@JosiahSiegel
Created April 14, 2022 16:04
Function App Identity-based Authentication

Scenario

Access keys are disabled in a storage account that a function app will read/write to.

Function Provisioning

It is important to make sure all the necessary files to test authentication locally are provisioned.

While in VSCode, install the Azure Functions extension and follow either of these to lay the appropriate foundation:

  1. Follow the function provisioning instructions.
  2. Press CTRL+SHIFT+P and select Azure Functions: Create Function....
    • The first run will create a new project with an HTTP trigger function. Run again to create another function with a different trigger (e.g. Blob trigger).

Auth Solutions

Http Trigger

Use DefaultAzureCredential:

  • Java

    import com.azure.identity.DefaultAzureCredential;
    import com.azure.identity.DefaultAzureCredentialBuilder;
    import com.azure.storage.blob.BlobContainerClient;
    import com.azure.storage.blob.BlobContainerClientBuilder;

    // endpoint: the blob service URI (https://<account>.blob.core.windows.net); container: target container name
    DefaultAzureCredential defaultCredential = new DefaultAzureCredentialBuilder().build();
    final BlobContainerClientBuilder clientBuilder = new BlobContainerClientBuilder()
            .endpoint(endpoint)
            .containerName(container)
            .credential(defaultCredential);
    BlobContainerClient client = clientBuilder.buildClient();
  • Python

    from azure.identity import DefaultAzureCredential
    from azure.storage.blob import ContainerClient

    # storage_url: the blob service URI (https://<account>.blob.core.windows.net); container: target container name
    creds = DefaultAzureCredential()

    container_service_client = ContainerClient.from_container_url(
        container_url=f"{storage_url}/{container}",
        credential=creds,
    )

Blob Trigger

  1. Requires Azure Functions Core Tools v4, extension version 5.0.0 or later (extension bundle v3.x), and the following settings in the app configuration (local.settings.json when running locally):

    • "<CONNECTION_NAME_PREFIX>__blobServiceUri": "<blobServiceUri>"
      "<CONNECTION_NAME_PREFIX>__queueServiceUri": "<queueServiceUri>"

    If the function app's identity does NOT have the Storage Queue Data Contributor role (for example, it was granted only ACL permissions), point AzureWebJobsStorage at a connection string for a separate storage account that holds no blob data, so the trigger's queue can be managed there temporarily:

    • "<CONNECTION_NAME_PREFIX>__serviceUri": "<blobServiceUri>"
      "AzureWebJobsStorage": "@Microsoft.KeyVault(SecretUri=https://pidev-app-kv.vault.azure.net/secrets/functionappsa)"
  2. Local development requires:

  3. Update extension bundle version in host.json:

    {
      "version": "2.0",
      "extensionBundle": {
        "id": "Microsoft.Azure.Functions.ExtensionBundle",
        "version": "[3.3.0, 4.0.0)"
      } 
    }
  4. The DefaultAzureCredential logic can be replaced with the @BlobOutput binding IF the function app has the Storage Blob Data Contributor role and is not restricted to just ACL permissions in the storage account.
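An added check for the Blob trigger settings in steps 1 and 3 above (this is not code from the gist): it reads the Values block of a local.settings.json, confirms each `<CONNECTION_NAME_PREFIX>__*` connection is identity-based with an https blob service URI and a reachable queue (either `__queueServiceUri` or the AzureWebJobsStorage fallback the gist describes), flags key/SAS connection strings that stop working once access keys are disabled, and checks that host.json pins an extension bundle of v3.x or later. The `MyStorage` prefix, the `examplestorage` account, the `example-kv` vault and the placeholder key are constructed values.

```python
import json
import re

# Constructed sample (not from the gist) of the "Values" block of local.settings.json:
# an identity-based connection "MyStorage" for the blob trigger, plus a Key Vault
# reference for AzureWebJobsStorage, mirroring the gist's layout.
SAMPLE_VALUES = {
    "FUNCTIONS_WORKER_RUNTIME": "python",
    "MyStorage__blobServiceUri": "https://examplestorage.blob.core.windows.net",
    "MyStorage__queueServiceUri": "https://examplestorage.queue.core.windows.net",
    "AzureWebJobsStorage": "@Microsoft.KeyVault(SecretUri=https://example-kv.vault.azure.net/secrets/functionappsa)",
}

# Constructed "before" sample: a key-based connection string (PLACEHOLDER is not a
# real key) and a blob service URI that is not https.
LEGACY_VALUES = {
    "MyStorage": "DefaultEndpointsProtocol=https;AccountName=examplestorage;AccountKey=PLACEHOLDER;EndpointSuffix=core.windows.net",
    "MyStorage__blobServiceUri": "http://examplestorage.blob.core.windows.net",
    "AzureWebJobsStorage": "UseDevelopmentStorage=true",
}

# Constructed host.json contents: the bundle range from the gist and an older v2 default.
HOST_JSON_V3 = json.dumps({"version": "2.0", "extensionBundle": {
    "id": "Microsoft.Azure.Functions.ExtensionBundle", "version": "[3.3.0, 4.0.0)"}})
HOST_JSON_V2 = json.dumps({"version": "2.0", "extensionBundle": {
    "id": "Microsoft.Azure.Functions.ExtensionBundle", "version": "[2.*, 3.0.0)"}})

KEY_BASED = re.compile(r"(AccountKey|SharedAccessSignature)=", re.IGNORECASE)
KEYVAULT_REF = re.compile(r"^@Microsoft\.KeyVault\((SecretUri|VaultName)=")


def check_connection_settings(values):
    """Classify app settings for identity-based storage access.

    Returns {"errors": [...], "warnings": [...]}. A connection prefix is the part
    of a setting name before "__"; the blob trigger needs a blob service URI plus
    a queue it can reach, either via <prefix>__queueServiceUri or, as the gist's
    fallback, via AzureWebJobsStorage.
    """
    errors, warnings = [], []
    prefixes = sorted({k.split("__", 1)[0] for k in values if "__" in k})
    has_webjobs = any(k == "AzureWebJobsStorage" or k.startswith("AzureWebJobsStorage__") for k in values)
    for prefix in prefixes:
        blob = values.get(f"{prefix}__blobServiceUri") or values.get(f"{prefix}__serviceUri")
        if blob is None:
            errors.append(f"{prefix}: missing __blobServiceUri (or __serviceUri)")
        elif not blob.startswith("https://"):
            errors.append(f"{prefix}: blob service URI must use https")
        if f"{prefix}__queueServiceUri" not in values and not has_webjobs:
            errors.append(f"{prefix}: no __queueServiceUri and no AzureWebJobsStorage for the trigger queue")
    for key, value in values.items():
        if KEY_BASED.search(value):
            # Only valid for a separate, key-enabled account used temporarily for the queue.
            warnings.append(f"{key}: key/SAS connection string; fails if this account has access keys disabled")
    webjobs = values.get("AzureWebJobsStorage")
    if webjobs is not None and not KEYVAULT_REF.match(webjobs) and not KEY_BASED.search(webjobs):
        warnings.append("AzureWebJobsStorage: plain value; expected a Key Vault reference or AzureWebJobsStorage__* settings")
    return {"errors": errors, "warnings": warnings}


def parse_version(text):
    """'3.*' -> (3, 0, 0); missing components are padded with zeros so tuples compare cleanly."""
    parts = [0 if p == "*" else int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def bundle_supports_identity(host_json_text, minimum=(3, 0, 0)):
    """True when the extensionBundle lower bound in host.json is at least `minimum`.

    Identity-based connections need the storage extension 5.0.0+, shipped in bundle
    v3.x; the range uses NuGet syntax such as "[3.3.0, 4.0.0)" or "[2.*, 3.0.0)".
    """
    bundle = json.loads(host_json_text).get("extensionBundle", {})
    version_range = bundle.get("version", "")
    match = re.fullmatch(r"\s*[\[(]\s*([\d.*]+)\s*,\s*([\d.*]*)\s*[\])]\s*", version_range)
    lower = match.group(1) if match else version_range
    try:
        return parse_version(lower) >= minimum
    except ValueError:
        return False


if __name__ == "__main__":
    for name, values in (("sample", SAMPLE_VALUES), ("legacy", LEGACY_VALUES)):
        print(name, json.dumps(check_connection_settings(values), indent=2))
    print("bundle v3 ok:", bundle_supports_identity(HOST_JSON_V3))
    print("bundle v2 ok:", bundle_supports_identity(HOST_JSON_V2))
```

Run it against the Values block of your own local.settings.json before deploying: an empty errors list and a v3.x bundle are the preconditions the gist lists for the identity-based Blob trigger, and a warning on AzureWebJobsStorage is expected only while the temporary queue-management workaround is in place.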
