
I am defining an Azure Container Apps job. The job will consume messages from a Service Bus topic subscription. The rule will authenticate using a user assigned identity. The service is defined as follows:

resource platformIoTTransformJob 'Microsoft.App/jobs@2024-03-01' = {
  name: platformIoTTransformJobName
  location: Location
  properties: {
    environmentId: environment.id
    configuration: {
      registries: [
        {
          server: acr.properties.loginServer
          identity: agentIdentity.id
        }
      ]
      manualTriggerConfig: {
        replicaCompletionCount: 1
        parallelism: 1
      }
      eventTriggerConfig: {
        replicaCompletionCount: 1
        parallelism: 1
        scale: {
          minExecutions: 0
          maxExecutions: 100
          pollingInterval: 30
          rules: [
            {
              name: 'azure-servicebus-topic-rule'
              type: 'azure-servicebus'
              metadata: any(
                {
                  topicName: platformServiceBus.outputs.TopicName
                  subscriptionName: platformServiceBus.outputs.SubscriptionName
                  namespace: platformServiceBus.outputs.ServiceBusNamespaceName
                  messageCount: '5'
                }
              )
#disable-next-line BCP037
              identity: platformIoTIdentity.id
            }
          ]
        }
      }
      replicaRetryLimit: replicaRetryLimit
      replicaTimeout: replicaTimeout
      triggerType: 'Event'
    }
    template: {
      containers: [
        {
          image: platformIoTTransformJobImage
          name: platformIoTTransformJobName
          env: [
            {
              name: 'APPINSIGHTS_INSTRUMENTATIONKEY'
              value: AppInsightsInstrumentationKey
            }
            {
              name: 'UserManagedIdentity__ClientId'
              value: platformIoTIdentity.properties.clientId
            }
          ]
          args: args
          command: command
          resources: {
            cpu: json(cpu)
            memory: memory
          }
        }
      ]
    }
  }
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${platformIoTIdentity.id}': {}
      '${agentIdentity.id}': {}
    }
  }
}

Here platformServiceBus is a module that puts the required Service Bus resources and permissions in place, and platformIoTIdentity has the receiver role on the topic subscription resource.

I'm using the version 2024-03-01 because according to the docs it should be available starting from 2024-02-02-preview.

I also tried to specify the identity property in the rule metadata, but without success.

In the Execution history I cannot find any execution even if there are active messages in the queue, so I think that the problem is related to the scale rule. Where is the problem and how can I troubleshoot it? I tried to inspect the logs (ContainerAppSystemLogs_CL), but couldn't find anything related to this job.

  • Have you had a look at this? I know it is not Bicep, but let's figure out your issue first techcommunity.microsoft.com/t5/apps-on-azure-blog/… github.com/Azure-Samples/container-apps-jobs Commented Jul 17, 2024 at 14:31
  • @JulianHüppauff I had already checked it. However, it utilizes a connection string, I prefer using managed identities. Commented Jul 18, 2024 at 6:32
  • If you use key based authentication, does it work? So we would know it is just some authentication, connection issue then Commented Jul 18, 2024 at 6:59
  • Makes sense. I will try using the connection string to narrow down the research scope for the problem. Commented Jul 18, 2024 at 14:32

1 Answer

Container Apps jobs use a KEDA scaler for the scale rule in an event-type trigger, as mentioned in the MS documentation.

The KEDA Service Bus scaler uses three authentication methods, as mentioned in the KEDA documentation:

  1. Connection string
  2. Pod Identity
  3. Workload Identity

I tried using UserAssignedIdentity to access Service Bus but it did not work. It worked fine with a connection string.

Currently only the Key Vault reference method is working with managed identity.

The Bicep code below worked for me.

Note: I am using a username and password for the container registry.

resource managedEnvironment 'Microsoft.App/managedEnvironments@2024-03-01' existing = {
  name: 'managedEnvironment-VivekRG-bff0'
  scope: resourceGroup('Vivek-RG')
}

resource useridentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-preview' existing = {
  name: 'testuseridentity'
  scope: resourceGroup('Vivek-RG')
}

resource keyvault 'Microsoft.KeyVault/vaults@2024-04-01-preview' existing = {
  name: 'containerjobkeyvault'
  scope: resourceGroup('Vivek-RG')
}

resource secret 'Microsoft.KeyVault/vaults/secrets@2024-04-01-preview' existing = {
  name: 'sbconn'
  parent: keyvault
}

resource platformIoTTransformJob 'Microsoft.App/jobs@2024-03-01' = {
  name: 'containerjob25julybicep'  
  location: 'Australia East'  
  properties: {
    environmentId: managedEnvironment.id  
    configuration: {
      registries: [
        {
          server: 'vivek.azurecr.io'  
          username: 'vivek'
          passwordSecretRef: 'password'  
        }
      ]
      secrets:[
        {
          name: 'password'
          value: 'xxxxxxxxx'
        }
        {
          name: 'servicebus'
          keyVaultUrl: secret.properties.secretUri
          identity: useridentity.id
        }
      ]
      manualTriggerConfig: {
        replicaCompletionCount: 1
        parallelism: 1
      }
      eventTriggerConfig: {
        replicaCompletionCount: 1
        parallelism: 1
        scale: {
          minExecutions: 0
          maxExecutions: 5
          pollingInterval: 30
          rules: [
            {
              name: 'azure-servicebus-topic-rule'
              type: 'azure-servicebus'
              metadata: {
                topicName: 'testtopic'  
                subscriptionName: 'testsub' 
                messageCount: '5' 
              }
              auth: [{
                secretRef: 'servicebus'
                triggerParameter: 'connection'
              }]
            }
          ]
        }
      }
      replicaRetryLimit: 0  
      replicaTimeout: 1800  
      triggerType: 'Event'
    }
    template: {
      containers: [
        {
          image: 'vivek.azurecr.io/sbcontainerjobtopic:latest'  
          name: 'containerjob25julybicep'  
          
          args: []
          command: []
          resources: {
            cpu: json('0.5')  
            memory: '1.0Gi'  
          }
        }
      ]
    }
  }
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${useridentity.id}':{}
    }
  }
}

Python code to process messages:

from azure.identity import ManagedIdentityCredential
from azure.servicebus import ServiceBusClient

SERVICE_BUS_NAMESPACE = "https://sbjobs.servicebus.windows.net"
TOPIC_NAME = "testtopic"
SUB_NAME = "testsub"
MANAGED_IDENTITY_CLIENT_ID = "xxxxxxxxxxxxxxxxxxxxxxxxxx"

# Authenticate as the user-assigned managed identity attached to the job.
credential = ManagedIdentityCredential(client_id=MANAGED_IDENTITY_CLIENT_ID)

service_bus_client = ServiceBusClient(
    fully_qualified_namespace=SERVICE_BUS_NAMESPACE,
    credential=credential
)

with service_bus_client:
    receiver = service_bus_client.get_subscription_receiver(topic_name=TOPIC_NAME, subscription_name=SUB_NAME)
    with receiver:
        # Pull up to 10 messages, waiting at most 5 seconds, and settle each one.
        received_msgs = receiver.receive_messages(max_message_count=10, max_wait_time=5)
        for msg in received_msgs:
            print("Received: " + str(msg))
            receiver.complete_message(msg)

print("Receive messages completed.")
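
Added example, not part of the answer above or of any Azure tooling: a small Python audit of where each scale rule in a job definition gets its credentials, covering the rule-level `identity` from the question and the Key Vault-backed `auth` secret from the answer. `audit_scale_rules`, `sb_rule`, `UAMI` and `SAMPLE_JOB` are hypothetical names, all sample values are constructed, and only user-assigned identities are handled.

```python
# Added example: audit how each scale rule of a Container Apps job gets its
# credentials. Field names follow the Bicep on this page; sample data is constructed.
UAMI = ("/subscriptions/0000/resourceGroups/rg/providers/"
        "Microsoft.ManagedIdentity/userAssignedIdentities/demo")  # placeholder id

def audit_scale_rules(job):
    """Return (rule_name, finding) tuples for the job's event-trigger scale rules."""
    cfg = job["properties"]["configuration"]
    secrets = {s["name"]: s for s in cfg.get("secrets", [])}
    # ARM resource ids are case-insensitive, so compare them lower-cased.
    attached = {i.lower() for i in job.get("identity", {}).get("userAssignedIdentities", {})}
    findings = []
    for r in cfg.get("eventTriggerConfig", {}).get("scale", {}).get("rules", []):
        name, auth, ident = r["name"], r.get("auth") or [], r.get("identity")
        if not auth and not ident:
            findings.append((name, "no auth entry and no identity: the scaler has no credentials"))
        if ident and ident.lower() not in attached:
            findings.append((name, "rule identity is not attached to the job"))
        for entry in auth:
            secret = secrets.get(entry["secretRef"])
            if secret is None:
                findings.append((name, f"secretRef '{entry['secretRef']}' is not defined"))
            elif "keyVaultUrl" not in secret:
                findings.append((name, f"secret '{secret['name']}' is inline, not a Key Vault reference"))
            elif secret.get("identity", "").lower() not in attached:
                findings.append((name, f"identity reading '{secret['name']}' is not attached to the job"))
    return findings

def sb_rule(name, **extra):
    """Build a constructed azure-servicebus rule with the given auth/identity fields."""
    return {"name": name, "type": "azure-servicebus",
            "metadata": {"topicName": "testtopic", "subscriptionName": "testsub"}, **extra}

CONN = {"triggerParameter": "connection"}
SAMPLE_JOB = {  # constructed
    "identity": {"type": "UserAssigned", "userAssignedIdentities": {UAMI: {}}},
    "properties": {"configuration": {
        "secrets": [
            {"name": "servicebus", "identity": UAMI,
             "keyVaultUrl": "https://example.vault.azure.net/secrets/sbconn"},
            {"name": "inline-conn", "value": "<redacted>"},
        ],
        "eventTriggerConfig": {"scale": {"rules": [
            sb_rule("kv-backed", auth=[{"secretRef": "servicebus", **CONN}]),
            sb_rule("inline", auth=[{"secretRef": "inline-conn", **CONN}]),
            sb_rule("dangling", auth=[{"secretRef": "missing", **CONN}]),
            sb_rule("bare"),
            sb_rule("rule-identity", identity=UAMI.upper()),
        ]}},
    }},
}
```

The audit checks wiring only; whether the deployed API version honours a rule-level `identity` still has to be confirmed against the resource itself.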
