Connect Azure Static Web App API (Python) to Azure SQL Database using Managed Identity

Question

I have an Azure Static Web App. I'm attempting to add a Python API which connects to an Azure SQL Database. I'm trying to use "Managed Identity" for authentication, and hitting some issues.

The current exception I am seeing in Application Insights is:

Azure.Identity.CredentialUnavailableException: ManagedIdentityCredential authentication unavailable. No response received from the managed identity endpoint. ---> System.Threading.Tasks.TaskCanceledException: The operation was canceled.
  at Azure.Core.CancellationHelper.ThrowOperationCanceledException(Exception innerException, CancellationToken cancellationToken)
  at Azure.Core.CancellationHelper.ThrowIfCancellationRequested(CancellationToken cancellationToken)
  at Azure.Core.Pipeline.ResponseBodyPolicy.ThrowIfCancellationRequestedOrTimeout(CancellationToken originalToken, CancellationToken timeoutToken, Exception inner, TimeSpan timeout)
  at Azure.Core.Pipeline.ResponseBodyPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory, Boolean async)
  at Azure.Core.Pipeline.LoggingPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory, Boolean async)
  at Azure.Core.Pipeline.RedirectPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory, Boolean async)
  at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory, Boolean async)
  at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory, Boolean async)
  at Azure.Identity.ManagedIdentitySource.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
  at Azure.Identity.ImdsManagedIdentitySource.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
  --- End of inner exception stack trace ---
  at Azure.Identity.ImdsManagedIdentitySource.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
  at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
  at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)

Both the Static Web App and the SQL Server (not the database - the option doesn't appear to be there on the DB?) have system-assigned identities. The SQL Server has the "Allow Azure services and resources to access this server" ticked in networking (I also tried with a 0.0.0.0->255.255.255.255 firewall rule - no change). I think I've added the Static Web App user into the SQL DB.

SELECT r.name role_principal_name, m.name AS member_principal_name, m.type_desc AS user_type
FROM sys.database_role_members rm 
JOIN sys.database_principals r 
    ON rm.role_principal_id = r.principal_id
JOIN sys.database_principals m 
    ON rm.member_principal_id = m.principal_id;

role_principal_name - member_principal_name        - user_type
db_owner            - dbo                          - SQL_USER
db_datareader       - <"name" field from SWA JSON> - EXTERNAL_USER
db_datawriter       - <"name" field from SWA JSON> - EXTERNAL_USER

What am I missing to make this work?

Answer 1

Hi Robert,

Based on the exception you are seeing, it is unable to obtain a token from the IMDS endpoint. This might be caused by running it as managed function.

Please switch to running your Python API in separate function app as "Bring your own Functions" with managed identity and test again. According to documentation managed identity isn't supported under Managed Functions:

Please click Accept Answer and upvote if the above was useful. If you still need assistance add a comment below.

Thanks.

-TP