Azure-webjobs-sdk: use Managed service identity with service bus

Created on 28 May 2019 · 6 Comments · Source: Azure/azure-webjobs-sdk

Hi,
I'm trying to use managed service identity with Azure functions with Azure service bus queues as the trigger. However, it looks like Azure functions do not currently support integration with managed system identity.

Repro steps

Provide the steps required to reproduce the problem

  1. Create a Function in Azure with Azure service bus as trigger

Expected behavior

Provide a description of the expected behavior.
Expected to see managed service identity to authenticate to azure service bus without having to specify connection string.

Actual behavior

The function requires us to specify namespace and policy then it proceeds to download the connection string. There is no way to specify that we want to use managed service identity instead of connection string

Known workarounds

Use connection strings based authentication

Related information

Provide any related information

  • Package version
  • Links to source
Feature

All 6 comments

Another workaround is to store the connection strings in Key Vault and use managed service identity with the key vault. Then you can add a Key Vault provider to your configuration. Using the new DI pattern, you can create a singleton of the configuration and set up a scheduled trigger to refresh the Key Vault settings. I actually am finishing up a blog that proves this pattern.

I'm also interested in this feature but I don't figure out how you can use a KeyVault with a trigger.
Each trigger has a "connectionstring" attribute and in the source code I didn't see anything about managed identity.

It's pretty simple. Using the new DI, register a singleton of IConfiguration. Register Key Vault (https://docs.microsoft.com/en-us/aspnet/core/security/key-vault-configuration) as a provider. Store the connection string in your secrets and grant the function access using either managed identity or a certificate.

Ok. I got it. You inject in the merged configuration the connection string and in the trigger it's just a reference.

Thank you very much
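
The workaround discussed in the comments above, as an added example (not code from this thread or from the azure-webjobs-sdk project): a Functions startup class that merges Key Vault secrets, fetched with the app's managed identity, into `IConfiguration`, and a Service Bus trigger that refers to the connection only by key name. The `Example` namespace, the `KeyVaultUri` app setting, the `ServiceBusConnection` secret name and the `orders` queue are assumptions, and the example uses the `Microsoft.Extensions.Configuration.AzureKeyVault` and `Microsoft.Azure.Services.AppAuthentication` packages.

```csharp
using System;
using System.Linq;
using Microsoft.Azure.Functions.Extensions.DependencyInjection;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Azure.WebJobs;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureKeyVault;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection.Extensions;
using Microsoft.Extensions.Logging;

[assembly: FunctionsStartup(typeof(Example.Startup))]

namespace Example // hypothetical namespace
{
    public class Startup : FunctionsStartup
    {
        public override void Configure(IFunctionsHostBuilder builder)
        {
            // Keep whatever configuration the host already registered, if it is an instance.
            var existing = builder.Services
                .FirstOrDefault(d => d.ServiceType == typeof(IConfiguration))
                ?.ImplementationInstance as IConfiguration;
            // Assumed app setting holding the vault URI; the URI itself is not a secret.
            var vaultUri = Environment.GetEnvironmentVariable("KeyVaultUri")
                ?? throw new InvalidOperationException("KeyVaultUri app setting is missing");
            // The managed identity obtains the Key Vault token; no credential is stored.
            var keyVault = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(
                new AzureServiceTokenProvider().KeyVaultTokenCallback));
            var configBuilder = new ConfigurationBuilder();
            if (existing != null) configBuilder.AddConfiguration(existing);
            var merged = configBuilder.AddEnvironmentVariables()
                .AddAzureKeyVault(vaultUri, keyVault, new DefaultKeyVaultSecretManager())
                .Build();
            builder.Services.Replace(ServiceDescriptor.Singleton<IConfiguration>(merged));
        }
    }

    public static class QueueHandler
    {
        // "ServiceBusConnection" is only a key name: the value comes from the Key Vault
        // secret of that name in the merged configuration, not from an app setting.
        [FunctionName("QueueHandler")]
        public static void Run(
            [ServiceBusTrigger("orders", Connection = "ServiceBusConnection")] string message,
            ILogger log) => log.LogInformation("Received message of length {Length}", message.Length);
    }
}
```

The function's identity needs Get and List permission on the vault's secrets for the provider to load them. A Service Bus connection string still exists with this pattern; it is stored in Key Vault instead of in app settings.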

Is there anything in the roadmap for service bus trigger to support managed identity natively?

There is a uservoice issue tracking this here: https://feedback.azure.com/forums/355860-azure-functions/suggestions/37907848-support-for-azure-managed-service-identities-in-ev

Also see this comment: https://github.com/MicrosoftDocs/azure-docs/issues/34826#issuecomment-510005304.

This work is not planned yet and we have no ETA.
