Merge pull request #5971 from eamonoreilly/master
Sample for Azure Function with managed identity enabled
Showing 4 changed files with 348 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
# Provision a function app on a consumption plan with managed identity enabled | ||
|
||
[![Deploy to Azure](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazure.png)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2F101-functions-managed-identity%2Fazuredeploy.json) | ||
[![Visualize](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/visualizebutton.png)](http://armviz.io/#/?loadhttp://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2Fazure%2Fazure-quickstart-templates%2Fmaster%2F101-functions-managed-identity%2Fazuredeploy.json) | ||
|
||
This template creates a function application on a consumption plan on Windows. It also enables managed identity for the application and returns the principal id as output. | ||
|
||
## Managed identities in Azure Functions | ||
|
||
You can learn more about [managed identities](https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity) and common scenarios in the [documentation](https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity#obtaining-tokens-for-azure-resources). | ||
|
||
Another common scenario is to grant the managed identity access to either resource groups or subscriptions so that the function has permissions to take action on Azure resources. This is useful when using functions to automate Azure operational tasks. | ||
|
||
## Grant the managed identity contributor access to the subscription or resource group so it can perform actions | ||
|
||
The below command sets the access at the subscription level. | ||
|
||
```powershell | ||
$Context = Get-AzContext | ||
New-AzRoleAssignment -ObjectId <principalId> -RoleDefinitionName Contributor -Scope "/subscriptions/$($Context.Subscription)" | ||
``` | ||
|
||
## Tasks performed by this template | ||
|
||
This template performs the following tasks | ||
|
||
* Creates a storage account to store the functions code. | ||
* Creates an application insights resource to store logs and metrics for the function. | ||
* Creates a functions application with managed identity enabled, and running on a consumption plan. | ||
|
||
For more information about Azure Functions, see the [Azure Functions Overview](https://azure.microsoft.com/en-us/documentation/articles/functions-overview/). |
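Review bot: The role assignment under "Grant the managed identity contributor access" assigns `Contributor` at `/subscriptions/...` scope, so the function's identity can modify every resource in the subscription, and although the heading says "subscription or resource group" only the subscription-wide command is shown. Suggest leading with a resource-group-scoped assignment (a `-Scope` ending in `/resourceGroups/<name>`, or `-ResourceGroupName`), recommending a narrower built-in role where the automation task allows it, and keeping the subscription-level command as the explicit exception. Separately, the Visualize badge URL repeats its prefix (`http://armviz.io/#/?loadhttp://armviz.io/#/?load=...`), which looks like a copy-paste error and should be a single `http://armviz.io/#/?load=...`.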
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,298 @@ | ||
{ | ||
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", | ||
"contentVersion": "1.0.0.0", | ||
"parameters": { | ||
"functionAppName": { | ||
"type": "string", | ||
"defaultValue": "[uniqueString(resourceGroup().id)]", | ||
"metadata": { | ||
"description": "Specify the name of the function application" | ||
} | ||
}, | ||
"location": { | ||
"type": "string", | ||
"defaultValue": "[resourceGroup().location]", | ||
"metadata": { | ||
"description": "Specify the location for the function application resources" | ||
} | ||
}, | ||
"ApplicationInsightsLocation": { | ||
"type": "string", | ||
"defaultValue": "West Europe", | ||
"allowedValues": [ | ||
"East US", | ||
"South Central US", | ||
"North Europe", | ||
"West Europe", | ||
"Southeast Asia", | ||
"West US 2", | ||
"Central India", | ||
"Canada Central", | ||
"UK South" | ||
], | ||
"metadata": { | ||
"description": "Specify the region for Application Insights data" | ||
} | ||
}, | ||
"runtimeStack": { | ||
"type": "string", | ||
"defaultValue": "powershell", | ||
"allowedValues": [ | ||
"powershell", | ||
"dotnet", | ||
"node", | ||
"java" | ||
], | ||
"metadata": { | ||
"description": "Pick the language runtime that you want enabled" | ||
} | ||
}, | ||
"timezone": { | ||
"type": "string", | ||
"defaultValue": "UTC", | ||
"allowedValues": [ | ||
"Dateline Standard Time", | ||
"UTC-11", | ||
"Aleutian Standard Time", | ||
"Hawaiian Standard Time", | ||
"Marquesas Standard Time", | ||
"Alaskan Standard Time", | ||
"UTC-09", | ||
"Pacific Standard Time (Mexico)", | ||
"UTC-08", | ||
"Pacific Standard Time", | ||
"US Mountain Standard Time", | ||
"Mountain Standard Time (Mexico)", | ||
"Mountain Standard Time", | ||
"Central America Standard Time", | ||
"Central Standard Time", | ||
"Easter Island Standard Time", | ||
"Central Standard Time (Mexico)", | ||
"Canada Central Standard Time", | ||
"SA Pacific Standard Time", | ||
"Eastern Standard Time (Mexico)", | ||
"Eastern Standard Time", | ||
"Haiti Standard Time", | ||
"Cuba Standard Time", | ||
"US Eastern Standard Time", | ||
"Turks And Caicos Standard Time", | ||
"Paraguay Standard Time", | ||
"Atlantic Standard Time", | ||
"Venezuela Standard Time", | ||
"Central Brazilian Standard Time", | ||
"SA Western Standard Time", | ||
"Pacific SA Standard Time", | ||
"Newfoundland Standard Time", | ||
"Tocantins Standard Time", | ||
"E. South America Standard Time", | ||
"SA Eastern Standard Time", | ||
"Argentina Standard Time", | ||
"Greenland Standard Time", | ||
"Montevideo Standard Time", | ||
"Magallanes Standard Time", | ||
"Saint Pierre Standard Time", | ||
"Bahia Standard Time", | ||
"UTC-02", | ||
"Mid-Atlantic Standard Time", | ||
"Azores Standard Time", | ||
"Cape Verde Standard Time", | ||
"UTC", | ||
"Morocco Standard Time", | ||
"GMT Standard Time", | ||
"Greenwich Standard Time", | ||
"W. Europe Standard Time", | ||
"Central Europe Standard Time", | ||
"Romance Standard Time", | ||
"Sao Tome Standard Time", | ||
"Central European Standard Time", | ||
"W. Central Africa Standard Time", | ||
"Jordan Standard Time", | ||
"GTB Standard Time", | ||
"Middle East Standard Time", | ||
"Egypt Standard Time", | ||
"E. Europe Standard Time", | ||
"Syria Standard Time", | ||
"West Bank Standard Time", | ||
"South Africa Standard Time", | ||
"FLE Standard Time", | ||
"Israel Standard Time", | ||
"Kaliningrad Standard Time", | ||
"Sudan Standard Time", | ||
"Libya Standard Time", | ||
"Namibia Standard Time", | ||
"Arabic Standard Time", | ||
"Turkey Standard Time", | ||
"Arab Standard Time", | ||
"Belarus Standard Time", | ||
"Russian Standard Time", | ||
"E. Africa Standard Time", | ||
"Iran Standard Time", | ||
"Arabian Standard Time", | ||
"Astrakhan Standard Time", | ||
"Azerbaijan Standard Time", | ||
"Russia Time Zone 3", | ||
"Mauritius Standard Time", | ||
"Saratov Standard Time", | ||
"Georgian Standard Time", | ||
"Caucasus Standard Time", | ||
"Afghanistan Standard Time", | ||
"West Asia Standard Time", | ||
"Ekaterinburg Standard Time", | ||
"Pakistan Standard Time", | ||
"India Standard Time", | ||
"Sri Lanka Standard Time", | ||
"Nepal Standard Time", | ||
"Central Asia Standard Time", | ||
"Bangladesh Standard Time", | ||
"Omsk Standard Time", | ||
"Myanmar Standard Time", | ||
"SE Asia Standard Time", | ||
"Altai Standard Time", | ||
"W. Mongolia Standard Time", | ||
"North Asia Standard Time", | ||
"N. Central Asia Standard Time", | ||
"Tomsk Standard Time", | ||
"China Standard Time", | ||
"North Asia East Standard Time", | ||
"Singapore Standard Time", | ||
"W. Australia Standard Time", | ||
"Taipei Standard Time", | ||
"Ulaanbaatar Standard Time", | ||
"Aus Central W. Standard Time", | ||
"Transbaikal Standard Time", | ||
"Tokyo Standard Time", | ||
"North Korea Standard Time", | ||
"Korea Standard Time", | ||
"Yakutsk Standard Time", | ||
"Cen. Australia Standard Time", | ||
"AUS Central Standard Time", | ||
"E. Australia Standard Time", | ||
"AUS Eastern Standard Time", | ||
"West Pacific Standard Time", | ||
"Tasmania Standard Time", | ||
"Vladivostok Standard Time", | ||
"Lord Howe Standard Time", | ||
"Bougainville Standard Time", | ||
"Russia Time Zone 10", | ||
"Magadan Standard Time", | ||
"Norfolk Standard Time", | ||
"Sakhalin Standard Time", | ||
"Central Pacific Standard Time", | ||
"Russia Time Zone 11", | ||
"New Zealand Standard Time", | ||
"UTC+12", | ||
"Fiji Standard Time", | ||
"Kamchatka Standard Time", | ||
"Chatham Islands Standard Time", | ||
"UTC+13", | ||
"Tonga Standard Time", | ||
"Samoa Standard Time", | ||
"Line Islands Standard Time" | ||
], | ||
"metadata": { | ||
"description": "Pick the timezone to use for the function" | ||
} | ||
} | ||
}, | ||
"variables": { | ||
"hostingPlanName": "[parameters('functionAppName')]", | ||
"storageAccountName": "[concat('storage', uniquestring(resourceGroup().id))]" | ||
}, | ||
"resources": [ | ||
{ | ||
"name": "[parameters('functionAppName')]", | ||
"type": "Microsoft.Web/sites", | ||
"apiVersion": "2018-02-01", | ||
"location": "[parameters('location')]", | ||
"kind": "functionapp", | ||
"dependsOn": [ | ||
"[resourceId('Microsoft.Web/serverfarms/', variables('hostingPlanName'))]", | ||
"[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]", | ||
"[resourceId('microsoft.insights/components/', parameters('functionAppName'))]" | ||
], | ||
"identity": { | ||
"type": "SystemAssigned" | ||
}, | ||
"properties": { | ||
"siteConfig": { | ||
"appSettings": [ | ||
{ | ||
"name": "FUNCTIONS_WORKER_RUNTIME", | ||
"value": "[parameters('runtimeStack')]" | ||
}, | ||
{ | ||
"name": "AzureWebJobsStorage", | ||
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=',variables('storageAccountName'),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2017-06-01').keys[0].value)]" | ||
}, | ||
{ | ||
"name": "FUNCTIONS_EXTENSION_VERSION", | ||
"value": "~2" | ||
}, | ||
{ | ||
"name": "APPINSIGHTS_INSTRUMENTATIONKEY", | ||
"value": "[reference(resourceId('microsoft.insights/components/', parameters('functionAppName')), '2018-05-01-preview').InstrumentationKey]" | ||
}, | ||
{ | ||
"name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING", | ||
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')),'2017-06-01').keys[0].value)]" | ||
}, | ||
{ | ||
"name": "WEBSITE_CONTENTSHARE", | ||
"value": "[toLower(parameters('functionAppName'))]" | ||
}, | ||
{ | ||
"name": "WEBSITE_TIME_ZONE", | ||
"value": "[parameters('timezone')]" | ||
} | ||
] | ||
}, | ||
"name": "[parameters('functionAppName')]", | ||
"clientAffinityEnabled": false, | ||
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms/', variables('hostingPlanName'))]" | ||
} | ||
}, | ||
{ | ||
"type": "Microsoft.Web/serverfarms", | ||
"apiVersion": "2018-11-01", | ||
"name": "[variables('hostingPlanName')]", | ||
"location": "[parameters('location')]", | ||
"properties": { | ||
"name": "[variables('hostingPlanName')]" | ||
}, | ||
"sku": { | ||
"name": "Y1", | ||
"tier": "Dynamic", | ||
"size": "Y1", | ||
"family": "Y", | ||
"capacity": 0 | ||
} | ||
}, | ||
{ | ||
"apiVersion": "2017-06-01", | ||
"type": "Microsoft.Storage/storageAccounts", | ||
"name": "[variables('storageAccountName')]", | ||
"location": "[parameters('location')]", | ||
"sku": { | ||
"name": "Standard_LRS" | ||
} | ||
}, | ||
{ | ||
"apiVersion": "2018-05-01-preview", | ||
"name": "[parameters('functionAppName')]", | ||
"type": "Microsoft.Insights/components", | ||
"location": "[parameters('ApplicationInsightsLocation')]", | ||
"tags": { | ||
"[concat('hidden-link:', resourceId('Microsoft.Web/sites/', parameters('functionAppName')))]": "Resource" | ||
}, | ||
"properties": { | ||
"ApplicationId": "[parameters('functionAppName')]" | ||
} | ||
} | ||
], | ||
"outputs": { | ||
"principalId": { | ||
"type": "string", | ||
"value": "[reference(concat(resourceId('Microsoft.Web/sites/', parameters('functionAppName')), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2015-08-31-PREVIEW').principalId]" | ||
} | ||
} | ||
} |
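Review bot: Nothing in this template enforces TLS: the `Microsoft.Web/sites` `properties` block has no `httpsOnly`, and the `Microsoft.Storage/storageAccounts` resource sets only `sku`, with no `properties.supportsHttpsTrafficOnly` (and no `kind`). Suggest adding `"httpsOnly": true` on the site and `"supportsHttpsTrafficOnly": true` on the storage account, since that account holds the function code and its key is written into the `AzureWebJobsStorage` and `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` app settings. Also, the `principalId` output goes through `/providers/Microsoft.ManagedIdentity/Identities/default` with a `2015-08-31-PREVIEW` API version; reading `.identity.principalId` from a `'Full'` reference to the site would avoid depending on a preview API, and the template `$schema` URL could use `https` as the parameters file does.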
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
{ | ||
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", | ||
"contentVersion": "1.0.0.0", | ||
"parameters": { | ||
"functionAppName": { | ||
"value": "GEN-UNIQUE" | ||
} | ||
} | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
{ | ||
"$schema": "https://aka.ms/azure-quickstart-templates-metadata-schema#", | ||
"type": "QuickStart", | ||
"itemDisplayName": "Creates a function app with managed service identity.", | ||
"description": "Creates a function app with managed service identity enabled with Application Insights set up for logs and metrics.", | ||
"summary": "Creates a function app with managed service identity.", | ||
"githubUsername": "eamonoreilly", | ||
"dateUpdated": "2019-02-08" | ||
} | ||
|