Azure Event Grid Using a System-Assigned Managed Identity Example
What content needs to be created or modified?
I have looked at the Event Grid binding spec but do not understand which fields are or are not required when using a managed identity.
Describe the solution you'd like
I would love to see an example for an Azure Event Grid binding using a managed identity.
Where should the new material be placed?
I believe it would be best to place it in Event Grid binding spec.
The associated pull request from dapr/dapr, dapr/components-contrib, or other Dapr code repos
Additional context
No additional context - just, thank you!
@berndverst @ItalyPaleAle - could either of you help with this?
@simonkurtz-MSFT if you want to use this component to receive messages, Managed Identity isn't supported. You need an actual Azure AD service principal.
Thank you, @ItalyPaleAle. Do you know whether there's a roadmap item for adding MI?
@simonkurtz-MSFT there isn't :( This component is unusual because we use Azure AD to both:
- Authenticate calls from Dapr when we publish a message
- Authenticate messages from Event Grid
Event Grid works in a "push" model, where the service sends messages to Dapr as webhooks. Dapr <= 1.9 was not authenticating calls at all, so anyone, from anywhere, could have invoked the endpoint we listen on for Event Grid messages and sent a message to your application. That's obviously not good (and a security risk).
In Dapr 1.10 we changed the EG components to authenticate calls coming from the service. We do that using Azure AD, as the recommended thing. However, that requires an Azure AD application and to follow the steps listed in the docs.