Logic Apps (Standard) - Managed Identity practical usage in VS Code #346

Closed
erwinkramer opened this issue Jul 28, 2021 · 6 comments

@erwinkramer

erwinkramer commented Jul 28, 2021

When in Visual Studio Code, and using Managed Identity somewhere in your workflow, for instance, on an HTTP action, the following error will display while debugging:

Workflow Error: operationName='WorkflowDefinitionProvider.ProcessWorkflow', message='Workflow 'workflow-inbound-dynamic-action' validate and create workflow operation failed, 
the exception is 'The operation 'HTTP' for workflow 'workflow-inbound-dynamic-action' contains managed identity authentication which is supported only for Logic Apps Standard or Logic Apps running in App Service Environments.'', 
exception='Microsoft.Azure.Workflows.Common.ErrorResponses.ErrorResponseMessageException: 
The operation 'HTTP' for workflow 'workflow-inbound-dynamic-action' contains managed identity authentication which is supported only for Logic Apps Standard or Logic Apps running 
in App Service Environments.

Will this be supported somehow? This currently means you cannot debug your project when you use a Managed Identity somewhere in a workflow. Not very practical. I guess I understand why it's not working, because I'm not running it inside Azure, but locally.

As an alternative approach: Wouldn't implementing DefaultAzureCredential inside Logic Apps (standard) be a better option? That way you are not dependent on credentials on a specific environment.

Another approach: being able to point to a deployed managed identity, similar to how you point to a resource group for API connections (WORKFLOWS_RESOURCE_GROUP_NAME), inside the local.settings.json, so it will try to authenticate with that.

@shailesh-agre

@erwinkramer This is a by-design limitation, though the product group is looking for options; there may be enhancements in the future.
You may also create a feature request by providing feedback at https://feedback.azure.com/forums/287593-logic-apps

@chrisgrech

Getting the same error. Are there any alternatives to this, or is Managed Identity still not usable from a local environment?

@John-Bosch

This is a real limitation that needs to be fixed. The whole point of managed identities is to not need to manage the App Registrations. This is now forcing us back down the path of not using managed identities at all if we want to be able to debug locally.

@magohl

magohl commented Apr 22, 2022

I also find this behavior very limiting, as testing Logic Apps with Managed Identities locally requires code changes.

As proposed by @erwinkramer above, a nice solution would be for the HTTP action to use DefaultAzureCredential, which already 'under the hood' first tries EnvironmentCredential followed by ManagedIdentityCredential in sequence.

This would then work exactly as an Azure Function with DefaultAzureCredential, where you just set AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID in local.settings.json and the same code works both locally and deployed.

If backward compatibility would be an issue, maybe a new Authentication Type in the HTTP action could be introduced.
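
The fallback order described in the comment above, modelled as a preflight check for local.settings.json (an added example, not part of the original thread and not Azure SDK code). The function names and sample values are constructed; it assumes the service-principal-with-secret form of EnvironmentCredential and covers only the two chain links named above.

```python
import json

# Variables EnvironmentCredential needs for a service principal with a client secret.
SP_SECRET_VARS = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")

def load_values(settings_text):
    """Return the "Values" map of a local.settings.json document as str -> str."""
    values = json.loads(settings_text).get("Values") or {}
    return {k: v for k, v in values.items() if isinstance(v, str)}

def preflight(values, running_in_azure=False):
    """Predict which credential in the chain would serve a token request.

    Models only the two links named in the comment above:
    EnvironmentCredential first, then ManagedIdentityCredential.
    """
    missing = [name for name in SP_SECRET_VARS if not values.get(name, "").strip()]
    present = [name for name in SP_SECRET_VARS if name not in missing]
    if not missing:
        return {"credential": "EnvironmentCredential", "missing": [], "ok": True}
    # A partial set is the usual local failure: the environment link is skipped
    # and the chain falls through to a managed identity endpoint that only
    # exists on Azure-hosted compute.
    return {
        "credential": "ManagedIdentityCredential",
        "missing": missing if present else [],  # empty when nothing was set on purpose
        "ok": running_in_azure,
    }

# Constructed sample: the tenant id was left out by mistake.
SAMPLE = """
{
  "IsEncrypted": false,
  "Values": {
    "FUNCTIONS_WORKER_RUNTIME": "python",
    "AZURE_CLIENT_ID": "00000000-0000-0000-0000-000000000001",
    "AZURE_CLIENT_SECRET": "constructed-placeholder-secret"
  }
}
"""

if __name__ == "__main__":
    print(preflight(load_values(SAMPLE)))
```

With this setup local.settings.json holds the client secret in plain text, so the file should stay out of source control.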

@github-actions

This issue is stale because it has been open for 30 days with no activity.

@github-actions github-actions bot added the stale label Oct 21, 2022
@github-actions

This issue was closed because it has been inactive for 7 days since being marked as stale.
