
Fetch Azure Managed Identity from within Function

I am using Azure Managed Identity feature for my python Azure Functions App and would like to be able to fetch currently assigned Client ID from within the Function App itself.

Searching through the documentation and the azure-identity python sources did not give the result I would expect.

Maybe I could:

  1. Query the Azure Instance Metadata Service myself to get this ID. (not really happy with this option)
  2. Provision it as an env variable during the ARM deployment stage, or by hand later on. (seems good and efficient, but not sure what the best practice is here)

UPDATE

Managed to get it working with an ARM template and an env variable:

  1. Deploys FunctionApp with System Identity
  2. Provisions System Identity as env variable of this same FunctionApp

The idea is to use a Microsoft.Resources/deployments subtemplate to update the Function App configuration with:

{
    "name": "AZURE_CLIENT_ID",
    "value": "[reference(resourceId('Microsoft.Web/sites', variables('appName')), '2019-08-01', 'full').identity.principalId]"
},

The simplest option is to go to the identity tab for your Functions app, and turn on "System assigned managed identity". You can then get the access token without having to provide the client_id, since the token request simply picks the system assigned identity if there is one for the Function app.

If you are using "user assigned managed identity", then you need to provide the client_id: either through env or directly in your code.

You may already be aware, but just an additional note: you also need to make sure you have given access to your managed identity for the resource you are accessing, for example by going to the Azure resource your Function app needs to access and assigning an appropriate role to your managed identity.

Your option 1 (query Azure Instance Metadata Service) is only available on VMs.

UPDATE

Since you need the client_id for other purposes, you may also consider reading it from the response to your request for the access token: client_id is one of the parameters in the JSON returned to you along with the access token, and its value is the client_id of the managed identity you used (in your case, the system-assigned managed identity).

Here is a sample token response to illustrate this:

{
  access_token: <...>,
  resource: <...>,
  token_type: 'Bearer',
  client_id: <client_id of the managed identity used to get this token>
}
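The approach in this answer, reading client_id from the token reply, as an added Python example for a Functions app (not code from the question or the answer). It assumes the Functions host's identity endpoint contract: the IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables, the X-IDENTITY-HEADER request header and api-version 2019-08-01; the endpoint URL, secret and token values used for the offline check are constructed.

```python
import json
import os
import urllib.parse
import urllib.request

# Azure Functions (App Service) expose the managed identity token endpoint through the
# IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables (api-version 2019-08-01).
API_VERSION = "2019-08-01"

def build_token_request(resource, client_id=None, endpoint=None, secret=None):
    """GET request for a token; client_id is only needed for a user-assigned identity."""
    endpoint = endpoint or os.environ["IDENTITY_ENDPOINT"]
    secret = secret or os.environ["IDENTITY_HEADER"]
    params = {"resource": resource, "api-version": API_VERSION}
    if client_id:
        params["client_id"] = client_id
    url = f"{endpoint}?{urllib.parse.urlencode(params)}"
    return urllib.request.Request(url, headers={"X-IDENTITY-HEADER": secret})

def parse_token_response(body):
    """Return the token fields, failing loudly if client_id is absent."""
    data = json.loads(body)
    missing = [k for k in ("access_token", "client_id") if k not in data]
    if missing:
        raise ValueError(f"token response lacks {missing}")
    return {
        "access_token": data["access_token"],
        "client_id": data["client_id"],
        "resource": data.get("resource"),
        "token_type": data.get("token_type"),
    }

def _http_get(request):
    with urllib.request.urlopen(request) as resp:
        return resp.read().decode()

def current_identity_client_id(resource="https://management.azure.com/", fetch=_http_get, **request_args):
    """client_id of the managed identity this Function runs as, read from the token reply."""
    return parse_token_response(fetch(build_token_request(resource, **request_args)))["client_id"]

# Constructed sample reply shaped like the identity endpoint's JSON (not a real token).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "constructed.token.value",
    "expires_on": "1700000000",
    "resource": "https://management.azure.com/",
    "token_type": "Bearer",
    "client_id": "11111111-2222-3333-4444-555555555555",
})
```

Inside a running Function `current_identity_client_id()` alone is enough; the keyword arguments exist so the request building can be checked without the host's environment.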
