Azure-webjobs-sdk: [Feature Request] Support Managed Identity auth for AzureWebJobsDashboard and AzureWebJobsStorage

Created on 4 Nov 2019 · 5 comments · Source: Azure/azure-webjobs-sdk

Currently we set up connection strings for AzureWebJobsStorage, AzureWebJobsDashboard and WEBSITE_CONTENTAZUREFILECONNECTIONSTRING. It would be great if we could give the managed identity for the function or web app permissions to the appropriate storage account and just provide storage account names here.

While there are security benefits around the managed identity, it's also a nice thing around the configuration of, say, an Azure Function app, where in ARM I currently have the same key retrieval three times as:

"AzureWebJobsDashboard": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountResourceId'),'2015-05-01-preview').key1)]",
"AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountResourceId'),'2015-05-01-preview').key1)]",
"WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountResourceId'),'2015-05-01-preview').key1)]",

For migration, maybe a check for a new configuration variable say ManagedAzureWebJobsStorageAccountName or similar and fallback to storage connection string config and maybe make them mutually exclusive. When this is set, use the managed identity auth and appropriate storage account name from this string config value.

It seems the first place might be in StorageAccountOptions.cs and go from there.

I'd be happy to contribute towards making this happen but open to discussion around its downsides, implementation guidance, etc.
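The migration logic sketched above (a new account-name setting, fallback to the existing connection string, the two mutually exclusive) could look like the following. This is an added example, not code from azure-webjobs-sdk or from the linked PR; the setting name ManagedAzureWebJobsStorageAccountName is the hypothetical one proposed in this issue, while DefaultAzureCredential, BlobServiceClient and QueueServiceClient are the real Azure SDK types (Azure.Identity, Azure.Storage.Blobs, Azure.Storage.Queues).

```csharp
// Added example (not part of azure-webjobs-sdk): resolve the WebJobs storage
// clients either from an account name + managed identity, or from the legacy
// AzureWebJobsStorage connection string. The two settings are mutually exclusive.
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using Azure.Core;
using Azure.Identity;
using Azure.Storage.Blobs;
using Azure.Storage.Queues;

public sealed class WebJobsStorageClients
{
    public BlobServiceClient Blobs { get; }
    public QueueServiceClient Queues { get; }

    public WebJobsStorageClients(BlobServiceClient blobs, QueueServiceClient queues)
    {
        Blobs = blobs;
        Queues = queues;
    }
}

public static class WebJobsStorageResolver
{
    // Hypothetical setting proposed in this issue: account name only, no key.
    public const string AccountNameSetting = "ManagedAzureWebJobsStorageAccountName";
    // Existing setting: full connection string carrying a shared AccountKey.
    public const string ConnectionStringSetting = "AzureWebJobsStorage";

    // Azure storage account names are 3-24 lowercase letters and digits. Validating
    // the value before building a URI keeps a malformed or hostile setting from
    // pointing the client at an unexpected host.
    private static readonly Regex AccountNamePattern = new Regex("^[a-z0-9]{3,24}$");

    public static WebJobsStorageClients Resolve(
        IReadOnlyDictionary<string, string> config,
        TokenCredential credential = null)
    {
        config.TryGetValue(AccountNameSetting, out var accountName);
        config.TryGetValue(ConnectionStringSetting, out var connectionString);

        bool hasName = !string.IsNullOrWhiteSpace(accountName);
        bool hasConn = !string.IsNullOrWhiteSpace(connectionString);

        if (hasName && hasConn)
            throw new InvalidOperationException(
                $"{AccountNameSetting} and {ConnectionStringSetting} are mutually exclusive; set only one.");
        if (!hasName && !hasConn)
            throw new InvalidOperationException(
                $"Either {AccountNameSetting} or {ConnectionStringSetting} must be set.");

        if (hasName)
        {
            if (!AccountNamePattern.IsMatch(accountName))
                throw new InvalidOperationException(
                    $"{AccountNameSetting} is not a valid storage account name.");

            // Managed identity path: no secret in configuration. DefaultAzureCredential
            // tries environment variables, then the managed identity endpoint, then
            // developer credentials (Azure CLI, etc.) for local runs.
            credential ??= new DefaultAzureCredential();
            var blobUri = new Uri($"https://{accountName}.blob.core.windows.net");
            var queueUri = new Uri($"https://{accountName}.queue.core.windows.net");
            return new WebJobsStorageClients(
                new BlobServiceClient(blobUri, credential),
                new QueueServiceClient(queueUri, credential));
        }

        // Fallback path: the existing shared-key connection string.
        return new WebJobsStorageClients(
            new BlobServiceClient(connectionString),
            new QueueServiceClient(connectionString));
    }
}
```

For the managed identity path the app's identity needs data-plane role assignments on the account (Storage Blob Data Contributor and Storage Queue Data Contributor cover the blob and queue usage shown), so the storage account key never has to appear in app settings or in an ARM listKeys() expression. DefaultAzureCredential obtains managed identity tokens from the local identity endpoint, so no tenant ID has to be configured for that path.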

All 5 comments

I put in a PR a while back - I will dust it off and update it again. This works for my scenario where I am running a Function inside K8s using aad-pod-identity - https://github.com/Azure/azure-webjobs-sdk/pull/2344

That's great @ross-p-smith, has there been any interest in the PR? I'm curious why the tenant ID needs to be specified explicitly - for instance it's not required when using KeyVault with Managed Identity.

We just were looking for exactly this feature. We're using managed identity for all other cases (DB, Web Apps) in our project, and naturally expected to be able to do the same with web jobs.

This issue has been identified and has been here for a long time and a PR has been raised for the same, hence closing this issue. Please feel free to open a new issue if there are any queries regarding any feature

I vote to reopen.
