Authenticate Azure Function with Azure Web App Using Managed Service Identity

  • Published: Jul 30, 2024
  • Azure Functions are getting popular, and I am starting to see them more at clients. One typical scenario I come across is authenticating an Azure Function with an Azure Web API. Every time something like this comes up, it means more Azure AD applications, which in turn means more secrets/certificates that need to be managed. But with the Managed Service Identity (MSI) feature on Azure, a lot of these secrets and authentication bits can be taken off our shoulders and left to the platform to manage for us.
    Blog Post: www.rahulpnath.com/blog/how-t...
    Managed Service Identity: docs.microsoft.com/en-us/azur...

Comments • 67

  • @alitswq 3 years ago +1

    Rahul, The way you show the differences is fantastic. Good job!

    • @RahulNath 3 years ago

      Thank you, happy to hear that and glad you like it! 😀

  • @AgeOfFails 4 years ago +2

    Seems that I've found a hidden gem! Thanks for the explanation, was very clear and to the point!

    • @RahulNath 4 years ago

      Awesome - glad you liked it!

  • @soucianceeqdamrashti8175 4 years ago +6

    Very well explained and good code demo! Keep it up!

    • @RahulNath 4 years ago +1

      Souciance Eqdam Rashti Thank you - glad you liked it😀

  • @adamtibi559 3 years ago +2

    This is a well prepared short video. Thank you.

    • @RahulNath 3 years ago

      Glad it was helpful!

  • @ashishmishra672 4 years ago

    Amazing job explaining Rahul :)

  • @ChandanKumar-es7bz 4 years ago +2

    Thanks man, after a long wait I get this video

    • @RahulNath 4 years ago +1

      Thanks for the comment - glad it helps!

    • @ChandanKumar-es7bz 4 years ago

      @RahulNath do you have the sample code

    • @RahulNath 4 years ago

      @ChandanKumar-es7bz Have you checked the associated blog post? It has the relevant code www.rahulpnath.com/blog/how-to-authenticate-azure-function-with-azure-web-app-using-managed-service-identity/
      Let me know if that helps

  • @libancool 4 years ago +2

    Thanks, needed this.

  • @xichle 4 years ago +3

    Thanks! very helpful!

    • @RahulNath 4 years ago

      Thank you for the comment and glad you liked it!

  • @webdeveloperninja9220 4 years ago +3

    Thanks man

  • @bencarp 3 months ago

    Regarding the auth level settings for the function. I notice you have it set to function. When using managed identity, does it matter which level is used? Also, do we need to utilize the authentication blade, or does the Azure infra take care of that for us?

  • @rahulraut5020 4 years ago +1

    Well explained !!!

  • @piyalibasak6886 1 year ago

    I have some confusion on it. Please clear it. Generally I know that in this case I need two app registrations, one for the web API and another for the Azure Function. But here we have used one app registration, the one we have configured in the web API; the same one we have used in the function app to call the web API. Can you please explain why? If I create another app registration for the function app, and I use that function app's client ID to call the web API, is that correct?

  • @gayanrathnayaka1010 2 years ago +2

    I get the following Error any Idea? Parameters: Connection String: [No connection string specified], Resource: 0a200f72-48d3-4a8d-b7ec-b43b6b879984, Authority: . Exception Message: Tried the following 3 methods to get an access token, but none of them worked. This is only a part of the exception

    • @RahulNath 2 years ago +1

      Looks like it is not able to make a successful connection using Managed Identity. Can you check this post and associated video for more details on Managed Identity and setting it up www.rahulpnath.com/blog/defaultazurecredential-from-azure-sdk/
      Let me know if you have additional questions.

    • @ravitejamnm 2 years ago

      I got same error. How did you get it resolved?

  • @abdulwestwood625 3 years ago +1

    Excellent video

    • @RahulNath 3 years ago

      Thank you very much!

  • @sbmqureshi77 2 days ago

    Rahul your video is very helpful

    • @RahulNath 2 days ago

      Very happy to hear that! Hope you are liking the other videos.

  • @vinothrajendran858 2 years ago +1

    Thanks for this video Rahul. Do you have video for that web api? I want to know how it is validating this token and how it was registered in AAD?

    • @RahulNath 2 years ago

      Thank you Vinoth. Is this what you are looking for?
      www.rahulpnath.com/blog/defaultazurecredential-from-azure-sdk/
      www.rahulpnath.com/blog/azure-managed-service-identity-and-local-development/
      If not, could you please clarify your question.

    • @vinothrajendran858 2 years ago

      @RahulNath Thanks Rahul for your reply. I will come back after working it out. Thanks for sharing this link

  • @sharmarahul17 11 months ago

    excellent video

    • @RahulNath 11 months ago

      Glad you liked it!

  • @IndrajithReddyMandapati 3 years ago

    Azure Service Token Provider is working only after deploying into Azure. Getting error while running in local machine. Can you please tell how to get token in local development and in postman?

    • @RahulNath 3 years ago

      To get ManagedIdentity working on a local machine there are a couple of ways. I have written about it here in this blog post - www.rahulpnath.com/blog/azure_managed_service_identity_and_local_development/
      DefaultAzureCredential is the new library to be used when getting ManagedIdentity token. You can read more about it here www.rahulpnath.com/blog/defaultazurecredential_from_azure_sdk/
      I also have videos on the same, which are linked in the blog posts. Let me know if that helps and if you have any further questions.

  • @Wanted_VXRAIL 2 years ago +1

    I'm having big troubles trying to get a valid access token using a user assigned identity in Azure Functions to call my API, which is an App Service. I get a token out of it but I can't access the API, it says neither scope or claim was found in token. Any idea?

    • @RahulNath 2 years ago

      Did you try inspecting the token in jwt.io to see what it contains? Can you provide more details on your setup? I'm assuming you don't have any Azure function in the mix (just checking since the comment is under this video 😀)

    • @arunampk 2 years ago +1

      @RahulNath Thanks for the video, well explained! However, I have the exact same problem as Fatgamer. Is there a way that I can email you the problem? The JWT doesn't seem to have the scope or claim so obviously the API is rejecting it.

    • @RahulNath 2 years ago

      @arunampk Hard to tell what the problem is - Did you try inspecting the token using jwt.io? Sometimes it might take a few minutes for the claims to reflect.

    • @arunampk 2 years ago +1

      @RahulNath The bit which is missing in this video is the AD setup, i.e. how to do app registrations etc. I feel it would have been amazing if you had shown it end to end. Any thoughts Rahul?

    • @RahulNath 2 years ago

      @arunampk Did you get a chance to check this blog post? www.rahulpnath.com/blog/how-to-authenticate-azure-function-with-azure-web-app-using-managed-service-identity/
      It explains the AD Setup as well, which is covered as part of a separate video

  • @vivek3amity 3 years ago

    Nice demo. You have done changes in Functionapp by enabling System assigned identity and Getting the token for a client id. How is the api's secured? Anybody can enable identity and generate token using client id and he/she can invoke api?

    • @RahulNath 3 years ago +1

      Thanks Vivek. The API is secured using Managed Identities. Azure is managing the Id/Secret for us in this case. You can read more about it here docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview?WT.mc_id=AZ-MVP-5003875. Anyone who has access to your azure subscription and has the appropriate access to your resources only will be able to do this. Let me know if that answers your question and if you need further info

    • @vasuroy6214 3 years ago

      @RahulNath I have some follow up questions:
      1. How to provide access to function apps and other backend and web APIs, present in different RGs?
      2. How to provide access to function apps and other backend and web APIs, present in different subscriptions?
      3. Suppose I have 2 function apps (F1 and F2), for both I have configured System MI as enabled, I want only F1 to access my API and not F2, how can I control this?

    • @RahulNath 3 years ago +1

      @vasuroy6214 Hey Vasu, Within the same tenant you should be able to use Managed Identities. If you are looking at cross tenant then you will not be able to use Managed Identity but will have to use app tokens/Identity Server depending on your setup.

  • @TheShrutika 2 years ago +1

    Hi Rahul, I am facing a problem in Azure Functions. I have installed VS 2019, selecting the Azure tools from the installer. I have .NET Framework SDK from 4.6.1 till 4.8 installed as well. I am able to successfully create, run and debug locally Azure Functions created using .NET Core. In the solution explorer I can see the Azure Function icon and it runs perfectly fine. But with .NET Framework it doesn’t. It creates some sort of class project which I can’t run locally. Any idea what I am missing here? Please let me know, it will be a great help

    • @RahulNath 2 years ago +1

      Hey Shrutika, any reason you are trying to run it with .NET framework instead of core? This link will help you with the .NET versions and the support for Azure Functions
      docs.microsoft.com/en-us/azure/azure-functions/functions-versions?tabs=in-process%2Cv4&pivots=programming-language-csharp&WT.mc_id=AZ-MVP-5003875
      Think you will need to be on 1.x function runtime to be able to run it. Let me know if that helps or if you have additional questions.

    • @TheShrutika 2 years ago

      @RahulNath let me try this and get back to you

    • @TheShrutika 2 years ago +1

      @RahulNath I checked the csproj file its v1 net6.0
      v4 . Funny part is the same setup runs on my colleague's laptop which I set up. Not sure what's the issue in my system

    • @RahulNath 2 years ago

      @TheShrutika What issue do you see in yours?

    • @TheShrutika 2 years ago +1

      Can I attach screenshots somewhere !? So it can be easily understood

  • @sawarkarashish 3 years ago

    Explained very well and I followed all steps for MSI but getting the error of unauthorized. Can you please guide me where the issue can be?

    • @RahulNath 3 years ago

      Glad you liked it. Sometimes it takes around 10-15 minutes to reflect. Are you still facing the same error? You can console log the auth token and inspect it in jwt.io/ to check if everything is set up correctly. In case you didn't see it, there is an associated blog post here too www.rahulpnath.com/blog/how-to-authenticate-azure-function-with-azure-web-app-using-managed-service-identity/
      Can you double check all your steps and let know if you are still facing the issue?

    • @sawarkarashish 3 years ago

      @RahulNath Thanks for replying. I am getting access token using MSI but while calling api from function app, I am getting unauthorized and not returning any value from api.

    • @sawarkarashish 3 years ago +2

      @RahulNath It worked for me now.. I forgot to add "app.UseAuthentication();" in web api's startup file. Once again thanks !

    • @RahulNath 3 years ago +1

      @sawarkarashish Awesome glad you sorted it out!

    • @vinitsingh3395 1 year ago

      @sawarkarashish Thanks, this was the issue and was able to run through the steps smoothly. Thanks for the video @Rahul
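
Added example, not part of the video, the blog post or any comment: the replies in this thread and in the earlier "neither scope or claim was found in token" thread suggest inspecting the token in jwt.io. The Python sketch below runs the same checks offline; the audience `api://example-web-api` and the helper `make_sample_token` are constructed for the demo.

```python
import base64
import json
import time
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def diagnose(token: str, expected_audience: str, now: Optional[float] = None) -> list:
    """List likely reasons an API would answer 401/403 for this token."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    problems = []
    if expected_audience not in audiences:
        problems.append(f"aud {aud!r} does not match the API's {expected_audience!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    # App-only tokens (managed identity) carry app roles in 'roles';
    # delegated user tokens carry scopes in 'scp'.
    if not claims.get("roles") and not claims.get("scp"):
        problems.append("neither 'scp' nor 'roles' claim is present")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build an unsigned token from constructed claims (demo input only)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


if __name__ == "__main__":
    # Constructed claims: right audience, but no app role assigned to the identity.
    token = make_sample_token({"aud": "api://example-web-api", "exp": 4102444800})
    for problem in diagnose(token, "api://example-web-api"):
        print("-", problem)
```

Decoding only shows what the token claims; the web API still has to validate the signature, issuer and audience in its authentication middleware.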

  • @santhoshcholleti2249 1 year ago

    How to debug it locally?

    • @RahulNath 1 year ago

      Which part are you specifically looking for to debug locally? I did write about Managed Identity local development here www.rahulpnath.com/blog/azure-managed-service-identity-and-local-development/

  • @Rajeshsingh-ws5th 3 years ago

    When it is being hard coded it defeats the purpose of security.

    • @RahulNath 3 years ago

      Sorry Rajesh, didn’t understand. What’s hard coded?

    • @Rajeshsingh-ws5th 3 years ago

      @RahulNath When you see it @3.13 (video time), client secret has been hard coded over here and on 6.38, after removing, it's open to use by anyone.

    • @RahulNath 3 years ago

      @Rajeshsingh-ws5th Which is the whole premise of the video. Continue watching and I show you how to remove needing any secrets. Please hear at 4:35. Keen to hear your thoughts.

    • @RahulNath 3 years ago

      Also please watch the introduction where I set the context on the video 0:27. I first show the normal way of using it (the client and secret will be moved to config file 4:35 and for demo purposes is shown in the code) and then refactor to use Managed Identity where you don't need any kind of auth and Azure infra takes care of it for you. Hope that clears your question. Happy to help if you have more questions.