Grant Azure Function access to ARM REST API

Earlier this year, I created an Azure Function which used the Azure REST API to copy a database programmatically. This worked, but has now stopped working for some reason.

To authenticate, the code in the Azure Function gets an auth token ...

var azureServiceTokenProvider = new AzureServiceTokenProvider();
var accessToken = await azureServiceTokenProvider.GetAccessTokenAsync("https://management.azure.com/");
_httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

There was something else we did in the Azure portal to give permissions to the Azure Function to do this. I remember choosing the Azure Function itself from a dropdown (I think in one of the Access Control (IAM) panels). Unfortunately, I can't remember what I did.

This has suddenly stopped working, and the Azure Function fails saying ...

Parameters: Connectionstring: [No connection string specified], Resource: https://management.azure.com/, Authority: . Exception Message: Tried the following 4 methods to get an access token, but none of them worked.
Parameters: Connectionstring: [No connection string specified], Resource: https://management.azure.com/, Authority: . Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.
Parameters: Connectionstring: [No connection string specified], Resource: https://management.azure.com/, Authority: . Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Visual Studio Token provider file not found at "D:\local\LocalAppData\.IdentityService\AzureServiceAuth\tokenprovider.json"
Parameters: Connectionstring: [No connection string specified], Resource: https://management.azure.com/, Authority: . Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. 'az' is not recognized as an internal or external command,
operable program or batch file.

Parameters: Connectionstring: [No connection string specified], Resource: https://management.azure.com/, Authority: https://login.microsoftonline.com/common. Exception Message: Tried to get token using Active Directory Integrated Authentication. Access token could not be acquired. get_user_name_failed: Failed to get user name
Inner Exception : The format of the specified domain name is invalid

The callstack shows that it's erroring in the AzureServiceTokenProvider.GetAccessTokenAsync() from my code snippet above.

I haven't changed anything in code, but it's possible that someone else on the team has recreated stuff in Azure - causing whatever we did in the portal (mentioned above) to need to be redone.

I also can't find the articles that I would have originally followed when doing this. Whichever IAM panel I go to (whether it be the subscription itself, or the SQL Server instance), I can choose "Assign access to Function App", but it always says "No Function App in this resource group can be assigned access."

Any ideas what I'm missing? How can I grant permission for a Function App to make resource manager REST requests to do database management?

According to your description, it seems that MSI is off for the Azure Function. You could try turning MSI on under the Azure Function's Platform features.

If we want to operate on the Azure Database, as you mentioned, we need to set IAM on the Azure Database server to allow the Azure Function to operate on database resources.

If MSI is on for the Azure Function, we can find the Azure Function in the dropdown list.

I also did a demo for it. I tested the list databases by server API. It works correctly on my side.
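The two portal steps described in the answer (turn on the managed identity, then add an IAM role assignment on the SQL server) can also be scripted with the Azure CLI. This is an added example, not part of the original question or answer; the function names, the resource names passed in, and the choice of the built-in "SQL DB Contributor" role are assumptions, and the role is scoped to the one SQL server rather than the whole subscription.

```shell
#!/usr/bin/env bash
# Added example: CLI equivalent of the portal steps in the answer.
# All resource names are supplied by the caller; none come from the post.

# Step 1: enable the system-assigned managed identity (MSI) on the
# Function App and print the identity's principal (object) id.
enable_identity() {  # args: resource-group function-app-name
  az functionapp identity assign \
    --resource-group "$1" --name "$2" \
    --query principalId --output tsv
}

# Build the ARM resource id of the SQL server so the role assignment is
# scoped to that server only, not to the subscription.
sql_server_scope() {  # args: subscription-id resource-group server-name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Sql/servers/%s' \
    "$1" "$2" "$3"
}

# Step 2: grant the identity a role on the SQL server.
# The default role is an assumption; pass another as the third argument.
grant_sql_role() {  # args: principal-id scope [role]
  local role="${3:-SQL DB Contributor}"
  az role assignment create \
    --assignee-object-id "$1" \
    --assignee-principal-type ServicePrincipal \
    --role "$role" --scope "$2" --output none
}

# Run both steps; prints "<principal-id> <scope>" on success.
grant_function_sql_access() {  # args: sub app-rg app-name sql-rg sql-server
  local principal scope
  principal="$(enable_identity "$2" "$3")" || return 1
  if [ -z "$principal" ]; then
    # No principal id means the identity is still off, which is the state
    # that produces the "Unable to connect to the MSI endpoint" error.
    echo "managed identity was not enabled on $3" >&2
    return 1
  fi
  scope="$(sql_server_scope "$1" "$4" "$5")"
  grant_sql_role "$principal" "$scope" || return 1
  printf '%s %s\n' "$principal" "$scope"
}
```

Call it as `grant_function_sql_access <subscription-id> <app-rg> <app-name> <sql-rg> <sql-server>` from a shell that is logged in with `az login` and allowed to create role assignments at that scope.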
