Add support for User Assigned Identity for functionapp and webapp #9887

Open
ahmedelnably opened this issue Jul 8, 2019 · 12 comments

Contributor

@ahmedelnably ahmedelnably commented Jul 8, 2019

Is your feature request related to a problem? Please describe.
Add support for user assigned identity

Describe the solution you'd like

Describe alternatives you've considered
Portal

Additional context
Add any other context or screenshots about the feature request here.

Contributor Author

@ahmedelnably ahmedelnably commented Jul 8, 2019

Contributor Author

@ahmedelnably ahmedelnably commented Jul 8, 2019

@panchagnula panchagnula changed the title Add support for User Assigned Identity for Functionapp and Webapp Add support for User Assigned Identity for functionapp and webapp Jul 9, 2019
@btardif btardif added this to the Sprint 68 milestone Jul 15, 2019
@btardif btardif assigned btardif and unassigned mattchenderson Jul 15, 2019
Member

@btardif btardif commented Jul 15, 2019

I think we understand the fix that is needed here.

We need to add the --identities parameter and an enum to list [System|User]

@panchagnula panchagnula modified the milestones: Sprint 68, Sprint 69 Aug 7, 2019
Contributor

@panchagnula panchagnula commented Aug 7, 2019

Moving this by a sprint

@panchagnula panchagnula modified the milestones: Sprint 73, Backlog Aug 28, 2019
Contributor

@panchagnula panchagnula commented Aug 28, 2019

@btardif I moved this to backlog - since we don't have time or resources to work on this currently - something we need to look at during our planning.

Contributor

@panchagnula panchagnula commented Sep 20, 2019

@ahmedelnably we don't have an ETA on this - if there is an urgency for this, this needs to be reassigned. Thank you.

Contributor Author

@ahmedelnably ahmedelnably commented Sep 20, 2019

@mattchenderson for FYI

Contributor

@Jarlotee Jarlotee commented Nov 18, 2019

+1 would love for azure cli to not be months out of sync with portal and arm capabilities 😅

@oliviervaillancourt oliviervaillancourt commented Jan 24, 2020

Any update on this one in 2020?

Member

@jongio jongio commented Jan 31, 2020

Would be great to bump this up. Not having this breaks the CLI-only flow. Dev is required to switch context to the portal, ARM, or use the workaround below.

Member

@jongio jongio commented Jan 31, 2020

Here's a workaround:

  1. Create the user assigned identity

```
az identity create -n {name} -g {resource_group}
```

https://docs.microsoft.com/en-us/cli/azure/identity?view=azure-cli-latest#az-identity-create

  2. Use az resource list -n {name} to get the resource id

https://docs.microsoft.com/en-us/cli/azure/resource?view=azure-cli-latest#az-resource-list

  3. Use az resource update to directly update the resource's assigned identity

```
az resource update -n {functionappname} -g {resource_group} --resource-type "Microsoft.Web/sites" --set identity="{\"type\": \"UserAssigned\", \"userAssignedIdentities\": {\"<user assigned identity resource path>\": {}}}"
```

Full example:

```
az resource update -n jongfuncblob2 -g jongrg4 --resource-type "Microsoft.Web/sites" --set identity="{\"type\": \"UserAssigned\", \"userAssignedIdentities\": {\"/subscriptions/-aa79-488b-b37b-d6e892009fdf/resourceGroups/jongrg4/providers/Microsoft.ManagedIdentity/userAssignedIdentities/jonguserassignedmi\": {}}}"
```

https://docs.microsoft.com/en-us/cli/azure/resource?view=azure-cli-latest#az-resource-update

BIG WARNING WITH THIS: The az resource update command will overwrite whatever you have in that property - so make sure you get the property first, manually merge, and then write the new values.

For example, if you already have a systemAssigned Identity like this:

```json
{
  "id": "/subscriptions/-aa79-488b-b37b-d6e892009fdf/resourceGroups/jongrg4/providers/Microsoft.Web/sites/jongfuncblob2",
  "identity": {
    "principalId": "-24cd-49e9-9441-1edca4c57e07",
    "tenantId": "-86f1-41af-91ab-2d7cd011db47",
    "type": "SystemAssigned",
    "userAssignedIdentities": null
  },
  "kind": "functionapp,linux,container",
  "location": "westus2",
  "managedBy": null,
  "name": "jongfuncblob2",
  "plan": null,
  "properties": null,
  "resourceGroup": "jongrg4",
  "sku": null,
  "tags": {},
  "type": "Microsoft.Web/sites"
}
```

And you run the above command to set the userAssigned identity, then you will overwrite that and turn off the system assigned identity.

```json
{
  "id": "/subscriptions/-aa79-488b-b37b-d6e892009fdf/resourceGroups/jongrg4/providers/Microsoft.Web/sites/jongfuncblob2",
  "identity": {
    "principalId": null,
    "tenantId": null,
    "type": "UserAssigned",
    "userAssignedIdentities": {
      "/subscriptions/-aa79-488b-b37b-d6e892009fdf/resourcegroups/jongrg4/providers/Microsoft.ManagedIdentity/userAssignedIdentities/jonguserassignedmi": {
        "clientId": "-3257-4696-a41b-d66d782cd409",
        "principalId": "-634d-4b03-a31b-6fb820709bd8"
      }
    }
  },
  "kind": "functionapp,linux,container",
  "location": "westus2",
  "managedBy": null,
  "name": "jongfuncblob2",
  "plan": null,
  "properties": null,
  "resourceGroup": "jongrg4",
  "sku": null,
  "tags": {},
  "type": "Microsoft.Web/sites"
}
```
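
The get-then-merge step the warning above calls for, as an added example that is not part of the original comment or of azure-cli: it takes the site's current identity object and returns the merged value to write back, so an existing system assigned identity stays enabled. The function names and sample resource IDs are constructed for illustration; IDs are compared case-insensitively because the output above echoes the ID with `resourcegroups` in lower case.

```python
import json

SYSTEM, USER = "SystemAssigned", "UserAssigned"


def merge_user_assigned(current, new_identity_id):
    """Return the identity payload to write, keeping what is already assigned.

    `current` is the "identity" object read from the site (or None).
    """
    current = current or {}
    # "type" is a comma-separated set: "SystemAssigned, UserAssigned", "None", ...
    kinds = {k.strip() for k in (current.get("type") or "None").split(",")}
    kinds.discard("None")
    kinds.add(USER)

    # Keep identities already attached. On write each value is an empty
    # object; clientId/principalId are filled in by the service.
    merged = {rid: {} for rid in (current.get("userAssignedIdentities") or {})}
    # The service may echo IDs with different casing, so compare folded
    # to avoid attaching the same identity twice.
    if new_identity_id.lower() not in {rid.lower() for rid in merged}:
        merged[new_identity_id] = {}

    ordered = [k for k in (SYSTEM, USER) if k in kinds]
    return {"type": ", ".join(ordered), "userAssignedIdentities": merged}


def as_set_argument(payload):
    """Render the payload as the value for `--set identity=...`."""
    return "identity=" + json.dumps(payload, separators=(",", ":"))


# Constructed sample, shaped like the "identity" block shown above.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
NEW_ID = (SUB + "/resourceGroups/example-rg/providers/"
          "Microsoft.ManagedIdentity/userAssignedIdentities/example-mi")
current = {"principalId": "constructed", "tenantId": "constructed",
           "type": "SystemAssigned", "userAssignedIdentities": None}

if __name__ == "__main__":
    print(as_set_argument(merge_user_assigned(current, NEW_ID)))
```
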

Member

@jongio jongio commented Feb 14, 2020

I created a new issue to track the refactoring of --assign-identity and identity assign. #12217

That refactor needs to be completed before this can be implemented.
