I'd like to use managed identities instead of username and password configured in the storage account connection. I only see the option to configure the queue trigger with a connection string, but can't add a managed identity to avoid secrets to be configured. Is that possible at all?
2 Answers
I'm fairly certain it is not possible as of now, you can only use managed identities when the function runs to access resources, not for the trigger. I cannot dig up a proof for that right now, saw it on some GH issue.
2 Comments
juunas
Yeah this is my guess as well. It'd be possible if the connection string allowed to define "UseManagedIdentity=True" or something.
4c74356b41
yeah, similar to what appservice does with keyvault reference
This is now possible using the Microsoft Azure Function Extension Libraries, e.g. "Microsoft.Azure.WebJobs.Extensions.Storage.Blobs".
Exampleconnection configuration for managed identities:
"QueueSettings:StorageAccount": "",
"QueueSettings:StorageAccount__queueServiceUri": "https://mytestfa.queue.core.windows.net/",
"QueueSettings:StorageAccount__credential": "managedidentity"
And reference the connection in the function trigger like this:
[Function("ProcessUserData")]
public async Task ProcessUserData([QueueTrigger("%QueueSettings:UserDataQueue%", Connection = "QueueSettings:StorageAccount")] string queueItem, FunctionContext context)
{
var logger = context.GetLogger<QueueListener>();
...
}
Original announcement from the Microsoft DevBlog here: https://devblogs.microsoft.com/azure-sdk/introducing-the-new-azure-function-extension-libraries-beta/
also reference here: Azure Functions - use queue trigger with managed identity
