Support for Azure Managed Service Identities in EventHub (and other) triggers

In Event Hub, I can add my Function App's MSI as a data reader, but in the function I cannot use trigger bindings to read from the queue without using a SecureAccess Key. We are trying to go password free wherever possible, and Azure has been promoting this course of action, so why do we need secret keys for reading from the queue? It then forces us to create and share a secret key for partner teams to read from our queue, rather than just permissioning them in Event Hub.

215 votes

Ben Cassell shared this idea · Jun 13, 2019 · Flag idea as inappropriate… · Admin →

planned ·

AdminAzure App Service team (Product Owner, Microsoft Azure) responded · Sep 28, 2020

We don’t have an exact timeline for this, but this is something we’re eager to light up and have some preliminary work underway for. This will likely show up for Storage first, but messaging services like Event Hub would be shortly after.

Show previous admin responses (2)

11 comments

An error occurred while saving the comment

Tolga Kavukcu commented · June 30, 2021 5:30 AM · Flag as inappropriate

This will remove a lot of operational problems around SAS tokens. Please prioritize

Submitting...
Anonymous commented · April 20, 2021 10:08 AM · Flag as inappropriate

Any ETA for this feature to be released?

Submitting...
andyb commented · October 29, 2020 9:59 AM · Flag as inappropriate

Managed ID support for service bus triggers would be really useful for us.

Submitting...
David Smith (US) commented · September 16, 2020 3:59 PM · Flag as inappropriate

How does this -still- remain unplanned? It is claimed that the feature is "still very much of interest" but the complete lack of progress demonstrates otherwise.

Submitting...
Daniel Kling commented · September 2, 2020 12:04 PM · Flag as inappropriate

Please also consider supporting using appId authentication as part of this.

Submitting...
Morrolan commented · July 15, 2020 7:13 PM · Flag as inappropriate

Since this is so easy to support (as was mentioned it was unintentionally working at one point), why is this not implemented already? It is puzzling to me that every resource in Azure has not supported role based authentication from inception.

Submitting...
Ben Dursley commented · May 22, 2020 4:22 AM · Flag as inappropriate

Would love to have this for Service Bus Triggers!

Submitting...
Piotr commented · April 6, 2020 6:33 AM · Flag as inappropriate

Hi Azure App Service team.

I just tested it with Azure functions and it still. In my project I see it references Microsoft.Azure.ServiceBus 4.1.1. So will this break in future?

Submitting...
AdminAzure App Service team (Product Owner, Microsoft Azure) commented · March 26, 2020 12:52 PM · Flag as inappropriate

Please note that the behavior captured in the post by Arturo was considered unintentional from the SDK team and removed in a later version update. We are working with them to make this formally supported, but right now the instructions in that post may no longer work.

Submitting...
Pete@Qualitas commented · March 4, 2020 12:36 AM · Flag as inappropriate

Interested in this across the board, my current need is Storage Queue and SB Subscription Triggers...
(for Queue) just needs to take a TokenCredential and QueueUri as per Azure.Storage.Queues.QueueClient constructor.

Submitting...
Joey Eng commented · October 22, 2019 4:32 PM · Flag as inappropriate

Thanks, Arturo!

Submitting...