azure-functions-core-tools

Support publish when using ManagedIdentity for AzureWebJobsStorage and Run From Package = 1

Open pragnagopa opened this issue 4 years ago • 11 comments

Tracking item for "secretless" work. This needs to be addressed in the Core Tools publish flow for all the SKUs:

  • Windows Dedicated/EP/Consumption
  • Linux Dedicated/EP
  • Linux Consumption

Currently, clients upload locally built app content blobs to storage using the connection string specified in AzureWebJobsStorage. When running in secretless mode, this app setting will not be present.

TODO: Need to figure out a design to address this via Kudu or Client Tooling changes

pragnagopa avatar Aug 13 '21 16:08 pragnagopa

cc @balag0 @mattchenderson

@fabiocav / @AnatoliB - let's discuss offline to find an owner for this WI

pragnagopa avatar Aug 13 '21 16:08 pragnagopa

@pragnagopa do you plan on adding more context here? I'll move this to triaged in the meantime as the scope of the work here isn't clear.

fabiocav avatar Aug 18 '21 20:08 fabiocav

@fabiocav - added more details and assigned to Sprint 108 to find an owner. Thanks!

pragnagopa avatar Aug 19 '21 14:08 pragnagopa

cc @karshinlin as FYI

pragnagopa avatar Aug 19 '21 14:08 pragnagopa

Related issues:

  • Azure/Azure-Functions#2222

pragnagopa avatar Aug 19 '21 16:08 pragnagopa

If a Function App uses Azure Files + ManagedIdentity - remote build will not work as mounting Azure Files with ManagedIdentity is not supported yet. @mattchenderson - please add related work item on storage for this.

pragnagopa avatar Aug 19 '21 19:08 pragnagopa

Adding notes from offline conversation with @balag0

When not using Azure Files but using Managed Identity for AzureWebJobsStorage

az functionapp deployment should default to remote build. As the app is not using Azure Files, if using Run from package =1, content will upload to data\sitePackages - Windows Consumption, Dedicated, Linux Dedicated.

When using Azure Files but using Managed Identity for AzureWebJobsStorage

  • Remote build does not work without Key Vault references or full connection string. This is currently blocked on Azure Files supporting mounting via Managed Identity.

pragnagopa avatar Aug 19 '21 19:08 pragnagopa

Work involved

  • Publish flow should detect Managed Identity is being used for AzureWebJobsStorage and default to remote build --> Note this will only work if the App is not using Azure Files + Managed Identity

pragnagopa avatar Aug 19 '21 19:08 pragnagopa
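
The detection described in the notes and the "Work involved" item above can be sketched as a decision over the app's settings. This is an added example, not Core Tools code and not written by anyone in the thread. The function names and mode labels are hypothetical, and the setting names other than AzureWebJobsStorage do not appear in the issue; they are the platform's documented settings for identity-based storage and Azure Files content.

```python
# Added example, not Core Tools code. Function names and mode labels are hypothetical.
# Setting names other than AzureWebJobsStorage are not on the page (assumption: the
# platform's documented identity-based storage and Azure Files content settings).
IDENTITY_SUFFIXES = ("__accountName", "__blobServiceUri", "__queueServiceUri")
FILES_CONN = "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING"
FILES_SHARE = "WEBSITE_CONTENTSHARE"


def _value(settings, name):
    """Trimmed setting value, or '' when the setting is missing or null."""
    return (settings.get(name) or "").strip()


def uses_managed_identity_storage(settings):
    """Secretless mode: no AzureWebJobsStorage value, but identity-based keys are set."""
    if _value(settings, "AzureWebJobsStorage"):
        return False
    return any(_value(settings, "AzureWebJobsStorage" + s) for s in IDENTITY_SUFFIXES)


def azure_files_without_secret(settings):
    """A content share is configured with no connection string or Key Vault reference."""
    return bool(_value(settings, FILES_SHARE)) and not _value(settings, FILES_CONN)


def choose_publish_mode(settings):
    """Return (mode, reason) for a publish, following the rules in the notes above."""
    if _value(settings, "AzureWebJobsStorage"):
        return "storage-upload", "connection string available for the blob upload"
    if not uses_managed_identity_storage(settings):
        return "blocked", "no AzureWebJobsStorage connection of any kind"
    if azure_files_without_secret(settings):
        return "blocked", "Azure Files cannot be mounted via Managed Identity"
    return "remote-build", "Managed Identity storage, Azure Files absent or has a secret"


if __name__ == "__main__":
    # Constructed sample settings, not taken from a real app.
    sample = {
        "AzureWebJobsStorage__accountName": "examplestorage",
        "WEBSITE_RUN_FROM_PACKAGE": "1",
    }
    print(choose_publish_mode(sample))
```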

@pragnagopa -- is this something that you want assigned to the Runtime team? Or did you have someone in mind to take this item?

brettsam avatar Sep 01 '21 20:09 brettsam

@pragnagopa we may need to sync with @AnatoliB for assignment here (or someone on the team while he is OOF). I'll follow up offline.

fabiocav avatar Sep 15 '21 20:09 fabiocav

Any update to provide?

jbpaux avatar Sep 13 '22 08:09 jbpaux