Is your feature request related to a problem? Please describe.
Add support for user assigned identity
Describe the solution you'd like
Describe alternatives you've considered
Portal
Additional context
Add any other context or screenshots about the feature request here.
cc/ @ankitkumarr @panchagnula @mattchenderson @Hamster-Huey
Reported by a user: https://twitter.com/codehova/status/1148061808592187392
I think we understand the fix that is needed here.
We need to add the --identities parameter and an enum to list [System|User]
Moving this by a sprint
@btardif I moved this to backlog - since we don't have time or resources to work on this currently - something we need to look at during our planning.
@ahmedelnably we don't have an ETA on this -if there is an urgency for this, this needs to be reassigned. Thank you.
@mattchenderson for FYI
+1 would love for azure cli to not be months out of sync with portal and arm capabilities 😅
Any update on this in 2020?
Would be great to bump this up. Not having this breaks the CLI-only flow. Dev is required to switch context to the portal, ARM, or use the workaround below.
Here's a workaround:
az identity create -n {name} -g {resource_group}
https://docs.microsoft.com/en-us/cli/azure/identity?view=azure-cli-latest#az-identity-create
az resource list -n {name} to get the resource id
https://docs.microsoft.com/en-us/cli/azure/resource?view=azure-cli-latest#az-resource-list
az resource update to directly update the resource's assigned identity
az resource update -n {functionappname} -g {resource_group} --resource-type "Microsoft.Web/sites" --set identity="{\"type\": \"UserAssigned\", \"userAssignedIdentities\": {\"<user assigned identity resource path>\": {}}}"
Full example:
az resource update -n jongfuncblob2 -g jongrg4 --resource-type "Microsoft.Web/sites" --set identity="{\"type\": \"UserAssigned\", \"userAssignedIdentities\": {\"/subscriptions/-aa79-488b-b37b-d6e892009fdf/resourceGroups/jongrg4/providers/Microsoft.ManagedIdentity/userAssignedIdentities/jonguserassignedmi\": {}}}"
https://docs.microsoft.com/en-us/cli/azure/resource?view=azure-cli-latest#az-resource-update
BIG WARNING WITH THIS: The az resource update command will overwrite whatever you have in that property - so make sure you get the property first, manually merge, and then write the new values.
For example, if you already have a systemAssigned Identity like this:
{
"id": "/subscriptions/-aa79-488b-b37b-d6e892009fdf/resourceGroups/jongrg4/providers/Microsoft.Web/sites/jongfuncblob2",
"identity": {
"principalId": "-24cd-49e9-9441-1edca4c57e07",
"tenantId": "-86f1-41af-91ab-2d7cd011db47",
"type": "SystemAssigned",
"userAssignedIdentities": null
},
"kind": "functionapp,linux,container",
"location": "westus2",
"managedBy": null,
"name": "jongfuncblob2",
"plan": null,
"properties": null,
"resourceGroup": "jongrg4",
"sku": null,
"tags": {},
"type": "Microsoft.Web/sites"
}
And you run the above command to set the userAssigned identity, then you will overwrite that and turn off the system assigned identity.
{
"id": "/subscriptions/-aa79-488b-b37b-d6e892009fdf/resourceGroups/jongrg4/providers/Microsoft.Web/sites/jongfuncblob2",
"identity": {
"principalId": null,
"tenantId": null,
"type": "UserAssigned",
"userAssignedIdentities": {
"/subscriptions/-aa79-488b-b37b-d6e892009fdf/resourcegroups/jongrg4/providers/Microsoft.ManagedIdentity/userAssignedIdentities/jonguserassignedmi": {
"clientId": "-3257-4696-a41b-d66d782cd409",
"principalId": "-634d-4b03-a31b-6fb820709bd8"
}
}
},
"kind": "functionapp,linux,container",
"location": "westus2",
"managedBy": null,
"name": "jongfuncblob2",
"plan": null,
"properties": null,
"resourceGroup": "jongrg4",
"sku": null,
"tags": {},
"type": "Microsoft.Web/sites"
}
I created a new issue to track the refactoring of --assign-identity and identity assign. https://github.com/Azure/azure-cli/issues/12217
That refactor needs to be completed before this can be implemented.
Spec:
When creating a resource the --assign-identity parameter must allow a user to specify whether they want a system-assigned identity and/or one or many user-assigned identities.
We need to add this functionality for
This behavior should be modeled after the way that az vm create --assign-identity works because it handles the logic correctly.
See the --assign-identity command here: https://docs.microsoft.com/en-us/cli/azure/vm?view=azure-cli-latest#optional-parameters
and its implementation here: https://github.com/Azure/azure-cli/blob/1174a3350fad3f308688fd37c9dacf12b7afa044/src/azure-cli/azure/cli/command_modules/vm/custom.py#L523 in the assign_vm_identity method.
After a resource is created, the associated identity can be managed via the identity assign command.
This should also be modeled after the way az vm identity works: https://docs.microsoft.com/en-us/cli/azure/vm/identity?view=azure-cli-latest
We create new app service slots on the fly, and this issue tripped me up today. Microsoft offers the functionality in the Powershell Az modules (https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet#add-a-user-assigned-identity), so I assume there is an API for this.
As it is now, our developers and deployment pipelines using something other than Powershell cannot create a slot with the correct identity (to access for example corresponding key vaults). Please introduce a way to assign a UserAssigned identity to an app service or app service slot.
@devbeard You can assign an identity by doing a resource patch à la:
az resource update --ids "/subscriptions/$(subscriptionId)/resourceGroups/$(resourceGroup)/providers/Microsoft.Web/sites/$(AppName)/slots/$(SlotName)" --resource-type "Microsoft.Web/sites" --set identity="{\"type\": \"UserAssigned\", \"userAssignedIdentities\": {\"/subscriptions/$(subscriptionId)/resourceGroups/$(resourceGroup)/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$(IdentityName)\": {}}}"
It isn't pretty, but once you break it down, it's pretty simple.
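Both workarounds in this thread (the `az resource update --set identity=...` call for the function app above, and the same patch against a slot resource ID in the previous reply) share the overwrite hazard called out in the BIG WARNING: `--set identity=` replaces the whole identity block, so a pre-existing system-assigned identity is silently turned off. The following is an added example, not code from the azure-cli project or from anyone in this thread. It reads the identity block you already have (as returned by `az resource show`), merges the new user-assigned identity into it instead of replacing it, and builds the `az resource update` argv. The subscription, principal and tenant GUIDs in the sample are placeholders, and `merge_user_assigned` / `build_update_argv` are names chosen here, not CLI commands.

```python
# Added example (not azure-cli code): merge a user-assigned identity into an
# existing identity block instead of overwriting it, then build the
# `az resource update --ids ... --set identity=<json>` command line.
import json
import shlex

# Constructed sample: the shape `az resource show` returns for a site that
# already has only a system-assigned identity. GUIDs are placeholders.
SAMPLE_SYSTEM_ONLY = {
    "principalId": "00000000-0000-0000-0000-000000000001",
    "tenantId": "00000000-0000-0000-0000-000000000002",
    "type": "SystemAssigned",
    "userAssignedIdentities": None,
}

# Hypothetical resource IDs (placeholders, not real resources).
SITE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
           "/resourceGroups/jongrg4/providers/Microsoft.Web/sites/jongfuncblob2")
UAMI_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
           "/resourceGroups/jongrg4/providers/Microsoft.ManagedIdentity"
           "/userAssignedIdentities/jonguserassignedmi")


def merge_user_assigned(identity, uami_resource_id):
    """Return a new identity block that adds uami_resource_id.

    - A SystemAssigned identity already present is kept; the combined type
      string ARM expects is "SystemAssigned, UserAssigned".
    - User-assigned identities already present are kept.
    - Every user-assigned entry is sent as {}: clientId/principalId in the
      returned block are read-only outputs, not inputs.
    - ARM returns the resource ID keys with inconsistent casing
      (e.g. "resourcegroups"), so duplicates are detected case-insensitively.
    """
    identity = identity or {}
    current_type = identity.get("type") or "None"
    parts = {p.strip() for p in current_type.split(",")} - {"None"}
    existing = identity.get("userAssignedIdentities") or {}

    uamis = {rid: {} for rid in existing}
    if uami_resource_id.lower() not in {rid.lower() for rid in existing}:
        uamis[uami_resource_id] = {}

    parts.add("UserAssigned")
    new_type = ", ".join(p for p in ("SystemAssigned", "UserAssigned") if p in parts)
    return {"type": new_type, "userAssignedIdentities": uamis}


def build_update_argv(resource_id, identity):
    """argv for `az resource update`, with the merged identity as JSON.

    Passing a list to subprocess avoids the quoting gymnastics of the
    one-liner in the thread; `shlex.join` is only used to print it.
    """
    return [
        "az", "resource", "update",
        "--ids", resource_id,
        "--set", "identity=" + json.dumps(identity, separators=(",", ":")),
    ]


if __name__ == "__main__":
    # In practice `current` comes from:
    #   az resource show --ids "$SITE_ID" --query identity -o json
    current = SAMPLE_SYSTEM_ONLY
    merged = merge_user_assigned(current, UAMI_ID)
    print(shlex.join(build_update_argv(SITE_ID, merged)))
```

Run the `az resource show` query first, feed its `identity` object to `merge_user_assigned`, and only then issue the update; the printed command is safe to paste into a shell because `shlex.join` quotes the JSON argument. The same function works for a slot: pass the `/slots/{name}` resource ID as `resource_id`.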
@devbeard this is being worked on, workaround here: https://github.com/Azure/azure-cli/issues/9887#issuecomment-580840084
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @AzureAppServiceCLI, @antcp.
This has been resolved. Please upgrade to latest version of CLI.