Function app using user assigned managed identity in backend but showing System managed identity in environment variables

Narendra Kandula 0 Reputation points
2024-06-17T08:15:41.7766667+00:00

The issue is that in function apps we are using Environment variables which sourced from a key vault using a user assigned managed identity. System assigned managed identities have been turned off, however the environment variables still show that the system assigned managed identity is being used to access the key vault.

 User's image

The Function Apps:

·       Are using User Managed Identities

·       Are NOT using System Assigned Identities.

·       Are configured to use the User Managed Identity for Key Vault Secret lookup

o   ie: "keyVaultReferenceIdentity": "/subscriptions/6705ce6c-074a-417f-bbe0-9a92f3452d51/resourceGroups/RBGKew-PROD-D365CE-Application-UKS-RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/RBGKew-PROD-D365CE-FunctionApps-UKS-ID-001",

They are successfully retrieving the secrets, but the portal still indicates it is using SystemAssigned Identity when it is now.

As a work around we tried to manually update the key vault Identity with below command using PowerShell. The command ran successfully but UI didn't change yet. 

Update-AzFunctionApp -Name 'rbgkewprodd365cecardpayuksfa01' -ResourceGroupName 'RBGKew-PROD-D365CE-Application-UKS-RG' -IdentityType UserAssigned -IdentityID '/subscriptions/6705ce6c-074a-417f-bbe0-9a92f3452d51/resourceGroups/RBGKew-PROD-D365CE-Application-UKS-RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/RBGKew-PROD-D365CE-FunctionApps-UKS-ID-001' -Force

User's image

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,166 questions
Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
4,542 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,249 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Deepanshukatara-6769 6,715 Reputation points
    2024-06-17T08:36:36.17+00:00

    Hi Narendar,

    The issue you're describing, where the Azure portal incorrectly indicates that a System Assigned Managed Identity is being used instead of a User Assigned Managed Identity, can be caused by a few factors. Here's a step-by-step approach to troubleshoot and resolve this issue:

    1.Clear and Redeploy Configuration:

    • Clear the current identity configuration and redeploy the settings to force an update.
    • You can use the Azure CLI to remove the existing User Managed Identity and reassign it:
    az webapp identity remove --name rbgkewprodd365cecardpayuksfa01 --resource-group RBGKew-PROD-D365CE-Application-UKS-RG --identities "" 
    
    
    

    2. Check for Portal UI Cache Issues:

    • Sometimes, the Azure Portal UI might have caching issues. Try logging out and logging back into the Azure Portal or using a different browser/incognito mode to see if the changes are reflected.

    3. Contact Azure Support:

    • If the issue persists after trying the above steps, consider reaching out to Azure Support for further assistance. They can provide deeper insights and potentially identify backend issues.

    Kindly check and let us know , if any further questions , please let us know

    please accept answer if it works for you

    Thanks

    Deepanshu

    0 comments No comments

  2. TP 82,576 Reputation points
    2024-06-17T09:25:26.4266667+00:00

    Hi Narendra,

    What you are seeing is normal (even though it is incorrect). In my experience the portal shows "System assigned managed identity" regardless of whether you are using System or User-assigned managed identity.

    When using user-assigned managed identity the important difference is you need to set keyVaultReferenceIdentity, which you have already done.

    If you are still concerned that somehow it is using system-assigned managed identity even though you've turned it off, you can turn on audit logging on your key vault and verify in logs that user-assigned identity is being used.

    Please click Accept Answer and upvote if the above was helpful.

    Thanks.

    -TP