
I have performed the following

  1. Created a simple azure blob triggered function app in visual studio with default setup
  2. Publish into Azure portal and the trigger is set to a different azure blob location

Requirement is to replace the azure blob connection string with the function app Managed identity

  1. I followed this blog which mentions a simple setup, but in my case the connection string is a different one, so I am not sure if this works for the Function app in the portal

Can you please help to identify

  1. Steps to follow in order to replace with managed identity in Visual studio for this case
  2. Versions of function app and azure blob supports managed identity

I also found this blog which resonates with the requirement; however I am not sure how to perform this in VS and sync it to the azure portal for my current function app

thanks

2 Answers


  1. I successfully ran the Blob trigger function locally and in the Azure Function App using DefaultAzureCredential and Managed Identity.

    Below is the complete code for a Blob trigger function in the .NET 8 Isolated model.

    Function1.cs :

    using Microsoft.Azure.Functions.Worker;
    using Microsoft.Extensions.Logging;
     
    namespace FunctionApp4
    {
        public class Function1
        {
            private readonly ILogger<Function1> _logger;
     
            public Function1(ILogger<Function1> logger)
            {
                _logger = logger;
            }
     
            [Function(nameof(Function1))]
            public async Task Run([BlobTrigger("kamcontainer/{name}")] Stream stream, string name)
            {
                using var blobStreamReader = new StreamReader(stream);
                var content = await blobStreamReader.ReadToEndAsync();
                // Extraction had dropped the backslashes of the "\n" escapes; restored here
                _logger.LogInformation($"C# Blob trigger function processed blob\n Name: {name} \n Data: {content}");
            }
        }
    }
    

    Program.cs :

    using Azure.Identity;
    using Azure.Storage.Blobs;
    using Microsoft.Azure.Functions.Worker.Builder;
    using Microsoft.Extensions.DependencyInjection;
    using Microsoft.Extensions.Hosting;
     
    var builder = FunctionsApplication.CreateBuilder(args);
    // Registers a BlobServiceClient for explicit SDK calls from function code.
    // Note: the [BlobTrigger] binding itself does not use this client; it resolves
    // its storage account from the AzureWebJobsStorage setting (or the attribute's Connection name).
    builder.Services.AddSingleton(_ =>
    {
        var blobUri = new Uri("https://<storagename>.blob.core.windows.net/");
        return new BlobServiceClient(blobUri, new DefaultAzureCredential());
    });
    builder.ConfigureFunctionsWebApplication();
    builder.Build().Run();
    

    local.settings.json :

    {
      "IsEncrypted": false,
      "Values": {
        "AzureWebJobsStorage": "<storageConnestring>",
        "FUNCTIONS_WORKER_RUNTIME": "dotnet-isolated"
      }
    }
    

    I have created a Service principal in Azure AD and added the clientID, clientSecret and TenantID to the System Environment Variables to run the function using DefaultAzureCredential as shown below.

    Add below to your System Environment Variables :

    AZURE_CLIENT_ID = <clientID>
    AZURE_CLIENT_SECRET = <clientSecret>
    AZURE_TENANT_ID = <TenantID>
    

    I have Enabled the Managed Identity in the Azure Function App as shown below.

    I have assigned the Owner role to the Service Principal and the Storage Blob Data Contributor role to the Function App under Access Control (IAM) in the Storage account, as shown below.


    Local Output :

    I started running the Blob trigger function and uploaded a file to the Blob storage as shown below.

    The Blob Trigger function ran successfully and retrieved the blob details, as shown below.


    I published the Blob trigger function to the Azure Function App, as shown below.


    Azure Function App Output :

    I successfully ran the Blob Trigger function in the Azure Function App and retrieved the blob details after uploading a file to the Blob Storage, as shown below.
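Added example (not the answerer's code): the answer above still hands the trigger binding a connection string via AzureWebJobsStorage, so this shows how the binding itself moves to an identity-based connection by naming a settings prefix instead. It assumes Functions runtime 4.x with the .NET isolated worker and the Storage Blobs extension 5.x or later, a system-assigned managed identity, and placeholder names "BlobStorage" and <storagename>.

```csharp
using System.IO;
using System.Threading.Tasks;
using Microsoft.Azure.Functions.Worker;
using Microsoft.Extensions.Logging;

namespace FunctionApp4
{
    public class BlobIdentityFunction
    {
        private readonly ILogger<BlobIdentityFunction> _logger;

        public BlobIdentityFunction(ILogger<BlobIdentityFunction> logger)
        {
            _logger = logger;
        }

        // Connection = "BlobStorage" is a settings prefix (assumed name), not a setting holding a
        // secret. The runtime looks up BlobStorage__blobServiceUri / BlobStorage__queueServiceUri
        // and authenticates with the app's managed identity; locally it falls back to the
        // developer's Visual Studio / Azure CLI login, so no client secret is needed in env vars.
        [Function(nameof(BlobIdentityFunction))]
        public async Task Run(
            [BlobTrigger("kamcontainer/{name}", Connection = "BlobStorage")] Stream stream,
            string name)
        {
            using var reader = new StreamReader(stream);
            var content = await reader.ReadToEndAsync();
            // Log metadata only; blob contents may be sensitive.
            _logger.LogInformation("Processed blob {Name}, {Length} chars", name, content.Length);
        }
    }
}

/* App settings that replace the connection string ("Values" in local.settings.json locally,
   Function App > Configuration in the portal). The blob trigger uses a storage queue
   internally, so the queue endpoint is required as well:

     "AzureWebJobsStorage__accountName": "<storagename>",
     "BlobStorage__blobServiceUri":  "https://<storagename>.blob.core.windows.net",
     "BlobStorage__queueServiceUri": "https://<storagename>.queue.core.windows.net"

   Grant the identity Storage Blob Data Owner and Storage Queue Data Contributor on the
   storage account for the trigger connection; the host connection (AzureWebJobsStorage)
   has its own documented role set, and Owner on the account is far more than needed. */
```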
  2. DefaultAzureCredential can obtain credentials of different types, in a number of different ways, based on a set of environment variables. But the default options and search order make it difficult to exclude or enable some of these without requiring code changes.

    To allow configuration to specify exactly which type of credential should be used, at least for the types that I wanted to support, I came up with the following:

    using Azure.Identity;

    // default to only allowing managed identities
    var options = new DefaultAzureCredentialOptions()
    {
        ExcludeVisualStudioCodeCredential = true,
        ExcludeVisualStudioCredential = true,
        ExcludeSharedTokenCacheCredential = true,
        ExcludeInteractiveBrowserCredential = true,
        ExcludeAzureCliCredential = true,
        ExcludeAzurePowerShellCredential = true,
        ExcludeEnvironmentCredential = true,
        // newer Azure.Identity releases add further sources (e.g. ExcludeWorkloadIdentityCredential,
        // ExcludeAzureDeveloperCliCredential); set those too if only managed identity should be allowed

        ExcludeManagedIdentityCredential = false,

        Diagnostics =
        {
            IsLoggingEnabled = true,
        }
    };

    // ctx is the HostBuilderContext passed to ConfigureServices((ctx, services) => ...)
    var credentialType = ctx.Configuration["AzureCredential"];
    if (!string.IsNullOrWhiteSpace(credentialType))
    {
        // set allowed credential types explicitly based on environment variable
        options.ExcludeAzureCliCredential = !credentialType.Contains("AzureCli", StringComparison.OrdinalIgnoreCase);
        options.ExcludeAzurePowerShellCredential = !credentialType.Contains("AzurePowerShell", StringComparison.OrdinalIgnoreCase);
        options.ExcludeManagedIdentityCredential = !credentialType.Contains("ManagedIdentity", StringComparison.OrdinalIgnoreCase);
        options.ExcludeEnvironmentCredential = !credentialType.Contains("Environment", StringComparison.OrdinalIgnoreCase);
    }
    var credential = new DefaultAzureCredential(options);
    