Microsoft Identity Manager
A family of Microsoft products that manage a user's digital identity using identity synchronization, certificate management, and user provisioning.
707 questions
Event Hub Trigger with Managed Identity not reading events
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 34%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESA%3C/text%3E%3C/svg%3E)
Serdar ARIKAN
25
Reputation points
I have created an Azure Event Hub and an Azure Function with a system-assigned Managed Identity. The Managed Identity has been granted the following roles on the Event Hub: "Azure Event Hubs Data Sender", "Azure Event Hubs Data Receiver", "Azure Event Hubs Data Owner". I have configured the following app settings:
-
EVENTHUB_NAME: my_eventhub_name -
EventHubConnection__fullyQualifiedNamespace: my_eventhub_namespace.servicebus.windows.net
Here is the code to write to the Event Hub, which works fine when invoked via HTTP trigger:
import azure.functions as func
import json
import logging
import os
from azure.eventhub import EventHubProducerClient, EventData
from azure.identity import DefaultAzureCredential
app = func.FunctionApp()
# Debugging to check environment variables
logging.info(f"EventHubConnection__fullyQualifiedNamespace: {os.environ.get('EventHubConnection__fullyQualifiedNamespace')}")
logging.info(f"EVENTHUB_NAME: {os.environ.get('EVENTHUB_NAME')}")
EVENTHUBNAMESPACE = os.environ["EventHubConnection__fullyQualifiedNamespace"]
EVENTHUBNAME = os.environ["EVENTHUB_NAME"]
credential = DefaultAzureCredential()
@app.function_name(name="myfunc1")
@app.route(route="myfunc1", auth_level=func.AuthLevel.FUNCTION)
def dora(req: func.HttpRequest) -> func.HttpResponse:
logging.info('Python HTTP trigger function processed a request.')
try:
event_data = req.get_json()
event_json = json.dumps(event_data)
producer = EventHubProducerClient(
fully_qualified_namespace=EVENTHUBNAMESPACE,
eventhub_name=EVENTHUBNAME,
credential=credential,
)
with producer:
event_data_batch = producer.create_batch()
event_data_batch.add(EventData(event_json))
producer.send_batch(event_data_batch)
return func.HttpResponse(f"Message '{event_json}' sent successfully to Event Hub.", status_code=200)
except ValueError:
return func.HttpResponse("Please pass a valid JSON in the request body with a 'message' key.", status_code=400)
except Exception as e:
logging.error(f"Error sending message: {str(e)}")
return func.HttpResponse(f"Error sending message: {str(e)}", status_code=500)
However, when I deploy the following Event Hub trigger function, it does not read any events unless I replace EventHubConnection__fullyQualifiedNamespace with a connection string in the app settings:
import azure.functions as func
import json
import logging
import os
from azure.eventhub import EventHubProducerClient, EventData
from azure.identity import DefaultAzureCredential
app = func.FunctionApp()
# Debugging to check environment variables
logging.info(f"EventHubConnection__fullyQualifiedNamespace: {os.environ.get('EventHubConnection__fullyQualifiedNamespace')}")
logging.info(f"EVENTHUB_NAME: {os.environ.get('EVENTHUB_NAME')}")
EVENTHUBNAMESPACE = os.environ["EventHubConnection__fullyQualifiedNamespace"]
EVENTHUBNAME = os.environ["EVENTHUB_NAME"]
credential = DefaultAzureCredential()
@app.function_name(name="eventhub")
@app.event_hub_message_trigger(
arg_name="azeventhub",
event_hub_name="EVENTHUB_NAME",
connection="EventHubConnection__fullyQualifiedNamespace",
consumer_group="function",
cardinality="one"
)
def eventhub_trigger(azeventhub: func.EventHubEvent):
logging.info('Python EventHub trigger processed an event: %s',
azeventhub.get_body().decode('utf-8'))
What could be causing the Event Hub trigger function to fail when using Managed Identity, and how can I resolve this?
Thank you.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 59%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
JananiRamesh-MSFT 27,836 Reputation points2024-07-25T12:17:02.8233333+00:00 @Serdar ARIKAN Thanks for reaching out. I tried creating function with Event Hub Trigger using system Managed Identity and i am able to read the events successfully as shown below
as per this doc https://learn.microsoft.com/en-us/azure/azure-functions/functions-reference?tabs=blob&pivots=programming-language-csharp#common-properties-for-identity-based-connections could you please try adding the below in app settings
EventHubConnection__credential = "managedidentity"also refer this blog it has similar steps https://techcommunity.microsoft.com/t5/apps-on-azure-blog/how-to-setup-event-hub-trigger-for-azure-function-with-user/ba-p/3740599
do let me know if this works.
-
Serdar ARIKAN 25 Reputation points
2024-07-25T13:54:37.8366667+00:00 Hi @JananiRamesh-MSFT ,
Thank you for your response.
