Skip to content

Spike: Set the client id for functions configuration #8868

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
davidfowl wants to merge 1 commit into from
Closed

Spike: Set the client id for functions configuration #8868

davidfowl wants to merge 1 commit into from
+9 −0

Conversation

@davidfowl
Copy link
Member

@davidfowl davidfowl commented Apr 18, 2025

Description

This pull request introduces changes to enhance Azure Functions integration by adding support for the clientId environment variable. The updates ensure that the clientId is correctly injected into the environment variables for Azure Functions projects when applicable.

Fixes #8116

Checklist

  • Is this feature complete?
    • Yes. Ready to ship.
    • No. Follow-up changes expected.
  • Are you including unit tests for the changes and scenario tests if relevant?
    • Yes
    • No
  • Did you add public API?
    • Yes
      • If yes, did you have an API Review for it?
        • Yes
        • No
      • Did you add <remarks /> and <code /> elements on your triple slash comments?
        • Yes
        • No
    • No
  • Does the change make any security assumptions or guarantees?
    • Yes
      • If yes, have you done a threat model and had a security review?
        • Yes
        • No
    • No
  • Does the change require an update in our Aspire docs?

@github-actions github-actions bot added the area-integrations Issues pertaining to Aspire Integrations packages label Apr 18, 2025
@davidfowl davidfowl mentioned this pull request Apr 18, 2025
Open
1 task
@davidfowl davidfowl requested a review from captainsafia April 18, 2025 07:03
davidfowl
davidfowl commented Apr 18, 2025
View reviewed changes
src/Aspire.Hosting.Azure.CosmosDB/AzureCosmosDBResource.cs
// Always inject the connection string associated with the top-level resource
// for the Azure Functions host.
target[$"{connectionName}__accountEndpoint"] = ConnectionStringExpression;
target[$"{connectionName}__clientId"] = default!;
Copy link
Member Author

@davidfowl davidfowl Apr 18, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a little hacky. Unclear if this signal is needed. We might be able to do something else like always set it in WithReference if it is harmless (we already always set AZURE_CLIENT_ID today anyways?)

cc @fabiocav @mattchenderson

Copy link
Contributor

@mattchenderson mattchenderson Apr 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It should generally be harmless to just set it in WithReference() today, but it's probably worth building some defensiveness in here. I actually realize we forgot to prescribe something for this scenario: I believe we still need {connectionName}__credential: managedidentity, as that's the signal used to engage this when AZURE_CLIENT_ID is missing. I don't know if the KEDA logic cares there, but that is how Microsoft.Extensions.Azure expects things.

I'm imagining a situation in which someone themselves specifies {connectionName}__credential, set to something that gets added in the future. AZURE_CLIENT_ID likely would be mapped the same, but I don't know that it's guaranteed (and I'm thinking of cross-tenant with MI+FIC, specifically). I think the safest approach would be to check the credential type. If it's not unspecified or "managedidentity", we wouldn't want to assume {connectionName}__clientId has these semantics, or that it should be set at all. If the user goes custom here, they become responsible for the full suite of config for that custom approach.

Copy link
Member Author

@davidfowl davidfowl Apr 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know if the KEDA logic cares there, but that is how Microsoft.Extensions.Azure expects things.

Are you pretty sure the KEDA doesn't support AZURE_CLIENT_ID?

Copy link
Contributor

@mattchenderson mattchenderson Apr 21, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That was the case when we opened the issue, at least. I've not been made aware of any updates on that front if they did happen.

Copy link
Member Author

@davidfowl davidfowl Apr 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should fix keda and make it respect AZURE_CLIENT_ID

@davidfowl davidfowl closed this May 7, 2025
@github-actions github-actions bot locked and limited conversation to collaborators Jun 6, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@captainsafia captainsafia Awaiting requested review from captainsafia captainsafia is a code owner

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

1 more reviewer

@mattchenderson mattchenderson mattchenderson left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

area-integrations Issues pertaining to Aspire Integrations packages

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Implementors of IResourceWithAzureFunctionsConfig should set additional params for identity-based configuration.

2 participants

@davidfowl @mattchenderson