What permissions are required to assign Managed Identities to Azure Resources?

hampton123 1,175 Reputation points
2023-08-09T18:37:51.7133333+00:00

I have developed an API that uploads and downloads files from my Storage account via an Azure Function. For security, I want to assign a Managed Identity to my Azure Function. With that, the Storage Account won't be able to be manipulated outside of the Azure Function. I referred to this resource and visited my resource group's access control (IAM) blade to add a role assignment. However, all the options are disabled, which leads me to believe that I lack the necessary permissions. Could you tell me which role I need in order to be able to assign Managed Identities to resources in my resource group?


Accepted answer
    navba-MSFT 27,550 Reputation points Microsoft Employee Moderator
    2023-08-10T03:03:24.9533333+00:00

    @hampton123 Welcome to the Microsoft Q&A Forum, and thank you for posting your query here!

    I understand that you are unable to add a role assignment in your resource group's access control (IAM) blade, and you suspect that you lack the necessary permissions.

    To assign Managed Identities to Azure resources, you need to have the appropriate permissions. Specifically, you need to have the "Owner" or "User Access Administrator" role assigned to your account. These roles provide full access to all resources in the subscription, including the ability to create and manage Managed Identities.

    How to use Managed Identity to connect to Azure queue Storage from Azure Function?

    You need to first leverage v5.0 version of Microsoft.Azure.WebJobs.Extensions.Storage.Queues. This version introduces the ability to connect using an identity instead of a secret. For a tutorial on configuring your function apps with managed identities, see the creating a function app with identity-based connections tutorial.

    dotnet add package Microsoft.Azure.WebJobs.Extensions.Storage.Queues --version 5.0.0

    Once the above steps are followed, your application may require additional permissions based on the code you write. You need to have the below RBAC permissions on Azure Storage for your Function App.

    Trigger: Storage Queue Data Reader, Storage Queue Data Message Processor
    Output binding: Storage Queue Data Contributor, Storage Queue Data Message Sender

    The settings below are also needed in your JSON:

    "AzureWebJobsStorage__queueServiceUri": "https://mystorage.queue.core.windows.net/",
    "AzureWebJobsStorage__credential": "managedidentity"

    References:
    https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-storage-queue?tabs=in-process%2Cextensionv5%2Cextensionv3&pivots=programming-language-csharp#install-extension

    Also refer to: Azure Functions - use queue trigger with managed identity

    Hope this helps.

    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.

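An added example, not from the answer above or from Microsoft: an offline model of how Azure RBAC decides whether a principal may write role assignments at a scope (effective permission = Actions minus NotActions, across assignments at the target scope or any ancestor), using abridged copies of the built-in Owner, Contributor and User Access Administrator definitions and constructed sample assignments. It also builds the two identity-based connection settings the answer lists from a storage account name; the subscription id, resource group and principal names are placeholders.

```python
from fnmatch import fnmatchcase

# Abridged built-in role definitions (Actions, NotActions); DataActions omitted.
ROLE_DEFINITIONS = {
    "Owner": (["*"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/Delete",
                            "Microsoft.Authorization/*/Write",
                            "Microsoft.Authorization/elevateAccess/Action"]),
    "User Access Administrator": (["*/read", "Microsoft.Authorization/*",
                                   "Microsoft.Support/*"], []),
}

# The control-plane action the IAM blade needs for "Add role assignment".
ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"


def _matches(action: str, patterns) -> bool:
    # Azure action strings are case-insensitive and '*' spans '/' segments.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _covers(assigned_scope: str, target_scope: str) -> bool:
    # An assignment applies to its own scope and every scope beneath it.
    a, t = assigned_scope.lower().rstrip("/"), target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def allowed(assignments, principal: str, scope: str, action: str) -> bool:
    """True if any assignment grants `action` at `scope` (Actions - NotActions)."""
    for assignee, role, assigned_scope in assignments:
        if assignee != principal or not _covers(assigned_scope, scope):
            continue
        actions, not_actions = ROLE_DEFINITIONS[role]
        if _matches(action, actions) and not _matches(action, not_actions):
            return True
    return False


def can_assign_roles(assignments, principal: str, scope: str) -> bool:
    return allowed(assignments, principal, scope, ROLE_ASSIGNMENT_WRITE)


def identity_connection_settings(storage_account: str) -> dict:
    """App settings that make the queue binding use the function's managed identity."""
    return {
        "AzureWebJobsStorage__queueServiceUri": f"https://{storage_account}.queue.core.windows.net/",
        "AzureWebJobsStorage__credential": "managedidentity",
    }


# Constructed sample data: placeholder subscription, resource group and principals.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-files"
SAMPLE_ASSIGNMENTS = [("hampton", "Contributor", SUB),
                      ("admin", "User Access Administrator", SUB)]
```

Contributor is enough to deploy the function and change its settings, but its NotActions exclude every Microsoft.Authorization write, which is why the IAM blade stays greyed out until Owner or User Access Administrator is granted at the resource group or above.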
