Token expiry best practice in always on azure function

Question

Token expiry best practice in always on azure function

Anonymous

Hi,

I have an Azure http trigger function in an elastic premium function. This function connects to a mysql flexible server using a managed identity through a DefaultAzureCredential token.

These tokens last 60 to 90mn but my function may stay up for longer than that.

What is the best design practice to renew tokens:

wait for an exception and renew the connection pool
check at regular intervals, say every 50mn?
check at every connection request?

Thank you

Oury Ba-MSFT 20,931 Reputation points Microsoft Employee Moderator

2024-12-05T01:05:43.7133333+00:00
@Jean David Ruvini Thank you for reaching out.With its managed identity, an app can obtain tokens for Azure resources that are protected by Microsoft Entra ID, such as Azure SQL Database, Azure Key Vault, and Azure Storage. These tokens represent the application accessing the resource, and not any specific user of the application.

App Service and Azure Functions provide an internally accessible REST endpoint for token retrieval. The REST endpoint can be accessed from within the app with a standard HTTP GET, which can be implemented with a generic HTTP client in every language. For .NET, JavaScript, Java, and Python, the Azure Identity client library provides an abstraction over this REST endpoint and simplifies the development experience. Connecting to other Azure services is as simple as adding a credential object to the service-specific client.

A raw HTTP GET request uses the two supplied environment variables and looks like the following example:

HTTPCopy

GET

And a sample response might look like the following:

HTTPCopy

HTTP/1.1 200 OK Content-Type: application/json { "access_token": "eyJ0eXAi…", "expires_on": "1586984735", "resource": "https://vault.azure.net", "token_type": "Bearer", "client_id": "00001111-aaaa-2222-bbbb-3333cccc4444" }

This response is the same as the response for the Microsoft Entra service-to-service access token request. To access Key Vault, you will then add the value of access_token to a client connection with the vault.

https://techcommunity.microsoft.com/blog/adformysql/how-to-connect-to-azure-database-for-mysql-using-managed-identity-of-function-ap/1518196
Anonymous

2024-12-05T03:03:40.9566667+00:00
Thanks @Oury Ba-MSFT . I am using the Python SDK and didn't look into the REST API. Thanks for the information.

In Python, I use the following:

async with DefaultAzureCredential(managed_identity_client_id=os.environ.get("IDENTITY_ID")) as credential token_response: AccessToken = await credential.get_token( os.environ.get("END_POINT") )

Not sure if this is using the REST API internally...

From your sample REST call it seems that, as should be, the tokens obtained through REST do expire as well ("expires_on": "1586984735").

So, my question remains. What are the best practices regarding token management in a long standing azure function?

Thanks.

Accepted answer

1 additional answer

Your answer

Oury Ba-MSFT 20,931 Reputation points Microsoft Employee Moderator

2024-12-05T01:05:43.7133333+00:00

@Jean David Ruvini Thank you for reaching out.With its managed identity, an app can obtain tokens for Azure resources that are protected by Microsoft Entra ID, such as Azure SQL Database, Azure Key Vault, and Azure Storage. These tokens represent the application accessing the resource, and not any specific user of the application.

App Service and Azure Functions provide an internally accessible REST endpoint for token retrieval. The REST endpoint can be accessed from within the app with a standard HTTP GET, which can be implemented with a generic HTTP client in every language. For .NET, JavaScript, Java, and Python, the Azure Identity client library provides an abstraction over this REST endpoint and simplifies the development experience. Connecting to other Azure services is as simple as adding a credential object to the service-specific client.

A raw HTTP GET request uses the two supplied environment variables and looks like the following example:

HTTPCopy

GET

And a sample response might look like the following:

HTTPCopy

HTTP/1.1 200 OK Content-Type: application/json { "access_token": "eyJ0eXAi…", "expires_on": "1586984735", "resource": "https://vault.azure.net", "token_type": "Bearer", "client_id": "00001111-aaaa-2222-bbbb-3333cccc4444" }

This response is the same as the response for the Microsoft Entra service-to-service access token request. To access Key Vault, you will then add the value of access_token to a client connection with the vault.

https://techcommunity.microsoft.com/blog/adformysql/how-to-connect-to-azure-database-for-mysql-using-managed-identity-of-function-ap/1518196
Anonymous

2024-12-05T03:03:40.9566667+00:00

Thanks @Oury Ba-MSFT . I am using the Python SDK and didn't look into the REST API. Thanks for the information.

In Python, I use the following:

async with DefaultAzureCredential(managed_identity_client_id=os.environ.get("IDENTITY_ID")) as credential token_response: AccessToken = await credential.get_token( os.environ.get("END_POINT") )

Not sure if this is using the REST API internally...

From your sample REST call it seems that, as should be, the tokens obtained through REST do expire as well ("expires_on": "1586984735").

So, my question remains. What are the best practices regarding token management in a long standing azure function?

Thanks.

Answer 1

Hi @Jean David Ruvini ,

Thanks for reaching out.

The general practice is to refresh the token before it expires.

However, managed identity tokens are cached by the underlying Azure infrastructure for performance and resiliency purposes: the back-end services for managed identities maintain a cache per resource URI for around 24 hours.

When you are saying 60 to 90 min, could you please confirm this token has been generated using managed identity?

Tokens acquired via the App Authentication library currently are refreshed when less than 5 minutes remains until they expire. So, it caches the token for 23 hours 55 minutes in the default case.

The cache lifetime of the token issued by a Managed Identity endpoint is controlled by the service provider, and unfortunately it appears that there is no way to force the refresh.

For more information, see Limitation of using managed identities for authorization.

Hope this will help.

Thanks,

Shweta

Please "Accept the answer" if above answer helped you.

Anonymous

2024-12-05T17:18:21.2066667+00:00

@Shweta Mathur Thank you for your response. Yes, you are correct, the tokens are valid for 23h+.
Thank you for your help.

Answer 2

To manage token expiry effectively in your Azure HTTP trigger function, the best practice would be to check at every connection request. This approach allows you to ensure that you always have a valid token before making a connection to your MySQL flexible server. By checking the token's validity at the time of the request, you can avoid potential exceptions due to expired tokens and maintain a seamless connection.

Waiting for an exception to renew the connection pool can lead to downtime and degraded performance, while checking at regular intervals may not be efficient, especially if your function is under varying loads.

References:

Manage connections in Azure Functions

Share via

Token expiry best practice in always on azure function

1 additional answer

Your answer