Slow ManagedIdentity auth in Azure Functions

Andrzej G 0 Reputation points
2024-02-04T13:07:10.0166667+00:00

I wrote a function that reads a secret from Vault. It uses managed identity for auth with the vault, and it looks like on cold starts it is very slow to get the ManagedIdentityToken, over 5 seconds. I tried dotnet and python and it is the same in both cases. Here is the dotnet code:


        [Function("GetSecret")]
        public async Task<IActionResult> Run([HttpTrigger(AuthorizationLevel.Anonymous, "get", "post")] HttpRequest req)
        {
            _logger.LogInformation("Start");
            var secretClient = new SecretClient(vaultUri: new Uri("https://gustek-secret-vault.vault.azure.net/"), credential: new ManagedIdentityCredential());
            _logger.LogInformation("Getting secret");
            var secret = await secretClient.GetSecretAsync("test-secret");
            _logger.LogInformation("Got the secret");
            return new OkObjectResult($"The secret is {secret.Value.Value}");
        }

and logs

2024-02-04T12:25:51Z [Information] Executing 'Functions.GetSecret' (Reason='This function was programmatically called via the host APIs.', Id=d7188736-7ff9-467c-ae9f-fbaf83bf1341)
2024-02-04T12:25:52Z [Information] Start
2024-02-04T12:25:52Z [Information] Getting secret
2024-02-04T12:26:00Z [Information] Got the secret
2024-02-04T12:26:00Z [Information] Executing OkObjectResult, writing value of type 'System.String'.
2024-02-04T12:26:00Z [Information] Executed 'Functions.GetSecret' (Succeeded, Id=d7188736-7ff9-467c-ae9f-fbaf83bf1341, Duration=8926ms)


For python the code is:

import logging

from azure.identity import ManagedIdentityCredential
from azure.keyvault.secrets import SecretClient


def get_the_secret(key_vault_name: str, key_name: str) -> tuple:
    credential = ManagedIdentityCredential()
    logging.info("Creating key client")
    key_client = SecretClient(
        vault_url=f"https://{key_vault_name}.vault.azure.net/", credential=credential
    )
    logging.info("Created key client")
    # The managed identity token is requested lazily, on this first call
    secret = key_client.get_secret(key_name)
    logging.info("Got the secret")
    return secret.properties.content_type, secret.value

and in logs we can see time is spent at

2024-02-04 01:49:06.338
Request URL: 'http://localhost:8081/msi/token?api-version=REDACTED&resource=REDACTED' Request method: 'GET' Request headers: 'X-IDENTITY-HEADER': 'REDACTED' 'User-Agent': 'azsdk-python-identity/1.15.0 Python/3.11.7 (Linux-5.10.102.2-microsoft-standard-x86_64-with-glibc2.31)' No body was attached to the request
Information
2024-02-04 01:49:17.303
Response status: 200 Response headers: 'Content-Type': 'application/json; charset=utf-8' 'Date': 'Sun, 04 Feb 2024 01:49:17 GMT' 'Server': 'Kestrel' 'Transfer-Encoding': 'chunked' 'X-CORRELATION-ID': 'REDACTED'
Information

More logs for python: https://gist.github.com/GustekDev/492a3018598cab33e92304996aab8d72

Over 5s feels very long, is that normal? Notice I am using ManagedIdentityCredential explicitly in both cases, so it is not the issue of DefaultCredential trying different methods.

Azure Functions
An Azure service that provides an event-driven serverless compute platform.
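
An added example (not part of the original question and not the SDK's own code) that times the token request separately from the Key Vault read and keeps the credential and client at module scope, so the two costs visible in the question's logs can be told apart on cold and warm invocations. `get_clients`, `timed_get_secret` and the `factory` parameter are hypothetical names; the example assumes the public-cloud Key Vault scope and relies on azure-identity keeping an acquired token in memory on the credential instance.

```python
import logging
import time

VAULT_SCOPE = "https://vault.azure.net/.default"  # assumption: public-cloud Key Vault

_clients = {}  # vault_url -> (credential, client); lives as long as the worker process


def _azure_factory(vault_url):
    # Lazy import: the Azure SDK is only needed when real clients are built.
    from azure.identity import ManagedIdentityCredential
    from azure.keyvault.secrets import SecretClient

    credential = ManagedIdentityCredential()
    return credential, SecretClient(vault_url=vault_url, credential=credential)


def get_clients(vault_url, factory=_azure_factory):
    """Build the credential and client once per worker, then reuse them."""
    if vault_url not in _clients:
        _clients[vault_url] = factory(vault_url)
    return _clients[vault_url]


def timed_get_secret(vault_url, name, factory=_azure_factory):
    """Return (secret value, timings), measuring token and vault time apart."""
    credential, client = get_clients(vault_url, factory)
    t0 = time.perf_counter()
    credential.get_token(VAULT_SCOPE)  # forces the token endpoint round trip here
    t1 = time.perf_counter()
    secret = client.get_secret(name)   # the token is already held by the credential
    t2 = time.perf_counter()
    timings = {"token_s": t1 - t0, "vault_s": t2 - t1}
    # Log durations only, never the secret value or the token.
    logging.info("secret=%s token_s=%.3f vault_s=%.3f",
                 name, timings["token_s"], timings["vault_s"])
    return secret.value, timings
```

Comparing `token_s` on the first and on later invocations of the same worker shows whether the delay is paid once per cold start or on every call.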

2 answers

  1. Anonymous
    2024-02-05T21:23:09.6366667+00:00

    Hi @Andrzej G , this looks like it is due to the cold start of your Azure Function. During a cold start, the Azure Function runtime needs to initialize the environment and load the necessary dependencies, which can take some time.

    In your case, it looks like the delay is caused by the ManagedIdentityCredential trying to obtain a token from Azure AD. This delay can be reduced by enabling the App Service Authentication feature in your Azure Function app. This feature allows your function app to use the same authentication settings as your App Service plan, which can help reduce the time it takes to obtain a token. Try enabling it by following these steps:

    1. Go to your Azure Function app in the Azure portal.
    2. Click on "Authentication / Authorization" under the "Platform features" section.
    3. Turn on the "App Service Authentication" toggle.
    4. Choose the appropriate authentication provider for your scenario (e.g. Azure Active Directory).
    5. Configure the authentication provider settings as needed.
    6. Save your changes.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James


  2. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

