
Workload Identity Support #9266

Closed
wsugarman opened this issue May 9, 2023 · 12 comments
Assignees
Labels
enhancement feature:identity Identifies items relating to identity-based connections kubernetes

Comments

@wsugarman
Contributor

wsugarman commented May 9, 2023

What problem would the feature you're requesting solve? Please describe.

Microsoft recommends using Managed Identity when authenticating to Azure services, including Azure Storage. More recently Azure Functions have even added support for configuring identity-based connections inside of the host.json. If a user is hosting their Azure Functions in AKS, then the current host code can connect to the Azure Storage backend using an identity-based connection if AAD Pod Identity is configured. However, AAD Pod Identity has been deprecated, and it has been replaced by Azure Workload Identity. Unfortunately, this requires an update to the Azure.Identity library and/or its usage.

Describe the solution you'd like

The Azure.Identity library must be either:

Describe alternatives you've considered

  1. Continue to use AAD Pod Identity
  2. Migrate to the usage of the temporary sidecar for Workload Identity
@ghost ghost assigned jviau May 9, 2023
@poadhika

Is there any follow up here?

@claudio-cauchi

Is there a plan for this update?

@poadhika

Just following up on this issue. Our team will be blocked from fully migrating to workload identity if this feature is not supported. Please let us know if there is any update here.

@fabiocav
Member

@mattchenderson flagging this for follow up

@poadhika

The Identity team has announced that they will stop supporting aadpodidentity from September 2023, and we are blocked from fully migrating out of aadpodidentity due to this issue. Can it be prioritized?

@wsugarman
Contributor Author

I've also proposed some changes to the Microsoft.Extensions.Azure library for workload identity which may help in the migration for Azure Functions: Azure/azure-sdk-for-net#37943

@mattchenderson mattchenderson added enhancement feature:identity Identifies items relating to identity-based connections kubernetes labels Aug 1, 2023
@mattchenderson
Contributor

mattchenderson commented Aug 9, 2023

The changes that Will added are now live as part of https://www.nuget.org/packages/Microsoft.Extensions.Azure/1.7.0

I think updating our references to use that would be the right way to tackle this. Noting that changes may be needed in a couple of our other repos as well.

@fabiocav
Member

This will be resolved by #9480, but we need additional validation to ensure the scenarios described here are covered.

@chandlerkent

chandlerkent commented Oct 6, 2023

@fabiocav has #9480 been released in a public package that resolves this issue and allows us to use a Workload Identity to authenticate to the function's backing Storage Account?

@fabiocav
Member

@chandlerkent this has been released with host version 4.27 and above.

Closing this issue as resolved but please do let us know if you run into any issues.

@wsugarman , if you can validate, that would be great.

@wsugarman
Contributor Author

@fabiocav - I can confirm that I am successfully using workload identity with my team's function pods in AKS.

I did however have to forcibly bring in an updated extensions package (using <FunctionsPreservedDependencies Include="Microsoft.Azure.WebJobs.Extensions.dll" />) alongside the latest versions of Azure.Identity and Microsoft.Extensions.Azure. Without using FunctionsPreservedDependencies, it would seem that the Timer Triggers would attempt to use an old version of Microsoft.Extensions.Azure that had no idea what "workloadidentity" was (nor did its version of DefaultAzureCredential support it). However, I'm not much of an expert in how the function host loads its own assemblies versus those in user code 😬

I think we can fix that by updating the version of the library in Microsoft.Azure.WebJobs.Host.Storage, which I am doing in this PR: Azure/azure-webjobs-sdk#3035

I do see seemingly transient issues with my function app where it sometimes takes the Timer trigger listener a few tries to start, but I'm looking into it.

@pswzyu

pswzyu commented Apr 28, 2024

@fabiocav hi, is there documentation on how to use workflow identity with an out-of-process Azure Function in AKS?

Update: with an Azure Functions out-of-process model C# function running on AKS, what I did to get it working with workload identity was to add these environment variables to the container:

    env:
    - name: FUNCTIONS_WORKER_RUNTIME
      value: "dotnet-isolated"
    - name: AzureWebJobsStorage__credential
      value: "workloadidentity"
    - name: AzureWebJobsStorage__accountname
      value: "<azure storage account name>"
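As an added example, not from this thread, here is how those environment variables sit inside a complete pod definition under Azure Workload Identity: a ServiceAccount annotated with the managed identity's client id, and a Deployment labeled `azure.workload.identity/use` so the webhook injects the federated token the host's `workloadidentity` credential consumes. The namespace, the names `func-sa` and `func-app`, the image, and every bracketed value are placeholders I have assumed.

```yaml
# Added example (not from the thread): out-of-process Functions pod wired to
# Azure Workload Identity. Bracketed values and the names below are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: func-sa
  namespace: functions
  annotations:
    # User-assigned managed identity whose federated credential trusts this
    # service account (subject system:serviceaccount:functions:func-sa)
    azure.workload.identity/client-id: "<managed identity client id>"
    azure.workload.identity/tenant-id: "<tenant id>"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: func-app
  namespace: functions
spec:
  replicas: 1
  selector:
    matchLabels:
      app: func-app
  template:
    metadata:
      labels:
        app: func-app
        # Opts the pod in to the workload identity webhook, which injects
        # AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_FEDERATED_TOKEN_FILE and
        # mounts the projected service account token the credential exchanges
        azure.workload.identity/use: "true"
    spec:
      serviceAccountName: func-sa
      containers:
      - name: func-app
        image: "<function app image>"
        env:
        - name: FUNCTIONS_WORKER_RUNTIME
          value: "dotnet-isolated"
        # Identity-based connection: no storage account key or connection
        # string lives in the manifest; the identity's RBAC role assignments
        # on the storage account are granted outside this file
        - name: AzureWebJobsStorage__credential
          value: "workloadidentity"
        - name: AzureWebJobsStorage__accountname
          value: "<azure storage account name>"
```

Because the manifest carries no secret, rotating or revoking access is done on the managed identity and its role assignments rather than by redeploying the pod.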
