How can we improve Microsoft Azure Functions?

← Azure Functions

Blob trigger support with Service Principle/Managed identity

We are trying to setup a Blob Triggered Function, but we have a limitation to use only Service principal/managed identity to access the storage because of the security concerns in directly using access keys.

We did not find a way to by-pass blob trigger to using connection string.

Theoretically, since Blob Storage is integrated with Azure Active Directory, it should be possible to provide the right RBAC permissions on my Blob Containers so that the Function's identity (Managed Service Identity)/Service principle has whatever permissions are necessary to create the trigger and read from the blobs.

We are expecting azure functions blob trigger to support authentication with Service Principal/managed Identity

19 votes
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Anonymous shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

2 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Jonathan Jones commented  ·   ·  Flag as inappropriate

    I would also like this feature. We have another team that needs to ingest data (in a different subscription) and to configure the trigger we now:

    - have to expose what are effectively root passwords to individuals
    - struggle to rotate the credentials, as with every rotation the other team would need to update their trigger

    Please add MI support to Blob triggers asap.

    My comment is for a logic app, but I believe it's the same root cause

  • Jordan Simbananiye commented  ·   ·  Flag as inappropriate

    In implementing some security features leaning heavily on Azure [blob storage logging](https://docs.microsoft.com/en-us/azure/storage/common/storage-monitor-storage-account) for auditing purposes.

    Users should have their AAD attached to all blob operations, however It's not immediately clear how to get the same behaviour for Azure functions when authenticating with the Connection String via input bindings since it will not use a service principal.

    It would be nice to be able to use custom identities and have them show up in the audit logs for a more complete audit trail.

    https://github.com/Azure/Azure-Functions/issues/1654

Azure Functions: Feature

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice