Azure Function activity in Data Factory works on debug, but not during trigger

Justin Yeary 0 Reputation points
2024-02-19T04:02:10.12+00:00

I have a Data Factory pipeline in which one of the activities calls an Azure Function that does some basic transformation on data to prepare for ingestion into copy activity. This function has no parameters being passed or anything of the sort. The function activity is merely meant to call the function, and all data transformation to include the loading of the file itself from blob storage, happens within the function. The function in question is an HTTP function, no authorization needed, the only authentication it uses is the function key stored in Azure Key Vault. Again, during debug mode there are no issues. But I am getting an error which states

Call to provided Azure function 'req' failed with status-'Unauthorized' while invoking 'POST' on 'https://MYFUNCTION.azurewebsites.net' and message - 'Invoking Azure function failed with HttpStatusCode - Unauthorized.'. I am not understanding why the activity runs perfectly fine in debug mode, but fails when its actually triggered in a live run. The function authorizes just fine during debug, but suddenly runs into an auth error when it is triggered. Any thoughts?

Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
4,874 questions
Azure Data Factory
Azure Data Factory
An Azure service for ingesting, preparing, and transforming data at scale.
10,553 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Amira Bedhiafi 23,016 Reputation points
    2024-02-19T09:51:31.7366667+00:00

    I have a doubt that the service identity (managed identity) has the appropriate permissions to read secrets from Azure Key Vault. It should have at least the "Get" permission for secrets. This permission difference might not be evident during debug mode because the debug execution might be using a different authentication mechanism or permissions setup. One other doubt is there are maybe IP restrictions or VNEt integrations set up for your Azure Function, ensure that the Data Factory managed identity is allowed to communicate with the function. This might not affect debug runs if they are executed from a different network context.

    2 people found this answer helpful.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.