Support for Azure Managed Service Identities in EventHub (and other) triggers
In Event Hub, I can add my Function App's MSI as a data reader, but in the function I cannot use trigger bindings to read from the queue without using a SecureAccess Key. We are trying to go password free wherever possible, and Azure has been promoting this course of action, so why do we need secret keys for reading from the queue? It then forces us to create and share a secret key for partner teams to read from our queue, rather than just permissioning them in Event Hub.
Ben Cassell
shared this idea
We don’t have an exact timeline for this, but this is something we’re eager to light up and have some preliminary work underway for. This will likely show up for Storage first, but messaging services like Event Hub would be shortly after.
8 comments
-
David F Smith
commented
How does this -still- remain unplanned? It is claimed that the feature is "still very much of interest" but the complete lack of progress demonstrates otherwise.
-
Daniel Kling
commented
Please also consider supporting using appId authentication as part of this.
-
Morrolan
commented
Since this is so easy to support (as was mentioned it was unintentionally working at one point), why is this not implemented already? It is puzzling to me that every resource in Azure has not supported role based authentication from inception.
-
Ben Dursley
commented
Would love to have this for Service Bus Triggers!
-
Piotr
commented
Hi Azure App Service team.
I just tested it with Azure functions and it still. In my project I see it references Microsoft.Azure.ServiceBus 4.1.1. So will this break in future?
-
Please note that the behavior captured in the post by Arturo was considered unintentional from the SDK team and removed in a later version update. We are working with them to make this formally supported, but right now the instructions in that post may no longer work.
-
Pete@Qualitas
commented
Interested in this across the board, my current need is Storage Queue and SB Subscription Triggers...
(for Queue) just needs to take a TokenCredential and QueueUri as per Azure.Storage.Queues.QueueClient constructor. -
Joey Eng
commented
Thanks, Arturo!