Python Azure Functions Identity-Based Connection for Trigger Bindings

SeaDude
January 29, 2024
293 views
0 votes
2 Answers

I can’t seem to find clear documentation on how to set a System-assigned Managed Identity-based connection for my Queue-triggered Azure Function.

Steps taken:

Enabled System-assigned Managed Identity (SAMI) for the Azure Function
On the Queue Storage Account, granted the SAMI Storage Queue Data Reader and Storage Queue Data Message Processor Roles per this doc.
Ensured the Extension Version is 5.0.0 or later

"extensionBundle": {
    "id": "Microsoft.Azure.Functions.ExtensionBundle",
    "version": "[4.*, 5.0.0)"
  }

Added a connection value to the Function’s function.json file:

{
  "scriptFile": "__init__.py",
  "bindings": [
    {
      "name": "msg",
      "type": "queueTrigger",
      "direction": "in",
      "queueName": "my-q",
      "connection": "QUEUE_CONN"
    }
  ]
}

Added a QUEUE_CONN__queueServiceUri app setting to the Function’s local.settings.json file per this SO question, which references this doc.

{
  "IsEncrypted": false,
  "Values": {
    "FUNCTIONS_WORKER_RUNTIME": "python",
    "AzureWebJobsStorage": "UseDevelopmentStorage=true",
    "QUEUE_CONN__queueServiceUri": "https://<my-q-storage>.queue.core.windows.net"
  }
}

After func azure functionapp publish <my-function> --publish-local-settings, and writing the appropriate setting to Azure…the function will not trigger when adding a new queue.

I also tried adding QUEUE_CONN__managedIdentityResourceId per this (contradicting?) doc. But this didn’t seem to trigger the Function upon adding a queue.
Also tried adding "QUEUE_CONN__credential": "managedidentity". Still unable to trigger the function.

I’d really like to get away from dealing with a Key Vault secret when all other connections within the function rely on SAMI auth.

Any ideas?

Answers

- SiddheshDesai
- January 29, 2024 at 8:37 am
- 0 votes
0
Even I received the same error code as yours, In order to make this Queue Trigger with managed Identity work, I have tried two methods and both of them worked successfully:-

Approach 1:-

My Local Function code:-

function.json:-
```
{
  "scriptFile": "__init__.py",
  "bindings": [
    {
      "name": "msg",
      "type": "queueTrigger",
      "direction": "in",
      "queueName": "queue1",
      "connection": "valleystrg1_STORAGE"
    }
  ]
}
```
init.py:-
```
import logging

from azure.functions import QueueMessage


def main(msg: QueueMessage) -> None:
    logging.info('Python queue trigger function processed a queue item: %s',
                 msg.get_body().decode('utf-8'))
```
local.settings.json:-

Note- settings from local.settings.json does not get uploaded to Function App configuration settings, As the local.settings.json file is .gitignored.

My Function App configuration settings:-

Note- My deployed function.json has valleystrg1_STORAGE in the connection as it is, I have just edited the Connection String in Configuration application setting like below:-
```
valleystrg1_STORAGE__queueServiceUri:https://valleystrg1.queue.core.windows.net
```
Provided Storage Queue Data Contributor role to my Function App managed Identity on Storage account level which has my queue:-

Output:-

Approach 2:-

Portal:-

I have directly created a Queue Trigger via Portal Edit:-
```
valleystrg2_STORAGE__queueServiceUri:https://valleystrg2.queue.core.windows.net
```
My function.json:-
```
{
  "bindings": [
    {
      "name": "msg",
      "type": "queueTrigger",
      "direction": "in",
      "queueName": "queue1",
      "connection": "valleystrg2_STORAGE"
    }
  ]
}
```
Added The function app managed identity Storage Queue Data Contributor role at Storage account level:-

Output:-
Login or Signup to reply.

- ericOnline
- January 29, 2024 at 9:04 pm
- 0 votes
0
Thanks for the detailed screenshots. Just an FYI, you can publish the key/value pairs in your local.settings.json file as App Settings by using func azure functionapp publish <your-function-app-name> --publish-local-settings. You need to be mindful of which values you publish.

Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.