Could you please provide more details on the configuration based on my code ?I added EventHubConnection__credential = "managedidentity" in the app settings in Azure Function, but it still doesn't work.
My host.json :
{ "version": "2.0", "logging": { "applicationInsights": { "samplingSettings": { "isEnabled": true, "excludedTypes": "Request" } } }, "extensionBundle": { "id": "Microsoft.Azure.Functions.ExtensionBundle", "version": "[4.*, 5.0.0)" }, "extensions": { "eventHubs": { "maxEventBatchSize" : 10, "prefetchCount": 1, "batchCheckpointFrequency": 1, "transportType": "amqpWebSockets", "webProxy" : "https://proxyserver:8080", "clientRetryOptions":{ "mode" : "exponential", "tryTimeout" : "00:01:00", "delay" : "00:00:00.80" } } } }the main.py :
terraform { required_providers { azurerm = { source = "hashicorp/azurerm" version = "~> 3.0" } } } provider "azurerm" { features {} } resource "azurerm_resource_group" "rg" { name = "demomanagedid" location = "West Europe" } resource "azurerm_eventhub_namespace" "ehn" { name = "demomanagedidehn" location = azurerm_resource_group.rg.location resource_group_name = azurerm_resource_group.rg.name sku = "Standard" capacity = 1 } resource "azurerm_eventhub" "eh" { name = "demomanagedideh" namespace_name = azurerm_eventhub_namespace.ehn.name resource_group_name = azurerm_resource_group.rg.name partition_count = 2 message_retention = 1 } resource "azurerm_storage_account" "sa" { name = "demomanagedidsa" resource_group_name = azurerm_resource_group.rg.name location = azurerm_resource_group.rg.location account_tier = "Standard" account_replication_type = "LRS" } resource "azurerm_service_plan" "asp" { name = "demomanagedid-function-asp" location = azurerm_resource_group.rg.location resource_group_name = azurerm_resource_group.rg.name os_type = "Linux" sku_name = "Y1" } resource "azurerm_application_insights" "ai" { name = "demomanagedid-appinsights" location = azurerm_resource_group.rg.location resource_group_name = azurerm_resource_group.rg.name application_type = "web" } resource "azurerm_linux_function_app" "func" { name = "demomanagedidfunctionapp" location = azurerm_resource_group.rg.location resource_group_name = azurerm_resource_group.rg.name service_plan_id = azurerm_service_plan.asp.id storage_account_name = azurerm_storage_account.sa.name storage_account_access_key = azurerm_storage_account.sa.primary_access_key site_config { application_stack { python_version = "3.11" } } identity { type = "SystemAssigned" } app_settings = { "FUNCTIONS_WORKER_RUNTIME" = "python" "EVENTHUB_NAME" = azurerm_eventhub.eh.name "APPINSIGHTS_INSTRUMENTATIONKEY" = azurerm_application_insights.ai.instrumentation_key "EventHubConnection__fullyQualifiedNamespace" = "${azurerm_eventhub_namespace.ehn.name}.servicebus.windows.net" "EVENTHUB_CONNECTION" = "managedidentity" "EventHubConnection__credential" = "managedidentity" } } resource "azurerm_role_assignment" "ra_sender" { scope = azurerm_eventhub_namespace.ehn.id role_definition_name = "Azure Event Hubs Data Sender" principal_id = azurerm_linux_function_app.func.identity[0].principal_id } resource "azurerm_role_assignment" "ra_receiver" { scope = azurerm_eventhub_namespace.ehn.id role_definition_name = "Azure Event Hubs Data Receiver" principal_id = azurerm_linux_function_app.func.identity[0].principal_id } resource "azurerm_role_assignment" "ra_owner" { scope = azurerm_eventhub_namespace.ehn.id role_definition_name = "Azure Event Hubs Data Owner" principal_id = azurerm_linux_function_app.func.identity[0].principal_id }my function_app.py :
import azure.functions as func import json import logging import os from azure.eventhub import EventHubProducerClient, EventData from azure.identity import DefaultAzureCredential app = func.FunctionApp() # Debugging to check environment variables logging.info(f"EventHubConnection__fullyQualifiedNamespace: {os.environ.get('EventHubConnection__fullyQualifiedNamespace')}") logging.info(f"EVENTHUB_NAME: {os.environ.get('EVENTHUB_NAME')}") EVENTHUBNAMESPACE = os.environ["EventHubConnection__fullyQualifiedNamespace"] EVENTHUBNAME = os.environ["EVENTHUB_NAME"] credential = DefaultAzureCredential() @app.function_name(name="eventhub") @app.event_hub_message_trigger( arg_name="azeventhub", event_hub_name="EVENTHUB_NAME", connection="EventHubConnection__fullyQualifiedNamespace", consumer_group="function", cardinality="one" ) def eventhub_trigger(azeventhub: func.EventHubEvent): logging.info('Python EventHub trigger processed an event: %s', azeventhub.get_body().decode('utf-8'))
Sign in to comment
Sign in to answer