Fetch a package from Azure Blob Storage using a managed identity only works in consumption plan
Fetch a package from Azure Blob Storage using a managed identity only works in consumption plan. Not supported in Basic or Premium tiers.
Documentation reference:
https://docs.microsoft.com/en-us/azure/azure-functions/run-functions-from-deployment-package#fetch-a-package-from-azure-blob-storage-using-a-managed-identity
https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Cdotnet#using-the-rest-protocol
I suspect it is because the following environment variables are not available in Kudu:
/home>env | grep IDENTITY_*
IDENTITY_ENDPOINT=[Managed identity has been configured. This value is not viewable in Kudu but is exposed to the app.]
IDENTITY_HEADER=[Managed identity has been configured. This value is not viewable in Kudu but is exposed to the app.]
/home>env | grep ^MSI
MSI_ENDPOINT=[Managed identity has been configured. This value is not viewable in Kudu but is exposed to the app.]
MSI_SECRET=[Managed identity has been configured. This value is not viewable in Kudu but is exposed to the app.]
/home>grep Failed ./LogFiles/*_docker.log | head -1
./LogFiles/2022_06_27_XXXXXX_docker.log:2022-06-27T14:15:12.018Z ERROR - RunFromPackage> Failed to download package from https://XXXXX.blob.core.windows.net/deploy-packages/run-from-package/custom-handler.zip. Return code: 1
/home>env | grep ^WEBSITE_RUN_FROM_PACKAGE
WEBSITE_RUN_FROM_PACKAGE=https://XXXXX.blob.core.windows.net/deploy-packages/run-from-package/custom-handler.zip
WEBSITE_RUN_FROM_PACKAGE_BLOB_MI_RESOURCE_ID=/subscriptions/XXXXX/resourceGroups/XXXXX/providers/Microsoft.ManagedIdentity/userAssignedIdentities/XXXXX
Please provide the following:
- Timestamp: Mon Jun 27 03:59:43 PM UTC 2022
- Function App version: 4
- Region: East US
Expected behavior
Successful deployment from a package in Azure Blob Storage using a managed identity, as when using the consumption plan.
Actual behavior
Works only in the consumption plan.
Known workarounds
Use the SAS token in WEBSITE_RUN_FROM_PACKAGE.
Related information
Possible related discussions:
https://docs.microsoft.com/en-us/answers/questions/380576/managedidentitycredential-authentication-unavailab.html
https://github.com/Azure/azure-sdk-for-python/issues/23406
https://social.msdn.microsoft.com/Forums/azure/en-US/23087180-1820-469d-a771-cff4b6283985/enabling-system-assigned-identity-for-an-app-service-doesnt-populate-msiendpoint-msisecret?forum=windowsazurewebsitespreview
Hi @shinji, could you please provide repro steps?
Hi @Ved2806,
- Create a Linux Service Plan with the Basic or Premium tier.
- Create a Storage Account and container.
- Upload the ZIP package with the custom handler to the container.
- Create a User-Assigned Managed Identity.
- Create the following role assignments for the User-Assigned Managed Identity in the Storage Account: "Storage Blob Data Owner", "Storage Account Contributor", "Storage Queue Data Contributor", "Storage Blob Data Contributor", "Storage Table Data Contributor", "Storage Account Key Operator Service Role", "Reader and Data Access".
- Create a Function associated with the previously created Service Plan.
- Add the User-Assigned Managed Identity to the Function.
- Configure the Function to authenticate to the Blob Storage APIs using the User-Assigned Managed Identity: WEBSITE_RUN_FROM_PACKAGE_BLOB_MI_RESOURCE_ID=<User-Assigned Managed Identity ID>
- Configure the Function with the following parameter to run the custom handler from a package stored in the Blob Storage container: WEBSITE_RUN_FROM_PACKAGE=<Package URL>
Current result: the Function never starts correctly.
To make it work, just repeat everything and only change to a Linux Service Plan with the Consumption tier.
Regards
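A diagnostic for the suspicion raised in the issue, added here as an example and not code from the issue, from Azure Functions or from the reporter: it checks for the identity variables the platform injects into the app process and then performs the App Service token request described in the linked managed-identity REST protocol documentation (IDENTITY_ENDPOINT with the X-IDENTITY-HEADER header, api-version 2019-08-01, mi_res_id selecting the user-assigned identity) followed by the bearer-authenticated blob GET that would replace a SAS download. The injectable http_get hook and the x-ms-version value are my assumptions; the sample environment in the test is constructed.

```python
import json
import urllib.parse
import urllib.request

# Variable pairs the App Service platform injects for managed identity (the
# issue shows them present for the app but masked in Kudu); MSI_* is the legacy pair.
IDENTITY_VARS = ("IDENTITY_ENDPOINT", "IDENTITY_HEADER")
LEGACY_VARS = ("MSI_ENDPOINT", "MSI_SECRET")
STORAGE_RESOURCE = "https://storage.azure.com/"

def identity_status(env):
    """Which identity endpoint flavour env exposes, or None when neither pair is set."""
    if all(env.get(v) for v in IDENTITY_VARS):
        return "identity_endpoint"
    if all(env.get(v) for v in LEGACY_VARS):
        return "msi_endpoint"
    return None

def build_token_request(env, mi_resource_id=None):
    """Token request per the App Service REST protocol (api-version 2019-08-01).
    mi_res_id selects the user-assigned identity, the same resource ID that
    WEBSITE_RUN_FROM_PACKAGE_BLOB_MI_RESOURCE_ID carries in the issue."""
    params = {"resource": STORAGE_RESOURCE, "api-version": "2019-08-01"}
    if mi_resource_id:
        params["mi_res_id"] = mi_resource_id
    url = env["IDENTITY_ENDPOINT"] + "?" + urllib.parse.urlencode(params)
    return url, {"X-IDENTITY-HEADER": env["IDENTITY_HEADER"]}

def build_blob_request(package_url, access_token):
    """Blob GET with a bearer token instead of a SAS; x-ms-version (assumed value) is required for OAuth."""
    return package_url, {"Authorization": "Bearer " + access_token, "x-ms-version": "2020-04-08"}

def fetch_package(env, package_url, mi_resource_id=None, http_get=None):
    """Download the package bytes via managed identity, failing early (with the
    reason) when the endpoint is absent; http_get(url, headers) -> bytes is an
    assumed, injectable hook so the flow can be exercised offline."""
    if identity_status(env) != "identity_endpoint":
        raise RuntimeError("IDENTITY_ENDPOINT/IDENTITY_HEADER not set: managed identity unavailable")
    http_get = http_get or _urlopen_get
    token_url, token_headers = build_token_request(env, mi_resource_id)
    token = json.loads(http_get(token_url, token_headers))["access_token"]
    return http_get(*build_blob_request(package_url, token))

def _urlopen_get(url, headers):
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        return resp.read()
```

Run identity_status(os.environ) from inside the Function App itself rather than from Kudu, where the values are masked, to learn whether the Basic/Premium plan exposes the endpoint at all. The seven role assignments in the repro are far broader than a package read needs; the linked documentation asks only for Storage Blob Data Reader on the package's storage account.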
This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.