Along with Shared Access Signature (SAS), you might want to specifically limit the clients that can call your logic app. For example, if you manage your request endpoint by using Azure API Management, you can restrict your logic app to accept requests only from the IP address for the API Management instance.

Restrict inbound IP ranges in Azure portal

  1. In the Azure portal, open your logic app in the Logic App Designer.

  2. On your logic app's menu, under Settings, select Workflow settings.

  3. Under Access control configuration > Allowed inbound IP addresses, select Specific IP ranges.

  4. Under IP ranges for triggers, specify the IP address ranges that the trigger accepts.

    A valid IP range uses these formats: x.x.x.x/x or x.x.x.x-x.x.x.x

If you want your logic app to trigger only as a nested logic app, from the Allowed inbound IP addresses list, select Only other Logic Apps. This option writes an empty array to your logic app resource. That way, only calls from the Logic Apps service (parent logic apps) can trigger the nested logic app.

Note

Regardless of IP address, you can still run a logic app that has a request-based trigger by using /triggers/<trigger-name>/run through the Azure REST API or through API Management. However, this scenario still requires authentication against the Azure REST API. All events appear in the Azure Audit Log. Make sure that you set access control policies accordingly.

Restrict inbound IP ranges in Azure Resource Manager template

If you automate deployment for logic apps by using Resource Manager templates, you can specify the IP ranges by using the accessControl section with the triggers section in your logic app's resource definition, for example:
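The two listCallbackUrl calls above (NotAfter for an expiring URL, KeyType to pick the signing key) share one request shape. The following Python is an added example, not code from the Azure documentation: it assembles that request without sending it, rejects an expiry that is unusable (naive or already past), and inspects a returned callback URL for the sp, sv and sig parameters the SAS scheme requires. The management endpoint constant, the resource names and the sample callback URL are assumptions and constructed test data, not values from the page.

```python
"""Build and sanity-check listCallbackUrl requests for a Logic Apps request trigger."""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse, parse_qs

# Azure Resource Manager endpoint for the global cloud (assumed; the article shows only the path).
ARM_ENDPOINT = "https://management.azure.com"
API_VERSION = "2016-06-01"  # api-version used in the article's examples
REQUIRED_SAS_PARAMS = ("sp", "sv", "sig")

# Constructed sample of what a callback URL looks like; host, id and sig are placeholders.
SAMPLE_CALLBACK_URL = ("https://example-logic-app.invalid/workflows/WORKFLOW-ID/triggers/manual"
                       "/paths/invoke?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun"
                       "&sv=1.0&sig=SIGNATURE-PLACEHOLDER")


def expiring_in(hours):
    """Timezone-aware datetime `hours` from now, suitable for the NotAfter property."""
    return datetime.now(timezone.utc) + timedelta(hours=hours)


def build_list_callback_url_request(subscription_id, resource_group, workflow, trigger,
                                    not_after=None, key_type=None):
    """Return (method, url, json_body) for the listCallbackUrl call.

    not_after: timezone-aware datetime, serialized as an ISO 8601 JSON date string.
    key_type:  "Primary" or "Secondary", selecting which access key signs the URL.
    """
    path = (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Logic/workflows/{workflow}/triggers/{trigger}"
            f"/listCallbackUrl?api-version={API_VERSION}")
    body = {}
    if not_after is not None:
        if not_after.tzinfo is None:
            raise ValueError("NotAfter must be timezone-aware; a naive time makes the expiry ambiguous")
        if not_after <= datetime.now(timezone.utc):
            raise ValueError("NotAfter is already in the past; the URL would be invalid on arrival")
        body["NotAfter"] = not_after.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    if key_type is not None:
        if key_type not in ("Primary", "Secondary"):
            raise ValueError("KeyType must be 'Primary' or 'Secondary'")
        body["KeyType"] = key_type
    return "POST", ARM_ENDPOINT + path, json.dumps(body)


def inspect_callback_url(url):
    """Report whether a callback URL uses HTTPS and carries all SAS query parameters.

    The sig value is deliberately not returned so it cannot leak into logs by accident.
    """
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    return {
        "scheme_ok": parsed.scheme == "https",
        "missing": [p for p in REQUIRED_SAS_PARAMS if p not in query],
        "sp": query.get("sp", [None])[0],
        "sv": query.get("sv", [None])[0],
    }


if __name__ == "__main__":
    method, url, body = build_list_callback_url_request(
        "SUBSCRIPTION-ID", "my-rg", "my-workflow", "manual",
        not_after=expiring_in(24), key_type="Secondary")
    print(method, url)
    print(body)
    print(inspect_callback_url(SAMPLE_CALLBACK_URL))
```

The request is built but not sent: issuing it requires an Azure Resource Manager bearer token, and the returned URL should be handed to the other party over a channel as trusted as the URL itself, since anyone holding it can fire the trigger until NotAfter or until the signing key is regenerated.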

{
   "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {},
   "variables": {},
   "resources": [
      {
         "name": "[parameters('LogicAppName')]",
         "type": "Microsoft.Logic/workflows",
         "location": "[parameters('LogicAppLocation')]",
         "tags": {
            "displayName": "LogicApp"
         },
         "apiVersion": "2016-06-01",
         "properties": {
            "definition": {<workflow-definition>},
            "parameters": {},
            "accessControl": {
               "triggers": {
                  "allowedCallerIpAddresses": [
                     {
                        "addressRange": "192.168.12.0/23"
                     },
                     {
                        "addressRange": "2001:0db8::/64"
                     }
                  ]
               }
            }
         }
      }
   ],
   "outputs": {}
}

Add Azure Active Directory OAuth or other security

To add more authorization protocols to your logic app, consider using the Azure API Management service. This service helps you expose your logic app as an API and offers rich monitoring, security, policy, and documentation for any endpoint. API Management can expose a public or private endpoint for your logic app. To authorize access to this endpoint, you can use Azure Active Directory OAuth, client certificates, or other security standards. When API Management receives a request, the service sends the request to your logic app, also making any necessary transformations or restrictions along the way. To let only API Management trigger your logic app, you can use your logic app's inbound IP range settings.

Access to logic app operations

You can permit only specific users or groups to run specific tasks, such as managing, editing, and viewing logic apps. To control their permissions, use Azure Role-Based Access Control (RBAC) so that you can assign customized or built-in roles to the members in your Azure subscription:

To prevent others from changing or deleting your logic app, you can use Azure Resource Lock. This capability prevents others from changing or deleting production resources.

Access to run history data

During a logic app run, all the data is encrypted during transit by using Transport Layer Security (TLS) and at rest. When your logic app finishes running, you can view the history for that run, including the steps that ran along with the status, duration, inputs, and outputs for each action. This rich detail provides insight into how your logic app ran and where you might start troubleshooting any problems that arise.

When you view your logic app's run history, Logic Apps authenticates your access and then provides links to the inputs and outputs for the requests and responses for each run. However, for actions that handle any passwords, secrets, keys, or other sensitive information, you want to prevent others from viewing and accessing that data. For example, if your logic app gets a secret from Azure Key Vault to use when authenticating an HTTP action, you want to hide that secret from view.

To control access to the inputs and outputs in your logic app's run history, you have these options:

Restrict access by IP address range

You can limit access to the inputs and outputs in your logic app's run history so that only requests from specific IP address ranges can view that data. For example, to block anyone from accessing inputs and outputs, specify an IP address range such as 0.0.0.0-0.0.0.0. Only a person with administrator permissions can remove this restriction, which provides the possibility for "just-in-time" access to your logic app's data. You can specify the IP ranges to restrict either by using the Azure portal or in an Azure Resource Manager template that you use for logic app deployment.

Restrict IP ranges in Azure portal

  1. In the Azure portal, open your logic app in the Logic App Designer.

  2. On your logic app's menu, under Settings, select Workflow settings.

  3. Under Access control configuration > Allowed inbound IP addresses, select Specific IP ranges.

  4. Under IP ranges for contents, specify the IP address ranges that can access content from inputs and outputs.

    A valid IP range uses these formats: x.x.x.x/x or x.x.x.x-x.x.x.x

Restrict IP ranges in Azure Resource Manager template

If you automate deployment for logic apps by using Resource Manager templates, you can specify the IP ranges by using the accessControl section with the contents section in your logic app's resource definition, for example:

{
   "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {},
   "variables": {},
   "resources": [
      {
         "name": "[parameters('LogicAppName')]",
         "type": "Microsoft.Logic/workflows",
         "location": "[parameters('LogicAppLocation')]",
         "tags": {
            "displayName": "LogicApp"
         },
         "apiVersion": "2016-06-01",
         "properties": {
            "definition": {<workflow-definition>},
            "parameters": {},
            "accessControl": {
               "contents": {
                  "allowedCallerIpAddresses": [
                     {
                        "addressRange": "192.168.12.0/23"
                     },
                     {
                        "addressRange": "2001:0db8::/64"
                     }
                  ]
               }
            }
         }
      }
   ],
   "outputs": {}
}
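Both the trigger ranges (accessControl.triggers, earlier in this topic) and the contents ranges (accessControl.contents, just above) use the same two range formats and the same allowedCallerIpAddresses shape. The following Python is an added example, not code from the Azure documentation: it parses both formats, evaluates whether a caller address would pass a given list, models the two special cases the topic describes (an empty trigger list means only other Logic Apps may call; 0.0.0.0-0.0.0.0 blocks everyone from run-history contents), and emits the accessControl fragment for a template. The sample ranges and caller addresses are constructed test data; the behaviour of an empty contents list is not stated on the page and is marked as an assumption in the code.

```python
"""Evaluate and generate Logic Apps allowedCallerIpAddresses lists."""
import ipaddress
import json


def parse_address_range(text):
    """Return (first, last) addresses for 'a.b.c.d/n' or 'a.b.c.d-w.x.y.z' (IPv6 works too)."""
    text = text.strip()
    if "-" in text:  # explicit start-end range
        lo, hi = (ipaddress.ip_address(part.strip()) for part in text.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid address range: {text}")
        return lo, hi
    net = ipaddress.ip_network(text, strict=False)  # CIDR form
    return net[0], net[-1]


def caller_allowed(caller_ip, address_ranges, scope="triggers"):
    """Decide whether caller_ip may reach the given scope.

    address_ranges: range strings as stored in allowedCallerIpAddresses[*].addressRange.
    scope: "triggers" (who may fire the trigger) or "contents" (who may read inputs/outputs).
    Returns (allowed, reason).
    """
    ip = ipaddress.ip_address(caller_ip)
    if not address_ranges:
        if scope == "triggers":
            return False, "empty list: only calls from the Logic Apps service (parent logic apps) may trigger"
        # Assumption: the article does not define an empty contents list; treated here as unrestricted.
        return True, "no content ranges configured (assumed unrestricted)"
    parsed = [parse_address_range(r) for r in address_ranges]
    if all(lo == hi and lo.is_unspecified for lo, hi in parsed):
        return False, "block-all idiom (0.0.0.0-0.0.0.0): nobody may read this data until an administrator removes the restriction"
    for (lo, hi), text in zip(parsed, address_ranges):
        if lo.version == ip.version and lo <= ip <= hi:
            return True, f"matched {text}"
    return False, "no configured range matched"


def access_control_fragment(trigger_ranges, content_ranges):
    """Build the accessControl property for a Microsoft.Logic/workflows resource, validating every range first."""
    def entries(ranges):
        for r in ranges:
            parse_address_range(r)  # raise early on a typo rather than deploying it
        return [{"addressRange": r} for r in ranges]
    return {"accessControl": {
        "triggers": {"allowedCallerIpAddresses": entries(trigger_ranges)},
        "contents": {"allowedCallerIpAddresses": entries(content_ranges)},
    }}


if __name__ == "__main__":
    # Constructed sample: the article's two ranges for triggers, block-all for contents.
    triggers = ["192.168.12.0/23", "2001:0db8::/64"]
    contents = ["0.0.0.0-0.0.0.0"]
    for caller in ("192.168.13.7", "192.168.14.1", "2001:db8::1"):
        print(caller, caller_allowed(caller, triggers))
    print("contents:", caller_allowed("192.168.13.7", contents, scope="contents"))
    print(json.dumps(access_control_fragment(triggers, contents), indent=2))
```

Running the decision function against the ranges you are about to deploy, with the API Management or parent-workflow addresses you expect as callers, catches an off-by-one prefix length before it locks legitimate callers out or lets the wrong network in.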

Hide data from run history by using obfuscation

Many triggers and actions have settings to hide inputs, outputs, or both from a logic app's run history. Here are some considerations to review when you use these settings to help you secure this data.

Hide inputs and outputs in the designer

  1. In the Azure portal, open your logic app in the Logic App Designer.

    (Screenshot: open the logic app in the Logic App Designer)

  2. On the trigger or action where you want to hide sensitive data, select the ellipses (...) button, and then select Settings.

    (Screenshot: open trigger or action settings)

  3. Turn on either Secure Inputs, Secure Outputs, or both. When you're finished, select Done.

    (Screenshot: turn on Secure Inputs or Secure Outputs)

    The action or trigger now shows a lock icon in the title bar.

    (Screenshot: action or trigger title bar shows a lock icon)

    Tokens that represent secured outputs from previous actions also show lock icons. For example, when you select such an output from the dynamic content list to use in an action, that token shows a lock icon.

    (Screenshot: select a token for a secured output)

  4. After the logic app runs, you can view the history for that run.

    1. On the logic app's Overview pane, select the run that you want to view.

    2. On the Logic app run pane, expand the actions that you want to review.

      If you chose to obscure both inputs and outputs, those values now appear hidden.

      (Screenshot: hidden inputs and outputs in run history)

Hide inputs and outputs in code view

In the underlying trigger or action definition, add or update the runtimeConfiguration.secureData.properties array with either or both of these values:

  • "inputs": Secures inputs in run history.
  • "outputs": Secures outputs in run history.

"<trigger-or-action-name>": {
   "type": "<trigger-or-action-type>",
   "inputs": {
      <trigger-or-action-inputs>
   },
   "runtimeConfiguration": {
      "secureData": {
         "properties": [
            "inputs",
            "outputs"
         ]
      }
   },
   <other-attributes>
}
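The secureData setting above is easy to forget on one action among many. The following Python is an added example, not code from the Azure documentation: it audits a workflow definition for triggers and actions whose inputs reference a securestring or secureobject parameter through @parameters('...') but do not list "inputs" under runtimeConfiguration.secureData.properties, and it applies the setting, which is the code-view equivalent of turning on Secure Inputs and Secure Outputs in the designer. The sample definition is constructed from this topic's Basic-authentication HTTP example with one extra Compose action; the check is deliberately conservative and flags the reference regardless of any redaction the service applies on its own.

```python
"""Audit and apply secureData settings in a Logic Apps workflow definition."""
import copy
import json
import re

PARAM_REF = re.compile(r"@parameters\('([^']+)'\)")
SECURE_TYPES = {"securestring", "secureobject"}

# Constructed sample based on the article's HTTP/Basic-auth example; not from the page verbatim.
SAMPLE_DEFINITION = json.loads("""{
  "actions": {
    "HTTP": {
      "type": "Http",
      "inputs": {
        "method": "GET",
        "uri": "https://www.microsoft.com",
        "authentication": {
          "type": "Basic",
          "username": "@parameters('basicAuthUsernameParam')",
          "password": "@parameters('basicAuthPasswordParam')"
        }
      },
      "runAfter": {}
    },
    "Compose": {"type": "Compose", "inputs": "@parameters('publicLabel')", "runAfter": {"HTTP": ["Succeeded"]}}
  },
  "parameters": {
    "basicAuthPasswordParam": {"type": "securestring"},
    "basicAuthUsernameParam": {"type": "securestring"},
    "publicLabel": {"type": "string", "defaultValue": "demo"}
  },
  "triggers": {"manual": {"type": "Request", "kind": "Http", "inputs": {"schema": {}}}}
}""")


def _referenced_params(node):
    """Collect every parameter name referenced by @parameters('...') inside a JSON-like value."""
    found = set()
    if isinstance(node, dict):
        for value in node.values():
            found |= _referenced_params(value)
    elif isinstance(node, list):
        for value in node:
            found |= _referenced_params(value)
    elif isinstance(node, str):
        found.update(PARAM_REF.findall(node))
    return found


def secured_properties(operation):
    """Return the set of secured properties ("inputs", "outputs") on a trigger or action."""
    return set(operation.get("runtimeConfiguration", {}).get("secureData", {}).get("properties", []))


def find_unprotected(definition):
    """Map operation name -> sorted secure parameter names for operations that use a secure
    parameter in their inputs without securing those inputs in run history."""
    secure_params = {name for name, spec in definition.get("parameters", {}).items()
                     if spec.get("type") in SECURE_TYPES}
    report = {}
    for section in ("triggers", "actions"):
        for name, operation in definition.get(section, {}).items():
            used = _referenced_params(operation.get("inputs", {})) & secure_params
            if used and "inputs" not in secured_properties(operation):
                report[name] = sorted(used)
    return report


def secure_operation(definition, name, inputs=True, outputs=True):
    """Return a copy of the definition with secureData set on the named trigger or action."""
    fixed = copy.deepcopy(definition)
    for section in ("triggers", "actions"):
        if name in fixed.get(section, {}):
            props = secured_properties(fixed[section][name])
            if inputs:
                props.add("inputs")
            if outputs:
                props.add("outputs")
            runtime = fixed[section][name].setdefault("runtimeConfiguration", {})
            runtime["secureData"] = {"properties": sorted(props)}
            return fixed
    raise KeyError(f"no trigger or action named {name!r}")


if __name__ == "__main__":
    print("unprotected:", find_unprotected(SAMPLE_DEFINITION))
    fixed = secure_operation(SAMPLE_DEFINITION, "HTTP")
    print("after fix:", find_unprotected(fixed))
    print(json.dumps(fixed["actions"]["HTTP"]["runtimeConfiguration"], indent=2))
```

Because the audit walks the definition rather than the portal, it fits a deployment pipeline: fail the build when find_unprotected returns anything, so a secret-bearing action cannot ship with visible inputs.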

Considerations when hiding inputs and outputs

  • When you obscure the inputs or outputs on a trigger or action, Logic Apps doesn't send the secured data to Azure Log Analytics. Also, you can't add tracked properties to that trigger or action for monitoring.

  • The Logic Apps API for handling workflow history doesn't return secured outputs.

  • To hide outputs from an action that obscures inputs or explicitly obscures outputs, manually turn on Secure Outputs in that action.

  • Make sure that you turn on Secure Inputs or Secure Outputs in downstream actions where you expect the run history to obscure that data.

    Secure Outputs setting

    When you manually turn on Secure Outputs in a trigger or action, Logic Apps secures these outputs in the run history. If a downstream action explicitly uses these secured outputs as inputs, Logic Apps hides this action's inputs in the run history, but doesn't enable the action's Secure Inputs setting.

    (Diagram: secured outputs used as inputs, and the downstream impact on most actions)

    The Compose, Parse JSON, and Response actions have only the Secure Inputs setting. When turned on, the setting also hides these actions' outputs. If these actions explicitly use the upstream secured outputs as inputs, Logic Apps hides these actions' inputs and outputs, but doesn't enable these actions' Secure Inputs setting. If a downstream action explicitly uses the hidden outputs from the Compose, Parse JSON, or Response actions as inputs, Logic Apps doesn't hide this downstream action's inputs or outputs.

    (Diagram: secured outputs used as inputs, and the downstream impact on specific actions)

    Secure Inputs setting

    When you manually turn on Secure Inputs in a trigger or action, Logic Apps secures these inputs in the run history. If a downstream action explicitly uses the visible outputs from that trigger or action as inputs, Logic Apps hides this downstream action's inputs in the run history, but doesn't enable Secure Inputs in this action and doesn't hide this action's outputs.

    (Diagram: secured inputs, and the downstream impact on most actions)

    If the Compose, Parse JSON, and Response actions explicitly use the visible outputs from the trigger or action that has the secured inputs, Logic Apps hides these actions' inputs and outputs, but doesn't enable these actions' Secure Inputs setting. If a downstream action explicitly uses the hidden outputs from the Compose, Parse JSON, or Response actions as inputs, Logic Apps doesn't hide this downstream action's inputs or outputs.

    (Diagram: secured inputs, and the downstream impact on specific actions)

Access to parameter inputs

If you deploy across different environments, consider parameterizing the values in your workflow definition that vary based on those environments. That way, you can avoid hard-coded data by using an Azure Resource Manager template to deploy your logic app, protect sensitive data by defining secured parameters, and pass that data as separate inputs through the template's parameters by using a parameter file.

For example, if you authenticate HTTP actions with Azure Active Directory OAuth, you can define and obscure the parameters that accept the client ID and client secret that are used for authentication. To define these parameters in your logic app, use the parameters section in your logic app's workflow definition and Resource Manager template for deployment. To hide parameter values that you don't want shown when editing your logic app or viewing run history, define the parameters by using the securestring or secureobject type and use encoding as necessary. Parameters that have this type aren't returned with the resource definition and aren't accessible when viewing the resource after deployment. To access these parameter values during runtime, use the @parameters('<parameter-name>') expression inside your workflow definition. This expression is evaluated only at runtime and is described by the Workflow Definition Language.

Note

If you use a parameter in a request header or body, that parameter might be visible when you view your logic app's run history and outgoing HTTP request. Make sure that you also set your content access policies accordingly. You can also use obfuscation to hide inputs and outputs in your run history. Authorization headers are never visible through inputs or outputs. So if a secret is used there, that secret isn't retrievable.

For more information, see these sections in this topic:

If you automate deployment for logic apps by using Resource Manager templates, you can define secured template parameters, which are evaluated at deployment, by using the securestring and secureobject types. To define template parameters, use your template's top-level parameters section, which is separate and different from your workflow definition's parameters section. To provide the values for template parameters, use a separate parameter file.

For example, if you use secrets, you can define and use secured template parameters that retrieve those secrets from Azure Key Vault at deployment. You can then reference the key vault and secret in your parameter file. For more information, see these topics:

Secure parameters in workflow definitions

To protect sensitive information in your logic app's workflow definition, use secured parameters so this information isn't visible after you save your logic app. For example, suppose you have an HTTP action that requires basic authentication, which uses a username and password. In the workflow definition, the parameters section defines the basicAuthPasswordParam and basicAuthUsernameParam parameters by using the securestring type. The action definition then references these parameters in the authentication section.

"definition": {
   "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
   "actions": {
      "HTTP": {
         "type": "Http",
         "inputs": {
            "method": "GET",
            "uri": "https://www.microsoft.com",
            "authentication": {
               "type": "Basic",
               "username": "@parameters('basicAuthUsernameParam')",
               "password": "@parameters('basicAuthPasswordParam')"
            }
         },
         "runAfter": {}
      }
   },
   "parameters": {
      "basicAuthPasswordParam": {
         "type": "securestring"
      },
      "basicAuthUsernameParam": {
         "type": "securestring"
      }
   },
   "triggers": {
      "manual": {
         "type": "Request",
         "kind": "Http",
         "inputs": {
            "schema": {}
         }
      }
   },
   "contentVersion": "1.0.0.0",
   "outputs": {}
}

Secure parameters in Azure Resource Manager templates

A Resource Manager template for a logic app has multiple parameters sections. To protect passwords, keys, secrets, and other sensitive information, define secured parameters at the template level and workflow definition level by using the securestring or secureobject type. You can then store these values in Azure Key Vault and use the parameter file to reference the key vault and secret. Your template then retrieves that information at deployment. For more information, see Pass sensitive values at deployment by using Azure Key Vault.

Here is more information about these parameters sections:

  • At the template's top level, a parameters section defines the parameters for the values that the template uses at deployment. For example, these values can include connection strings for a specific deployment environment. You can then store these values in a separate parameter file, which makes changing these values easier.

  • Inside your logic app's resource definition, but outside your workflow definition, a parameters section specifies the values for your workflow definition's parameters. In this section, you can assign these values by using template expressions that reference your template's parameters. These expressions are evaluated at deployment.

  • Inside your workflow definition, a parameters section defines the parameters that your logic app uses at runtime. You can then reference these parameters inside your logic app's workflow by using workflow definition expressions, which are evaluated at runtime.

This example template has multiple secured parameter definitions that use the securestring type:

  • TemplatePasswordParam: A template parameter that accepts a password that is then passed to the workflow definition's basicAuthPasswordParam parameter.
  • TemplateUsernameParam: A template parameter that accepts a username that is then passed to the workflow definition's basicAuthUsernameParam parameter.
  • basicAuthPasswordParam: A workflow definition parameter that accepts the password for basic authentication in an HTTP action.
  • basicAuthUsernameParam: A workflow definition parameter that accepts the username for basic authentication in an HTTP action.

{
   "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
   "contentVersion": "1.0.0.0",
   "parameters": {
      "LogicAppName": {
         "type": "string",
         "minLength": 1,
         "maxLength": 80,
         "metadata": {
            "description": "Name of the Logic App."
         }
      },
      "TemplatePasswordParam": {
         "type": "securestring"
      },
      "TemplateUsernameParam": {
         "type": "securestring"
      },
      "LogicAppLocation": {
         "type": "string",
         "defaultValue": "[resourceGroup().location]",
         "allowedValues": [
            "[resourceGroup().location]",
            "eastasia",
            "southeastasia",
            "centralus",
            "eastus",
            "eastus2",
            "westus",
            "northcentralus",
            "southcentralus",
            "northeurope",
            "westeurope",
            "japanwest",
            "japaneast",
            "brazilsouth",
            "australiaeast",
            "australiasoutheast",
            "southindia",
            "centralindia",
            "westindia",
            "canadacentral",
            "canadaeast",
            "uksouth",
            "ukwest",
            "westcentralus",
            "westus2"
         ],
         "metadata": {
            "description": "Location of the Logic App."
         }
      }
   },
   "variables": {},
   "resources": [
      {
         "name": "[parameters('LogicAppName')]",
         "type": "Microsoft.Logic/workflows",
         "location": "[parameters('LogicAppLocation')]",
         "tags": {
            "displayName": "LogicApp"
         },
         "apiVersion": "2016-06-01",
         "properties": {
            "definition": {
               "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
               "actions": {
                  "HTTP": {
                     "type": "Http",
                     "inputs": {
                        "method": "GET",
                        "uri": "https://www.microsoft.com",
                        "authentication": {
                           "type": "Basic",
                           "username": "@parameters('basicAuthUsernameParam')",
                           "password": "@parameters('basicAuthPasswordParam')"
                        }
                     },
                      "runAfter": {}
                  }
               },
               "parameters": {
                  "basicAuthPasswordParam": {
                     "type": "securestring"
                  },
                  "basicAuthUsernameParam": {
                     "type": "securestring"
                  }
               },
               "triggers": {
                  "manual": {
                     "type": "Request",
                     "kind": "Http",
                     "inputs": {
                        "schema": {}
                     }
                  }
               },
               "contentVersion": "1.0.0.0",
               "outputs": {}
            },
            "parameters": {
               "basicAuthPasswordParam": {
                  "value": "[parameters('TemplatePasswordParam')]"
               },
               "basicAuthUsernameParam": {
                  "value": "[parameters('TemplateUsernameParam')]"
               }
            }
         }
      }
   ],
   "outputs": {}
}
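The three parameters sections described above only protect a secret if the chain holds at every level: the workflow parameter is securestring, the resource-level assignment references a template parameter instead of a literal, and that template parameter is itself securestring with no defaultValue baked into the template. The following Python is an added example, not code from the Azure documentation: it audits a deployment template for exactly that chain. The template it checks is a trimmed, constructed variant of the example above (the parameter names TemplatePasswordParam, TemplateUsernameParam, basicAuthPasswordParam and basicAuthUsernameParam come from this topic); broken_variant builds a deliberately misconfigured copy as a negative test case.

```python
"""Verify that secured workflow parameters are fed from secured template parameters."""
import json
import re

SECURE_TYPES = {"securestring", "secureobject"}
TEMPLATE_PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

# Constructed, trimmed variant of the article's template (no location list, no tags).
GOOD_TEMPLATE = json.loads("""{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "LogicAppName": {"type": "string"},
    "TemplatePasswordParam": {"type": "securestring"},
    "TemplateUsernameParam": {"type": "securestring"}
  },
  "resources": [{
    "name": "[parameters('LogicAppName')]",
    "type": "Microsoft.Logic/workflows",
    "apiVersion": "2016-06-01",
    "properties": {
      "definition": {
        "actions": {"HTTP": {"type": "Http", "inputs": {"method": "GET", "uri": "https://www.microsoft.com",
          "authentication": {"type": "Basic", "username": "@parameters('basicAuthUsernameParam')",
                             "password": "@parameters('basicAuthPasswordParam')"}}, "runAfter": {}}},
        "parameters": {"basicAuthPasswordParam": {"type": "securestring"},
                       "basicAuthUsernameParam": {"type": "securestring"}},
        "triggers": {"manual": {"type": "Request", "kind": "Http", "inputs": {"schema": {}}}}
      },
      "parameters": {
        "basicAuthPasswordParam": {"value": "[parameters('TemplatePasswordParam')]"},
        "basicAuthUsernameParam": {"value": "[parameters('TemplateUsernameParam')]"}
      }
    }
  }]
}""")


def audit_secure_parameter_flow(template):
    """Return a list of findings; empty means every secured workflow parameter is assigned from a
    secured, default-free template parameter in every Microsoft.Logic/workflows resource."""
    findings = []
    template_params = template.get("parameters", {})
    for resource in template.get("resources", []):
        if resource.get("type") != "Microsoft.Logic/workflows":
            continue
        props = resource.get("properties", {})
        workflow_params = props.get("definition", {}).get("parameters", {})
        assignments = props.get("parameters", {})  # resource-level section, evaluated at deployment
        for name, spec in workflow_params.items():
            if spec.get("type") not in SECURE_TYPES:
                continue
            assigned = assignments.get(name, {}).get("value")
            if assigned is None:
                if "defaultValue" in spec:
                    findings.append(f"{name}: secured workflow parameter carries a hard-coded defaultValue")
                else:
                    findings.append(f"{name}: secured workflow parameter is never assigned a value")
                continue
            match = TEMPLATE_PARAM_REF.match(assigned) if isinstance(assigned, str) else None
            if not match:
                findings.append(f"{name}: value is a literal, not a template parameter reference")
                continue
            ref = match.group(1)
            tparam = template_params.get(ref)
            if tparam is None:
                findings.append(f"{name}: references undefined template parameter {ref}")
            elif tparam.get("type") not in SECURE_TYPES:
                findings.append(f"{name}: template parameter {ref} is type {tparam.get('type')}, not securestring/secureobject")
            elif "defaultValue" in tparam:
                findings.append(f"{name}: template parameter {ref} has a defaultValue stored in the template itself")
    return findings


def broken_variant(template):
    """Constructed negative case: downgrade one template parameter and hard-code the password."""
    bad = json.loads(json.dumps(template))
    bad["parameters"]["TemplateUsernameParam"]["type"] = "string"
    bad["resources"][0]["properties"]["parameters"]["basicAuthPasswordParam"]["value"] = "PASSWORD-PLACEHOLDER"
    return bad


if __name__ == "__main__":
    print("good:", audit_secure_parameter_flow(GOOD_TEMPLATE))
    for finding in audit_secure_parameter_flow(broken_variant(GOOD_TEMPLATE)):
        print("bad: ", finding)
```

The audit reads only the template, so it complements rather than replaces the Key Vault reference in the parameter file: the template decides whether a value is treated as secure, the parameter file decides where the value comes from.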

访问逻辑应用中调用的服务和系统Access to services and systems called from logic apps

下面是一些可帮助保护接收来自逻辑应用的调用或请求的终结点的方法:Here are some ways that you can help secure endpoints that receive calls or requests from your logic app:

  • 将身份验证添加到出站请求。Add authentication to outbound requests.

    使用基于 HTTP 的触发器或执行出站调用的操作(如 HTTP、HTTP + Swagger 或 Webhook)时,可以向逻辑应用发送的请求添加身份验证。When you work with an HTTP-based trigger or action that makes outbound calls, such as HTTP, HTTP + Swagger, or Webhook, you can add authentication to the request that's sent by your logic app. 例如,可以使用以下身份验证类型:For example, you can use these authentication types:

    有关详细信息,请参阅本主题后面的将身份验证添加到出站调用For more information, see Add authentication to outbound calls later in this topic.

  • Restrict access from logic app IP addresses.

    All calls to endpoints from logic apps originate from specific designated IP addresses that are based on your logic apps' regions. You can add filtering that accepts requests only from those IP addresses. To get these IP addresses, see Limits and configuration for Azure Logic Apps. Keep in mind that these outbound addresses are shared by every logic app that runs in that region, not just yours, so an IP filter identifies the Logic Apps service rather than your specific workflow and should be combined with authentication on the endpoint.

  • Improve security for connections to on-premises systems.

    Azure Logic Apps provides integration with these services to help provide more secure and reliable on-premises communication.

    • On-premises data gateway

      Many managed connectors in Azure Logic Apps facilitate secured connections to on-premises systems, such as File System, SQL, SharePoint, and DB2. The gateway sends data from on-premises sources over encrypted channels through Azure Service Bus. All traffic originates as secured outbound traffic from the gateway agent, so you don't have to open inbound ports on the on-premises network. Learn how the on-premises data gateway works.

    • Connect through Azure API Management

      Azure API Management provides on-premises connection options, such as site-to-site virtual private network and ExpressRoute integration, for secured proxying and communication to on-premises systems. From your logic app's workflow in the Logic App Designer, you can select an API that's exposed by API Management, which provides quick access to on-premises systems.

Add authentication to outbound calls

HTTP and HTTPS endpoints support various kinds of authentication. Based on the trigger or action that you use to make outbound calls or requests that access these endpoints, you can select from varying ranges of authentication types. To make sure that you protect any sensitive information that your logic app handles, use secured parameters and encode data as necessary. For more information about using and securing parameters, see Access to parameter inputs. Basic and Raw authentication place the credential itself in the Authorization header of every request, so use them only with HTTPS endpoints; over plain HTTP the secret crosses the network in clear text.

Note

In the Logic App Designer, the Authentication property might be hidden on some triggers and actions where you can specify the authentication type. To make the property appear in these cases, on the trigger or action, open the Add new parameter list, and select Authentication. For more information, see Authenticate access with managed identity.

| Authentication type | Supported by |
|---|---|
| Basic | Azure API Management, Azure App Services, HTTP, HTTP + Swagger, HTTP Webhook |
| Client Certificate | Azure API Management, Azure App Services, HTTP, HTTP + Swagger, HTTP Webhook |
| Active Directory OAuth | Azure API Management, Azure App Services, Azure Functions, HTTP, HTTP + Swagger, HTTP Webhook |
| Raw | Azure API Management, Azure App Services, Azure Functions, HTTP, HTTP + Swagger, HTTP Webhook |
| Managed identity | Azure API Management, Azure App Services, Azure Functions, HTTP, HTTP + Swagger, HTTP Webhook |

Basic authentication

If the Basic option is available, specify these property values:

| Property (designer) | Property (JSON) | Required | Value | Description |
|---|---|---|---|---|
| Authentication | type | Yes | Basic | The authentication type to use |
| Username | username | Yes | <user-name> | The user name for authenticating access to the target service endpoint |
| Password | password | Yes | <password> | The password for authenticating access to the target service endpoint |

When you use secured parameters to handle and protect sensitive information, for example, in an Azure Resource Manager template for automating deployment, you can use expressions to access these parameter values at runtime. This example HTTP action definition specifies the authentication type as Basic and uses the parameters() function to get the parameter values:

"HTTP": {
   "type": "Http",
   "inputs": {
      "method": "GET",
      "uri": "@parameters('endpointUrlParam')",
      "authentication": {
         "type": "Basic",
         "username": "@parameters('userNameParam')",
         "password": "@parameters('passwordParam')"
      }
   },
   "runAfter": {}
}

Client Certificate authentication

If the Client Certificate option is available, specify these property values:

| Property (designer) | Property (JSON) | Required | Value | Description |
|---|---|---|---|---|
| Authentication | type | Yes | Client Certificate or ClientCertificate | The authentication type to use for Secure Sockets Layer (SSL) client certificates. While self-signed certificates are supported, self-signed certificates for SSL aren't supported. |
| Pfx | pfx | Yes | <encoded-pfx-file-content> | The base64-encoded content from a Personal Information Exchange (PFX) file |
| Password | password | No | <password-for-pfx-file> | The password for accessing the PFX file |

To convert the PFX file into base64-encoded format, you can use PowerShell by following these steps:

1. Save the certificate content into a variable:

$pfx_cert = Get-Content 'c:\certificate.pfx' -Encoding Byte

2. Convert the certificate content by using the ToBase64String() function and save that content to a text file:

[System.Convert]::ToBase64String($pfx_cert) | Out-File 'pfx-encoded-bytes.txt'

The -Encoding Byte parameter exists only in Windows PowerShell 5.1. In PowerShell 7, read the file with Get-Content 'c:\certificate.pfx' -AsByteStream instead. Because the PFX file contains the private key, treat the encoded text file as a secret as well: pass its content to the pfx property through a securestring parameter, and delete the file once the deployment is done.

When you use secured parameters to handle and protect sensitive information, for example, in an Azure Resource Manager template for automating deployment, you can use expressions to access these parameter values at runtime. This example HTTP action definition specifies the authentication type as ClientCertificate and uses the parameters() function to get the parameter values:

"HTTP": {
   "type": "Http",
   "inputs": {
      "method": "GET",
      "uri": "@parameters('endpointUrlParam')",
      "authentication": {
         "type": "ClientCertificate",
         "pfx": "@parameters('pfxParam')",
         "password": "@parameters('passwordParam')"
      }
   },
   "runAfter": {}
}

For more information about securing services by using client certificate authentication, see these topics:

Azure Active Directory OAuth authentication

If the Active Directory OAuth option is available, specify these property values:

| Property (designer) | Property (JSON) | Required | Value | Description |
|---|---|---|---|---|
| Authentication | type | Yes | Active Directory OAuth or ActiveDirectoryOAuth | The authentication type to use. Logic Apps currently follows the OAuth 2.0 protocol. |
| Authority | authority | No | <URL-for-authority-token-issuer> | The URL for the authority that provides the authentication token. By default, this value is https://login.windows.net. |
| Tenant | tenant | Yes | <tenant-ID> | The tenant ID for the Azure AD tenant |
| Audience | audience | Yes | <resource-to-authorize> | The resource that you want to use for authorization, for example, https://management.core.windows.net/ |
| Client ID | clientId | Yes | <client-ID> | The client ID for the app requesting authorization |
| Credential Type | credentialType | Yes | Certificate or Secret | The credential type that the client uses for requesting authorization. This property and value don't appear in your logic app's underlying definition, but they determine which properties appear for the selected credential type. |
| Secret | secret | Yes, but only for the "Secret" credential type | <client-secret> | The client secret for requesting authorization |
| Pfx | pfx | Yes, but only for the "Certificate" credential type | <encoded-pfx-file-content> | The base64-encoded content from a Personal Information Exchange (PFX) file |
| Password | password | Yes, but only for the "Certificate" credential type | <password-for-pfx-file> | The password for accessing the PFX file |

When you use secured parameters to handle and protect sensitive information, for example, in an Azure Resource Manager template for automating deployment, you can use expressions to access these parameter values at runtime. This example HTTP action definition specifies the authentication type as ActiveDirectoryOAuth, the credential type as Secret, and uses the parameters() function to get the parameter values:

"HTTP": {
   "type": "Http",
   "inputs": {
      "method": "GET",
      "uri": "@parameters('endpointUrlParam')",
      "authentication": {
         "type": "ActiveDirectoryOAuth",
         "tenant": "@parameters('tenantIdParam')",
         "audience": "https://management.core.windows.net/",
         "clientId": "@parameters('clientIdParam')",
         "credentialType": "Secret",
         "secret": "@parameters('secretParam')"
      }
   },
   "runAfter": {}
}

Raw authentication

If the Raw option is available, you can use this authentication type when you have to use authentication schemes that don't follow the OAuth 2.0 protocol. With this type, you manually create the authorization header value that you send with the outgoing request, and specify that header value in your trigger or action. The value is sent as the Authorization header exactly as you supply it; the runtime doesn't compute signatures, refresh tokens, or handle expiry for this scheme.

For example, here is a sample header for an HTTPS request that follows the OAuth 1.0 protocol:

Authorization: OAuth realm="Photos",
   oauth_consumer_key="dpf43f3p2l4k3l03",
   oauth_signature_method="HMAC-SHA1",
   oauth_timestamp="137131200",
   oauth_nonce="wIjqoS",
   oauth_callback="http%3A%2F%2Fprinter.example.com%2Fready",
   oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D"

In the trigger or action that supports raw authentication, specify these property values:

| Property (designer) | Property (JSON) | Required | Value | Description |
|---|---|---|---|---|
| Authentication | type | Yes | Raw | The authentication type to use |
| Value | value | Yes | <authorization-header-value> | The authorization header value to use for authentication |

When you use secured parameters to handle and protect sensitive information, for example, in an Azure Resource Manager template for automating deployment, you can use expressions to access these parameter values at runtime. This example HTTP action definition specifies the authentication type as Raw and uses the parameters() function to get the parameter values:

"HTTP": {
   "type": "Http",
   "inputs": {
      "method": "GET",
      "uri": "@parameters('endpointUrlParam')",
      "authentication": {
         "type": "Raw",
         "value": "@parameters('authHeaderParam')"
      }
   },
   "runAfter": {}
}
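The OAuth 1.0 header shown in this section is only useful if something computes oauth_signature correctly for each request, because the Raw option sends the value exactly as given. The following Python module is an added example, not code from this page or from Azure Logic Apps: it builds the RFC 5849 signature base string, signs it with HMAC-SHA1, assembles the Authorization header value that would go into the Raw value property, and verifies such a header the way a receiving service does. The consumer key, nonce, timestamp, realm, and callback are the ones in the page's sample header, which matches the "Photos" example in RFC 5849 section 1.2; the request method and URL (POST https://photos.example.net/initiate) and the consumer secret kd94hf93k423kf44 are not on this page and are assumed here from that same RFC example.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def _enc(value) -> str:
    # RFC 5849 section 3.6: percent-encode everything except the RFC 3986
    # unreserved set (letters, digits, "-", ".", "_", "~").
    return quote(str(value), safe="")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """RFC 5849 section 3.4.1: METHOD & enc(base URI) & enc(normalized params).

    `params` holds the oauth_* protocol parameters plus any form-body
    parameters; query-string parameters are taken from `url`. The
    oauth_signature and realm entries never take part in the signature.
    """
    parts = urlsplit(url)
    host = parts.hostname.lower()
    default_port = {"http": 80, "https": 443}.get(parts.scheme.lower())
    if parts.port and parts.port != default_port:
        host += f":{parts.port}"
    base_uri = f"{parts.scheme.lower()}://{host}{parts.path or '/'}"

    pairs = [(k, v) for k, v in params.items() if k not in ("oauth_signature", "realm")]
    pairs += parse_qsl(parts.query, keep_blank_values=True)
    # Sort by encoded name, then encoded value; join with "=" and "&".
    normalized = "&".join(f"{k}={v}" for k, v in sorted((_enc(k), _enc(v)) for k, v in pairs))
    return "&".join([method.upper(), _enc(base_uri), _enc(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    # RFC 5849 section 3.4.2: key is enc(consumer secret) "&" enc(token secret).
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode("ascii")
    digest = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def protocol_params(consumer_key, nonce, timestamp, callback=None, token=None) -> dict:
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
    }
    if callback:
        params["oauth_callback"] = callback
    if token:
        params["oauth_token"] = token
    return params


def oauth1_header(method, url, consumer_key, consumer_secret, nonce, timestamp,
                  realm=None, callback=None, token=None, token_secret="", body_params=None) -> str:
    """Return the header value (what goes after 'Authorization:' or into the Raw value)."""
    oauth = protocol_params(consumer_key, nonce, timestamp, callback, token)
    signed = dict(oauth, **(body_params or {}))
    oauth["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, signed), consumer_secret, token_secret)
    fields = [f'realm="{_enc(realm)}"'] if realm is not None else []
    fields += [f'{k}="{_enc(v)}"' for k, v in oauth.items()]
    return "OAuth " + ", ".join(fields)


_FIELD = re.compile(r'(\w+)="([^"]*)"')


def verify_oauth1_header(header, method, url, consumer_secret, token_secret="", body_params=None) -> bool:
    """Server side: parse the header, rebuild the base string, compare signatures."""
    scheme, _, rest = header.partition(" ")
    if scheme != "OAuth":
        return False
    received = {k: unquote(v) for k, v in _FIELD.findall(rest)}
    received.pop("realm", None)
    signature = received.pop("oauth_signature", None)
    if signature is None or received.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    signed = dict(received, **(body_params or {}))
    expected = hmac_sha1_signature(signature_base_string(method, url, signed), consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)


# Values from the page's sample header (RFC 5849 section 1.2 "Photos" example).
# Method, URL and consumer secret are assumed from that RFC example; they are
# not on the page.
SAMPLE = dict(method="POST", url="https://photos.example.net/initiate",
              consumer_key="dpf43f3p2l4k3l03", consumer_secret="kd94hf93k423kf44",
              nonce="wIjqoS", timestamp=137131200, realm="Photos",
              callback="http://printer.example.com/ready")


def sample_base_string() -> str:
    params = protocol_params(SAMPLE["consumer_key"], SAMPLE["nonce"], SAMPLE["timestamp"], SAMPLE["callback"])
    return signature_base_string(SAMPLE["method"], SAMPLE["url"], params)


def sample_header() -> str:
    return oauth1_header(**SAMPLE)


if __name__ == "__main__":
    print(sample_base_string())
    print("Authorization:", sample_header())
```

Because oauth_nonce and oauth_timestamp must change on every request, a fixed Raw value only suits schemes whose header is static, such as an API key. For a per-request signature like this one, something has to run this computation for each call and feed the result into the value property, and the receiving side should also reject reused nonces and stale timestamps, which the verify function above deliberately leaves to the caller.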

Managed identity authentication

If the Managed Identity option is available, your logic app can use its system-assigned identity, or a single user-assigned identity that you created, to authenticate access to resources that are protected by Azure Active Directory (Azure AD) without signing in. Azure manages this identity for you and helps secure your credentials because you don't have to provide or rotate secrets. Learn more about Azure services that support managed identities for Azure AD authentication.

  1. Before your logic app can use a managed identity, follow the steps in Authenticate access to Azure resources by using managed identities in Azure Logic Apps. These steps enable the managed identity on your logic app and set up that identity's access to the target Azure resource.

  2. Before an Azure function can use a managed identity, first enable authentication for Azure functions.

  3. In the trigger or action where you want to use the managed identity, specify these property values:

     | Property (designer) | Property (JSON) | Required | Value | Description |
     |---|---|---|---|---|
     | Authentication | type | Yes | Managed Identity or ManagedServiceIdentity | The authentication type to use |
     | Managed Identity | identity | Yes | System Assigned Managed Identity or SystemAssigned, or <user-assigned-identity-name> | The managed identity to use |
     | Audience | audience | Yes | <target-resource-ID> | The resource ID for the target resource that you want to access. For example, https://storage.azure.com/ makes the access tokens for authentication valid for all storage accounts. However, you can also specify a root service URL, such as https://fabrikamstorageaccount.blob.core.windows.net, for a specific storage account. |

     Note: The Audience property might be hidden in some triggers or actions. To make this property visible, in the trigger or action, open the Add new parameter list, and select Audience.

     Important: Make sure that this target resource ID exactly matches the value that Azure AD expects, including any required trailing slashes. For example, the https://storage.azure.com/ resource ID for all Azure Blob Storage accounts requires a trailing slash, but the resource ID for a specific storage account doesn't. To find these resource IDs, see Azure services that support Azure AD.

     When you use secured parameters to handle and protect sensitive information, for example, in an Azure Resource Manager template for automating deployment, you can use expressions to access these parameter values at runtime. This example HTTP action definition specifies the authentication type as ManagedServiceIdentity and uses the parameters() function to get the endpoint URL; note that no secret appears anywhere in the definition:

     "HTTP": {
        "type": "Http",
        "inputs": {
           "method": "GET",
           "uri": "@parameters('endpointUrlParam')",
           "authentication": {
              "type": "ManagedServiceIdentity",
              "identity": "SystemAssigned",
              "audience": "https://management.azure.com/"
           }
        },
        "runAfter": {}
     }
    

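The sections above repeat the same two rules for every authentication type: secret-bearing properties (password, pfx, secret, and the Raw value) should be @parameters() references to securestring parameters rather than literals, and a managed identity audience must match the value Azure AD expects, trailing slash included. The following Python script is an added example, not part of this page or of Azure Logic Apps, that checks a workflow definition for both rules before deployment. The sample definition at the bottom is constructed for the example; the set of audiences that require a trailing slash is assumed from the audiences used in this topic, and the recursion into nested actions and else branches is an assumption about how scoped actions are laid out.

```python
import json
import re

# Secret-bearing fields of an "authentication" object, keyed by the JSON type
# names that this topic's HTTP action definitions use.
SECRET_FIELDS = {
    "Basic": ("password",),
    "ClientCertificate": ("pfx", "password"),
    "ActiveDirectoryOAuth": ("secret", "pfx", "password"),
    "Raw": ("value",),
    "ManagedServiceIdentity": (),
}

# Audiences used in this topic that Azure AD expects with a trailing slash
# (assumed list, drawn from the examples above).
SLASH_AUDIENCES = {
    "https://storage.azure.com",
    "https://management.azure.com",
    "https://management.core.windows.net",
}

SECURE_TYPES = ("securestring", "secureobject")
_PARAM_REF = re.compile(r"^@parameters\('([^']+)'\)$")


def _walk(container, prefix=""):
    """Yield (path, step) for each trigger or action, descending into scopes."""
    for name, step in (container or {}).items():
        path = prefix + name
        yield path, step
        yield from _walk(step.get("actions"), path + "/")
        yield from _walk((step.get("else") or {}).get("actions"), path + "/else/")


def lint_definition(definition):
    """Return one finding per problem; an empty list means the definition is clean."""
    findings = []
    params = definition.get("parameters") or {}
    steps = list(_walk(definition.get("triggers"))) + list(_walk(definition.get("actions")))
    for path, step in steps:
        auth = (step.get("inputs") or {}).get("authentication")
        if not isinstance(auth, dict):
            continue
        atype = auth.get("type")
        if atype not in SECRET_FIELDS:
            findings.append(f"{path}: unrecognized authentication type {atype!r}")
            continue
        for field in SECRET_FIELDS[atype]:
            value = auth.get(field)
            if value is None:
                continue
            ref = _PARAM_REF.match(str(value))
            if ref is None:
                findings.append(f"{path}: {atype} '{field}' is a literal, not an @parameters() reference")
                continue
            pname = ref.group(1)
            ptype = (params.get(pname) or {}).get("type")
            if ptype not in SECURE_TYPES:
                findings.append(f"{path}: parameter '{pname}' used for '{field}' is typed {ptype!r}, not securestring")
        if atype == "ManagedServiceIdentity":
            audience = str(auth.get("audience", ""))
            if audience.rstrip("/") in SLASH_AUDIENCES and not audience.endswith("/"):
                findings.append(f"{path}: audience '{audience}' needs a trailing slash")
    return findings


def lint_json(text):
    """Same check for a definition held as JSON text (for example, read from a file)."""
    return lint_definition(json.loads(text))


def _http(auth, uri="https://example.invalid/api"):
    # Helper that builds a minimal HTTP action around an authentication object.
    return {"type": "Http", "inputs": {"method": "GET", "uri": uri, "authentication": auth}, "runAfter": {}}


# Constructed sample definition (not from the page): the first action follows
# the topic's advice; the other three each break one rule.
SAMPLE_DEFINITION = {
    "contentVersion": "1.0.0.0",
    "parameters": {
        "userNameParam": {"type": "securestring"},
        "passwordParam": {"type": "securestring"},
        "legacyPasswordParam": {"type": "string"},
    },
    "triggers": {"manual": {"type": "Request", "kind": "Http", "inputs": {"schema": {}}}},
    "actions": {
        "Good_Basic": _http({"type": "Basic", "username": "@parameters('userNameParam')",
                             "password": "@parameters('passwordParam')"}),
        "Literal_Raw": _http({"type": "Raw", "value": "Bearer hard-coded-token"}),
        "Plain_Param": _http({"type": "Basic", "username": "svc",
                              "password": "@parameters('legacyPasswordParam')"}),
        "Msi_No_Slash": _http({"type": "ManagedServiceIdentity", "identity": "SystemAssigned",
                               "audience": "https://storage.azure.com"},
                              uri="https://fabrikamstorageaccount.blob.core.windows.net/container/blob"),
    },
}


if __name__ == "__main__":
    for finding in lint_definition(SAMPLE_DEFINITION):
        print(finding)
```

Run it against the definition object of a Microsoft.Logic/workflows resource (the value of properties.definition in the template) as part of the pipeline that deploys the template; a non-empty result should fail the build. The check is deliberately conservative: it reports a literal in any secret-bearing field even when that literal is itself an expression, because only the @parameters() form guarantees the value is supplied at deployment time rather than stored in the definition.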
Next steps