Feature Request: Support Managed Service Identity for Storage connections #2109
Comments
Any update on this one?

The above code fails for me as the StorageCredentials does not have an AccountName when created with a Token Credential. This would work if we could approve Pull Request #2000

A year had passed...

I want to try out the proposed workaround of @NullMDR but I am too inexperienced to actually apply it properly. Unfortunately, from the information in the code snippet provided, I don't know where to actually implement it. Is this program.cs or function.cs? Sorry for the lack of knowledge.

Never mind the above, it appears I have not read thoroughly enough.

FYI, this is working for Service Bus and Event Hub. Jeff Hollan, principal PM on the Azure Functions team, informed on the reason why this is on Twitter

Hi, my team is still looking for official MSI support in the SDK. Has there been any update on this issue?

We are looking for official MSI support to get rid of the storage connection string for WebJobs. Any update on this issue?

After a long search I found out it is now possible by just adding some settings in your appsettings.json:

Did you find this in the documentation?

Found it in the azure functions docs:

It works for me using the following settings in

```json
"AzureWebJobsStorage": {
  "accountName": "moxycpsa"
  // the following 2 lines need to be commented out in local dev mode.
  // Otherwise, the Microsoft.Azure.WebJobs.Extensions.Storage extension will
  // try only to connect to MSI service ignoring local windows/azcli creds.
  // ONLY ENABLE THE FOLLOWING IN PROD ENV
  //"credential": "managedidentity",
  //"clientId": ""
}
```

However, if

```csharp
using System;
using System.Linq;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Storage;
using Azure.ResourceManager.Storage.Models;
using Microsoft.Extensions.Configuration;

// Builds a classic connection string. The identity is used only to fetch the
// account key from the management plane; the returned string embeds that key.
private static string BuildAzureStorageConnectionString(IConfiguration config)
{
    var accountName = config.GetValue<string>("AzureWebJobsStorage:accountName");
    var subscription = config.GetValue<string>("AzureWebJobsStorage:subscription");
    var resourceGroup = config.GetValue<string>("AzureWebJobsStorage:resourceGroup");
    var clientId = config.GetValue<string?>("AzureWebJobsStorage:clientId", default);

    // A null clientId leaves the managed identity client ID unset.
    var creds = new DefaultAzureCredential(new DefaultAzureCredentialOptions
    {
        ManagedIdentityClientId = clientId,
    });
    var management = new ArmClient(creds);

    Console.WriteLine($"[{DateTime.UtcNow:u}]\tGetting storage keys...");
    var account = management.GetStorageAccount(StorageAccount.CreateResourceIdentifier(subscription, resourceGroup, accountName));
    var keys = account.GetKeys();
    // Pick the first key that carries full permissions.
    var key = keys.Value.Keys.First(k => k.Permissions == KeyPermission.Full).Value;
    Console.WriteLine($"[{DateTime.UtcNow:u}]\tStorage key retrieved.");

    return $"DefaultEndpointsProtocol=https;AccountName={accountName};AccountKey={key};EndpointSuffix=core.windows.net";
}
```

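A configuration check for the two setups discussed in this thread, as an added example that is not code from the thread or from the WebJobs SDK: it reads an appsettings.json, tolerating the `//` comments used above, and reports whether `AzureWebJobsStorage` still carries an account key or uses the identity-based form. The function names, verdict strings and sample values are assumptions made for illustration.

```python
import json
import re

def strip_line_comments(text):
    """Remove // comments outside JSON strings (the thread's settings use them)."""
    out, in_str, i = [], False, 0
    while i < len(text):
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < len(text):  # keep escaped char, e.g. \"
                i += 1
                out.append(text[i])
            elif c == '"':
                in_str = False
        elif text.startswith("//", i):
            while i < len(text) and text[i] != "\n":
                i += 1
            continue
        else:
            in_str = c == '"'
            out.append(c)
        i += 1
    return "".join(out)

def classify_storage_setting(appsettings_text):
    """Return a verdict for the AzureWebJobsStorage entry of an appsettings.json."""
    value = json.loads(strip_line_comments(appsettings_text)).get("AzureWebJobsStorage")
    if isinstance(value, str):
        # Connection-string form: flag embedded account keys or SAS tokens.
        if re.search(r"\b(AccountKey|SharedAccessSignature)\s*=", value, re.I):
            return "secret-in-config"
        return "connection-string"
    if isinstance(value, dict) and value.get("accountName"):
        # Identity form from the thread: accountName plus optional credential/clientId.
        if str(value.get("credential", "")).lower() == "managedidentity":
            return "managed-identity"
        return "identity-default-credentials"
    return "missing-or-invalid"

# Constructed sample inputs (account name and key are placeholders).
KEYED = '{"AzureWebJobsStorage": "DefaultEndpointsProtocol=https;AccountName=examplestorage;AccountKey=PLACEHOLDER==;EndpointSuffix=core.windows.net"}'
LOCAL_DEV = '''{ "AzureWebJobsStorage": {
    "accountName": "examplestorage"
    // "credential": "managedidentity",
    // "clientId": ""
} }'''
PROD = '{"AzureWebJobsStorage": {"accountName": "examplestorage", "credential": "managedidentity", "clientId": ""}}'
```

A connection string produced by a key-fetching helper like the one above would be reported as `secret-in-config`, since it embeds `AccountKey=`.
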
Please provide a succinct description of the issue.
Repro steps
Currently Azure Storage supports Managed Service Identity. But the Azure WebJobs SDK only supports connection strings for the storage account. It would be great if the WebJobs SDK supported MSI.
Known workarounds
I've found some workarounds by injecting the storage account on registering. First I need to generate the CloudStorageAccount by MSI in advance. Then, there are two services I need to inject:
I'm still looking for official MSI support.