Workload Identity Support #9266
Comments
Is there any follow up here?
Is there a plan for this update?
Just following up on this issue. Our team will be blocked to fully migrate to workload identity if this feature is not supported. Please let us know if there is any update here.
@mattchenderson flagging this for follow up
Identity team has announced that they will stop supporting aadpodidentity from September, 2023. And we are blocked to fully migrate out of aadpodidentity due to this issue. Can it be prioritized?
I've also proposed some changes to the
The changes that Will added are now live as part of https://www.nuget.org/packages/Microsoft.Extensions.Azure/1.7.0. I think updating our references to use that would be the right way to tackle this. Noting that changes may be needed in a couple of our other repos as well.
This will be resolved by #9480, but we need additional validation to ensure the scenarios described here are covered.
@chandlerkent this has been released with host version 4.27 and above. Closing this issue as resolved but please do let us know if you run into any issues. @wsugarman, if you can validate, that would be great.
@fabiocav - I can confirm that I am successfully using workload identity with my team's function pods in AKS. I did however have to forcibly bring in an updated extensions package (using I think we can fix that by updating the version of the library in I do see seemingly transient issues with my function app where it sometimes takes the Timer trigger listener a few tries to start, but I'm looking into it.
@fabiocav hi, is there documentation on how to use workflow identity with out-of-process Azure Functions in AKS? Update: with an Azure Functions out-of-process model C# function running on AKS, what I did to get it working with workload identity is adding these environment variables to the container:
What problem would the feature you're requesting solve? Please describe.
Microsoft recommends using Managed Identity when authenticating to Azure services, including Azure Storage. More recently Azure Functions have even added support for configuring identity-based connections inside of the host.json. If a user is hosting their Azure Functions in AKS, then the current host code can connect to the Azure Storage backend using an identity-based connection if AAD Pod Identity is configured. However, AAD Pod Identity has been deprecated, and it has been replaced by Azure Workload Identity. Unfortunately, this requires an update to the Azure.Identity library and/or its usage.

Describe the solution you'd like
The Azure.Identity library must be either:
1.9.0 and use the new WorkloadIdentityCredential type (or as part of DefaultAzureCredential) OR
1.5.0 such that the proper environment variables can be read to support the token exchange

Describe alternatives you've considered
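An added example, not part of the original issue or of the Functions host code: a preflight check that a pod carries the environment variables and projected token that the token exchange mentioned above depends on. The variable names, the `api://AzureADTokenExchange` audience and the `system:serviceaccount:` subject prefix are the Azure Workload Identity defaults and are assumptions here, since this page does not list them; the sample token helper builds a constructed, unsigned token.

```python
import base64, json, os, time

# Assumed names: Azure Workload Identity defaults, not taken from this page.
REQUIRED = ("AZURE_CLIENT_ID", "AZURE_TENANT_ID", "AZURE_FEDERATED_TOKEN_FILE")
EXPECTED_AUD = "api://AzureADTokenExchange"

def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def preflight(env, now=None):
    """Return a list of problems; an empty list means the pod looks ready."""
    problems = [f"{name} is not set" for name in REQUIRED if not env.get(name)]
    path = env.get("AZURE_FEDERATED_TOKEN_FILE")
    if not path:
        return problems
    try:
        with open(path, encoding="ascii") as fh:
            claims = jwt_claims(fh.read())
    except (OSError, ValueError) as exc:
        return problems + [f"cannot read projected token: {exc}"]
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"unexpected audience {aud!r}")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        problems.append("projected token is expired")
    if not str(claims.get("sub", "")).startswith("system:serviceaccount:"):
        problems.append("subject is not a Kubernetes service account")
    return problems

def constructed_token(aud, exp):
    # Constructed sample: unsigned, placeholder issuer, for offline testing only.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    body = {"iss": "https://oidc.example.invalid/", "aud": [aud], "exp": exp,
            "sub": "system:serviceaccount:demo:func-sa"}
    return ".".join([enc({"alg": "none"}), enc(body), "sig"])

if __name__ == "__main__":
    print(preflight(dict(os.environ)) or "workload identity preflight OK")
```

Run inside the function container, it reports which part of the contract is missing before the host attempts an identity-based storage connection; it never prints the token itself.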