Blob trigger support with Service Principal/Managed identity
We are trying to set up a Blob Triggered Function, but we have a limitation to use only Service Principal/managed identity to access the storage because of the security concerns in directly using access keys.
We did not find a way to bypass the blob trigger's use of a connection string.
Theoretically, since Blob Storage is integrated with Azure Active Directory, it should be possible to provide the right RBAC permissions on my Blob Containers so that the Function's identity (Managed Service Identity)/Service Principal has whatever permissions are necessary to create the trigger and read from the blobs.
We are expecting the Azure Functions blob trigger to support authentication with Service Principal/managed identity.
This is something we are planning. Likely this would be accomplished through DefaultAzureCredential with the newest Storage SDKs, allowing more flexibility for local development.
Jonathan Jones commented
I would also like this feature. We have another team that needs to ingest data (in a different subscription) and to configure the trigger we now:
- have to expose what are effectively root passwords to individuals
- struggle to rotate the credentials, as with every rotation the other team would need to update their trigger
Please add MI support to Blob triggers asap.
My comment is for a logic app, but I believe it's the same root cause.
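What the original request and Jonathan's cross-subscription case ask for, shown as an added example that is not from this thread or from the product team: the identity-based connection settings the Azure Storage extension later shipped (5.x and up), which replace an account-key setting such as `"IngestStorage": "DefaultEndpointsProtocol=https;AccountName=...;AccountKey=..."` with service URIs plus the function's own identity, so the data account in the other subscription only needs a role assignment for that identity and no key is ever shared or rotated by hand. Account names, the worker runtime and the client id below are placeholders.

```json
{
  "IsEncrypted": false,
  "Values": {
    "FUNCTIONS_WORKER_RUNTIME": "dotnet",
    "AzureWebJobsStorage__blobServiceUri": "https://<host-account>.blob.core.windows.net",
    "AzureWebJobsStorage__queueServiceUri": "https://<host-account>.queue.core.windows.net",
    "IngestStorage__blobServiceUri": "https://<data-account>.blob.core.windows.net",
    "IngestStorage__queueServiceUri": "https://<data-account>.queue.core.windows.net",
    "IngestStorage__credential": "managedidentity",
    "IngestStorage__clientId": "<client-id-of-user-assigned-identity>"
  }
}
```

The trigger refers to the connection by name only (`"connection": "IngestStorage"` in function.json, or `Connection = "IngestStorage"` on a C# `BlobTrigger` attribute); the identity then needs Storage Blob Data Owner and Storage Queue Data Contributor on the data account (the queue is used internally by the blob trigger), and the `__credential`/`__clientId` pair is omitted when the system-assigned identity should be used instead.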
Jordan Simbananiye commented
I'm implementing some security features leaning heavily on Azure [blob storage logging](https://docs.microsoft.com/en-us/azure/storage/common/storage-monitor-storage-account) for auditing purposes.
Users should have their AAD attached to all blob operations; however, it's not immediately clear how to get the same behaviour for Azure Functions when authenticating with the Connection String via input bindings, since it will not use a service principal.
It would be nice to be able to use custom identities and have them show up in the audit logs for a more complete audit trail.