How can I automate authentication to my function app written in Python with Microsoft Azure AD authentication when accessing from Azure Kubernetes Service on the same tenant?

Dinesh Marimuthu 0 Reputation points
2024-11-08T16:44:45.9066667+00:00

I have an AKS cluster in my tenant on which I run some ETL jobs. Some of these jobs access the HTTP trigger of an Azure function. Now, to secure my function, I added Azure AD authentication.

To access the Azure function:

I added the user identity of the agentnodepool as a contributor to the Azure function app

Inside my kubernetes code I updated the script as follows to access the Azure function

```python
from azure.identity import ManagedIdentityCredential
import requests

credential = ManagedIdentityCredential(client_id='myclientid')
# scope = Application ID URI of the function's app registration (usually with "/.default")
token = credential.get_token("api://application ID URI")
headers = {"Authorization": f"Bearer {token.token}"}
response = requests.get(function_app_url, data=dataset, headers=headers)
```

I am able to generate a token, but the request always fails with a 401 Unauthorized error.

What am I doing wrong here? Would appreciate every help.

  1. Pinaki Ghatak 5,600 Reputation points Microsoft Employee Volunteer Moderator
    2024-11-11T10:17:37.8766667+00:00

    Hello @Dinesh Marimuthu

    Based on the information you provided, it looks like you are on the right track. However, there are a few things that you need to check to ensure that the authentication is working correctly.

    First, make sure that you have granted the correct permissions to the Managed Identity of your AKS cluster. You need to grant the Managed Identity the necessary permissions to access the Azure Function.

    You can do this by adding the Managed Identity as a Contributor to the Azure Function App.

    Second, make sure that you have configured the Azure Function App to accept requests from Azure AD. You can do this by following the steps mentioned in the Azure documentation here.

    Third, make sure that you are passing the correct audience parameter when requesting the token. The audience parameter should be set to the Application ID URI of the Azure Function App.

    You can find the Application ID URI in the Azure portal under the "Expose an API" section of the Azure AD App registration for your Azure Function App.

    Lastly, make sure that you are passing the token in the correct format in the Authorization header. The token should be prefixed with "Bearer " and passed in the Authorization header of the HTTP request. If you have checked all of the above and are still facing issues, you can try enabling diagnostic logging on the Azure Function App to get more information about the authentication failure.

    You can find more information about enabling diagnostic logging here.


    I hope that this response has addressed your query and helped you overcome your challenges. If so, please mark this response as Answered. This will not only acknowledge our efforts, but also assist other community members who may be looking for similar solutions.

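Added example (not from the question or the answer above): an offline check for the two causes the answer lists, a wrong token audience and a scope that does not name the function's App ID URI. It decodes the bearer token's payload the way a practitioner inspects a rejected token and compares the `aud` and `iss` claims with what App Service authentication is configured to accept; the tenant ID, App ID URI and sample tokens are constructed placeholders.

```python
import base64
import json
from typing import List, Optional

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying the signature.
    Verification is the function app's job; this is only for inspection."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))

def scope_for(app_id_uri: str) -> str:
    """azure-identity takes a scope, not a resource: App ID URI plus '/.default'."""
    if app_id_uri.endswith("/.default"):
        return app_id_uri
    return app_id_uri.rstrip("/") + "/.default"

def diagnose_401(token: str, allowed_audiences: List[str], tenant_id: str) -> Optional[str]:
    """Explain why App Service authentication would reject this token, or None if
    the audience and issuer match what the function app is configured to accept."""
    claims = jwt_claims(token)
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in allowed_audiences for a in auds):
        return f"audience {auds} is not in the allowed audiences {allowed_audiences}"
    iss = claims.get("iss", "")
    if tenant_id not in iss:
        return f"issuer {iss!r} does not belong to tenant {tenant_id}"
    return None

def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token for offline use; real tokens are signed by Entra ID."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.unsigned"

if __name__ == "__main__":
    tenant = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
    app_id_uri = "api://my-function-app"              # placeholder App ID URI
    # Typical cause of a 401: the token was requested for ARM, not for the function.
    bad = make_unsigned_jwt({"aud": "https://management.azure.com/",
                             "iss": f"https://sts.windows.net/{tenant}/"})
    print(scope_for(app_id_uri))              # api://my-function-app/.default
    print(diagnose_401(bad, [app_id_uri], tenant))
```

Note that a Contributor role assignment on the function app is an ARM (RBAC) permission; it does not change which audiences the function's Azure AD authentication accepts, so the `aud` check above is the one to run first.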