Merge pull request #5971 from eamonoreilly/master
Sample for Azure Function with managed identity enabled
bmoore-msft committed Apr 22, 2019
2 parents 0d59418 + 361cef2 commit deede3b
Showing 4 changed files with 348 additions and 0 deletions.
31 changes: 31 additions & 0 deletions 101-functions-managed-identity/README.md
@@ -0,0 +1,31 @@
# Provision a function app on a consumption plan with managed identity enabled

[![Deploy to Azure](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazure.png)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2F101-functions-managed-identity%2Fazuredeploy.json)
[![Visualize](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/visualizebutton.png)](http://armviz.io/#/?loadhttp://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2Fazure%2Fazure-quickstart-templates%2Fmaster%2F101-functions-managed-identity%2Fazuredeploy.json)

This template creates a function application on a consumption plan on Windows. It also enables managed identity for the application and returns the principal id as output.

## Managed identities in Azure Functions

You can learn more about [managed identities](https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity) and common scenarios in the [documentation](https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity#obtaining-tokens-for-azure-resources).

Another common scenario is to grant the managed identity access to either resource groups or subscriptions so that the function has permissions to take action on Azure resources. This is useful when using functions to automate Azure operational tasks.

## Grant the managed identity contributor access to the subscription or resource group so it can perform actions

The below command sets the access at the subscription level.

```powershell
$Context = Get-AzContext
New-AzRoleAssignment -ObjectId <principalId> -RoleDefinitionName Contributor -Scope "/subscriptions/$($Context.Subscription)"
```

## Tasks performed by this template

This template performs the following tasks

* Creates a storage account to store the functions code.
* Creates an application insights resource to store logs and metrics for the function.
* Creates a functions application with managed identity enabled, and running on a consumption plan.

For more information about Azure Functions, see the [Azure Functions Overview](https://azure.microsoft.com/en-us/documentation/articles/functions-overview/).
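
Review bot: The role assignment example under "Grant the managed identity contributor access to the subscription or resource group" grants Contributor on the whole subscription, which is broader than most operational automation needs, and although the heading mentions a resource group only the subscription-level command is shown. Suggest leading with a resource-group-scoped form such as `-Scope "/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>"`, advising readers to pick the narrowest built-in or custom role that covers the task, and keeping the subscription-wide assignment as the explicit exception. Separately, `$($Context.Subscription)` relies on the string form of the subscription object; `$($Context.Subscription.Id)` states what is meant.
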
298 changes: 298 additions & 0 deletions 101-functions-managed-identity/azuredeploy.json
@@ -0,0 +1,298 @@
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"functionAppName": {
"type": "string",
"defaultValue": "[uniqueString(resourceGroup().id)]",
"metadata": {
"description": "Specify the name of the function application"
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Specify the location for the function application resources"
}
},
"ApplicationInsightsLocation": {
"type": "string",
"defaultValue": "West Europe",
"allowedValues": [
"East US",
"South Central US",
"North Europe",
"West Europe",
"Southeast Asia",
"West US 2",
"Central India",
"Canada Central",
"UK South"
],
"metadata": {
"description": "Specify the region for Application Insights data"
}
},
"runtimeStack": {
"type": "string",
"defaultValue": "powershell",
"allowedValues": [
"powershell",
"dotnet",
"node",
"java"
],
"metadata": {
"description": "Pick the language runtime that you want enabled"
}
},
"timezone": {
"type": "string",
"defaultValue": "UTC",
"allowedValues": [
"Dateline Standard Time",
"UTC-11",
"Aleutian Standard Time",
"Hawaiian Standard Time",
"Marquesas Standard Time",
"Alaskan Standard Time",
"UTC-09",
"Pacific Standard Time (Mexico)",
"UTC-08",
"Pacific Standard Time",
"US Mountain Standard Time",
"Mountain Standard Time (Mexico)",
"Mountain Standard Time",
"Central America Standard Time",
"Central Standard Time",
"Easter Island Standard Time",
"Central Standard Time (Mexico)",
"Canada Central Standard Time",
"SA Pacific Standard Time",
"Eastern Standard Time (Mexico)",
"Eastern Standard Time",
"Haiti Standard Time",
"Cuba Standard Time",
"US Eastern Standard Time",
"Turks And Caicos Standard Time",
"Paraguay Standard Time",
"Atlantic Standard Time",
"Venezuela Standard Time",
"Central Brazilian Standard Time",
"SA Western Standard Time",
"Pacific SA Standard Time",
"Newfoundland Standard Time",
"Tocantins Standard Time",
"E. South America Standard Time",
"SA Eastern Standard Time",
"Argentina Standard Time",
"Greenland Standard Time",
"Montevideo Standard Time",
"Magallanes Standard Time",
"Saint Pierre Standard Time",
"Bahia Standard Time",
"UTC-02",
"Mid-Atlantic Standard Time",
"Azores Standard Time",
"Cape Verde Standard Time",
"UTC",
"Morocco Standard Time",
"GMT Standard Time",
"Greenwich Standard Time",
"W. Europe Standard Time",
"Central Europe Standard Time",
"Romance Standard Time",
"Sao Tome Standard Time",
"Central European Standard Time",
"W. Central Africa Standard Time",
"Jordan Standard Time",
"GTB Standard Time",
"Middle East Standard Time",
"Egypt Standard Time",
"E. Europe Standard Time",
"Syria Standard Time",
"West Bank Standard Time",
"South Africa Standard Time",
"FLE Standard Time",
"Israel Standard Time",
"Kaliningrad Standard Time",
"Sudan Standard Time",
"Libya Standard Time",
"Namibia Standard Time",
"Arabic Standard Time",
"Turkey Standard Time",
"Arab Standard Time",
"Belarus Standard Time",
"Russian Standard Time",
"E. Africa Standard Time",
"Iran Standard Time",
"Arabian Standard Time",
"Astrakhan Standard Time",
"Azerbaijan Standard Time",
"Russia Time Zone 3",
"Mauritius Standard Time",
"Saratov Standard Time",
"Georgian Standard Time",
"Caucasus Standard Time",
"Afghanistan Standard Time",
"West Asia Standard Time",
"Ekaterinburg Standard Time",
"Pakistan Standard Time",
"India Standard Time",
"Sri Lanka Standard Time",
"Nepal Standard Time",
"Central Asia Standard Time",
"Bangladesh Standard Time",
"Omsk Standard Time",
"Myanmar Standard Time",
"SE Asia Standard Time",
"Altai Standard Time",
"W. Mongolia Standard Time",
"North Asia Standard Time",
"N. Central Asia Standard Time",
"Tomsk Standard Time",
"China Standard Time",
"North Asia East Standard Time",
"Singapore Standard Time",
"W. Australia Standard Time",
"Taipei Standard Time",
"Ulaanbaatar Standard Time",
"Aus Central W. Standard Time",
"Transbaikal Standard Time",
"Tokyo Standard Time",
"North Korea Standard Time",
"Korea Standard Time",
"Yakutsk Standard Time",
"Cen. Australia Standard Time",
"AUS Central Standard Time",
"E. Australia Standard Time",
"AUS Eastern Standard Time",
"West Pacific Standard Time",
"Tasmania Standard Time",
"Vladivostok Standard Time",
"Lord Howe Standard Time",
"Bougainville Standard Time",
"Russia Time Zone 10",
"Magadan Standard Time",
"Norfolk Standard Time",
"Sakhalin Standard Time",
"Central Pacific Standard Time",
"Russia Time Zone 11",
"New Zealand Standard Time",
"UTC+12",
"Fiji Standard Time",
"Kamchatka Standard Time",
"Chatham Islands Standard Time",
"UTC+13",
"Tonga Standard Time",
"Samoa Standard Time",
"Line Islands Standard Time"
],
"metadata": {
"description": "Pick the timezone to use for the function"
}
}
},
"variables": {
"hostingPlanName": "[parameters('functionAppName')]",
"storageAccountName": "[concat('storage', uniquestring(resourceGroup().id))]"
},
"resources": [
{
"name": "[parameters('functionAppName')]",
"type": "Microsoft.Web/sites",
"apiVersion": "2018-02-01",
"location": "[parameters('location')]",
"kind": "functionapp",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms/', variables('hostingPlanName'))]",
"[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",
"[resourceId('microsoft.insights/components/', parameters('functionAppName'))]"
],
"identity": {
"type": "SystemAssigned"
},
"properties": {
"siteConfig": {
"appSettings": [
{
"name": "FUNCTIONS_WORKER_RUNTIME",
"value": "[parameters('runtimeStack')]"
},
{
"name": "AzureWebJobsStorage",
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=',variables('storageAccountName'),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2017-06-01').keys[0].value)]"
},
{
"name": "FUNCTIONS_EXTENSION_VERSION",
"value": "~2"
},
{
"name": "APPINSIGHTS_INSTRUMENTATIONKEY",
"value": "[reference(resourceId('microsoft.insights/components/', parameters('functionAppName')), '2018-05-01-preview').InstrumentationKey]"
},
{
"name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
"value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')),'2017-06-01').keys[0].value)]"
},
{
"name": "WEBSITE_CONTENTSHARE",
"value": "[toLower(parameters('functionAppName'))]"
},
{
"name": "WEBSITE_TIME_ZONE",
"value": "[parameters('timezone')]"
}
]
},
"name": "[parameters('functionAppName')]",
"clientAffinityEnabled": false,
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms/', variables('hostingPlanName'))]"
}
},
{
"type": "Microsoft.Web/serverfarms",
"apiVersion": "2018-11-01",
"name": "[variables('hostingPlanName')]",
"location": "[parameters('location')]",
"properties": {
"name": "[variables('hostingPlanName')]"
},
"sku": {
"name": "Y1",
"tier": "Dynamic",
"size": "Y1",
"family": "Y",
"capacity": 0
}
},
{
"apiVersion": "2017-06-01",
"type": "Microsoft.Storage/storageAccounts",
"name": "[variables('storageAccountName')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_LRS"
}
},
{
"apiVersion": "2018-05-01-preview",
"name": "[parameters('functionAppName')]",
"type": "Microsoft.Insights/components",
"location": "[parameters('ApplicationInsightsLocation')]",
"tags": {
"[concat('hidden-link:', resourceId('Microsoft.Web/sites/', parameters('functionAppName')))]": "Resource"
},
"properties": {
"ApplicationId": "[parameters('functionAppName')]"
}
}
],
"outputs": {
"principalId": {
"type": "string",
"value": "[reference(concat(resourceId('Microsoft.Web/sites/', parameters('functionAppName')), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2015-08-31-PREVIEW').principalId]"
}
}
}
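
Review bot: Neither the `Microsoft.Web/sites` resource nor the `Microsoft.Storage/storageAccounts` resource enforces encrypted transport: the site's `properties` block has no `httpsOnly`, and the storage account has no `properties` at all, so `supportsHttpsTrafficOnly` is never set. Suggest adding `"httpsOnly": true` to the site and `"properties": { "supportsHttpsTrafficOnly": true }` to the storage account, since that account's key is what `AzureWebJobsStorage` and `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` carry in app settings. The storage account also omits `kind`, and the template `$schema` uses `http://` where the parameters file uses `https://`.
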
9 changes: 9 additions & 0 deletions 101-functions-managed-identity/azuredeploy.parameters.json
@@ -0,0 +1,9 @@
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"functionAppName": {
"value": "GEN-UNIQUE"
}
}
}
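
Review bot: Only `functionAppName` is set in this file, so `ApplicationInsightsLocation` silently takes the template default of "West Europe" while the function app, hosting plan and storage account follow `resourceGroup().location`. That split is easy to miss for deployments with data-residency requirements; suggest either listing `ApplicationInsightsLocation` here or calling out the default in the README.
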
10 changes: 10 additions & 0 deletions 101-functions-managed-identity/metadata.json
@@ -0,0 +1,10 @@
{
"$schema": "https://aka.ms/azure-quickstart-templates-metadata-schema#",
"type": "QuickStart",
"itemDisplayName": "Creates a function app with managed service identity.",
"description": "Creates a function app with managed service identity enabled with Application Insights set up for logs and metrics.",
"summary": "Creates a function app with managed service identity.",
"githubUsername": "eamonoreilly",
"dateUpdated": "2019-02-08"
}
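
Review bot: `itemDisplayName`, `description` and `summary` say "managed service identity" while the README in this commit uses "managed identity" throughout; suggest settling on one term so the sample is found under the name the linked documentation uses. `dateUpdated` is "2019-02-08" although the commit landed on Apr 22, 2019; refresh it if the repository convention is the merge date.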