Quickstart: Configure Durable Functions with managed identity

Artikel
06/08/2024

A managed identity from the access management service Microsoft Entra ID allows your app to access other Microsoft Entra protected resources, such as an Azure Storage account, without handling secrets manually. The identity is managed by the Azure platform, so you do not need to provision or rotate any secrets. The recommended way to authenticate access to Azure resources is through using such an identity.

In this quickstart, you complete steps to configure a Durable Functions app using the default Azure Storage provider to use identity-based connections for storage account access.

Nota

Managed identity is supported in Durable Functions extension versions 2.7.0 and greater.

If you don't have an Azure account, create a free account before you begin.

Prerequisites

To complete this quickstart, you need:

An existing Durable Functions project created in the Azure portal or a local Durable Functions project deployed to Azure.
Familiarity running a Durable Functions app in Azure.

If you don't have an existing Durable Functions project deployed in Azure, we recommend that you start with one of the following quickstarts:

Local development

Use Azure Storage emulator

When developing locally, it's recommended that you use Azurite, which is Azure Storage's local emulator. Configure your app to the emulator by specifying "AzureWebJobsStorage": "UseDevelopmentStorage=true" in the local.settings.json.

Identity-based connections for local development

Strictly speaking, a managed identity is only available to apps when executing on Azure. However, you can still configure a locally running app to use identity-based connection by using your developer credentials to authenticate against Azure resources. Then, when deployed on Azure, the app will utilize your managed identity configuration instead.

When using developer credentials, the connection attempts to get a token from the following locations, in the said order, for access to your Azure resources:

A local cache shared between Microsoft applications
The current user context in Visual Studio
The current user context in Visual Studio Code
The current user context in the Azure CLI

If none of these options are successful, an error stating that the app cannot retrieve authentication token for your Azure resources shows up.

Configure runtime to use local developer identity

Specify the name of your Azure Storage account in local.settings.json, for example:

JSON

{
   "IsEncrypted": false,
   "Values": {
      "AzureWebJobsStorage__accountName": "<<your Azure Storage account name>>",
      "FUNCTIONS_WORKER_RUNTIME": "dotnet-isolated"
   }
}

Go to the Azure Storage account resource on the Azure portal, navigate to the Access Control (IAM) tab, and click on Add role assignment. Find the following roles:
- Storage Queue Data Contributor
- Storage Blob Data Contributor
- Storage Table Data Contributor
Assign the roles to yourself by clicking "+ Select members" and finding your email in the pop-up window. (This email is the one you use to log into Microsoft applications, Azure CLI, or editors in the Visual Studio family.)

Identity-based connections for app deployed to Azure

Enable managed identity resource

To begin, enable a managed identity for your application. Your function app must have either a system-assigned managed identity or a user-assigned managed identity. To enable a managed identity for your function app, and to learn more about the differences between the two types of identities, see the managed identity overview.

Assign access roles to the managed identity

Navigate to your app's Azure Storage resource on the Azure portal and assign three role-based access control (RBAC) roles to your managed identity resource:

Storage Queue Data Contributor
Storage Blob Data Contributor
Storage Table Data Contributor

To find your identity resource, select assign access to Managed identity and then + Select members

Screenshot showing access assignment to managed identity.

Add managed identity configuration to your app

Before you can use your app's managed identity, make some changes to the app settings:

In the Azure portal, on your function app resource menu under Settings, select Environment variables.
In the list of settings, find AzureWebJobsStorage and select the Delete icon.
Add a setting to link your Azure storage account to the application.

Use one of the following methods depending on the cloud that your app runs in:
- Azure cloud: If your app runs in global Azure, add the setting AzureWebJobsStorage__accountName that identifies an Azure storage account name. Example value: mystorageaccount123
- Non-Azure cloud: If your application runs in a cloud outside of Azure, you must add the following three settings to provide specific service URIs (or endpoints) of the storage account instead of an account name.
  - Setting name: AzureWebJobsStorage__blobServiceUri
    
    Example value: https://mystorageaccount123.blob.core.windows.net/
  - Setting name: AzureWebJobsStorage__queueServiceUri
    
    Example value: https://mystorageaccount123.queue.core.windows.net/
  - Setting name: AzureWebJobsStorage__tableServiceUri
    
    Example value: https://mystorageaccount123.table.core.windows.net/
You can get the values for these URI variables in the storage account information from the Endpoints tab.

Nota

If you are using Azure Government or any other cloud that's separate from global Azure, you must use the option that provides specific service URIs instead of just the storage account name. For more information on using Azure Storage with Azure Government, see the Develop by using the Storage API in Azure Government.
Finish your managed identity configuration (remember to click "Apply" after making the setting changes):
- If you use a system-assigned identity, make no other changes.
- If you use a user-assigned identity, add the following settings in your app configuration:
  - AzureWebJobsStorage__credential, enter managedidentity
  - AzureWebJobsStorage__clientId, get this GUID value from your managed identity resource
Nota

Durable Functions does not support managedIdentityResourceId when using user-assigned identity. Use clientId instead.

Sumber tambahan

Dokumentasi

Bindings for Durable Functions - Azure

How to use triggers and bindings for the Durable Functions extension for Azure Functions.
Function chaining in Durable Functions - Azure

Learn how to run a Durable Functions sample that executes a sequence of functions.
Quickstart: Create a Java Durable Functions app

Create and publish a Java Durable Functions app in Azure Functions. Choose manual setup, Maven, or Visual Studio Code.
Quickstart: Create a TypeScript Durable Functions app

Create and publish a TypeScript Durable Functions app in Azure Functions by using Visual Studio Code.
Task hubs in Durable Functions - Azure

Learn what a task hub is in the Durable Functions extension for Azure Functions. Learn how to configure task hubs.
Durable functions billing - Azure Functions

Learn about the internal behaviors of Durable Functions and how they affect billing for Azure Functions.
Durable Functions storage providers - Azure

Learn about the different storage providers for Durable Functions and how they compare
Create Durable Functions using the Azure portal

Learn how to install the Durable Functions extension for Azure Functions for portal development.

Latihan

Modul

Introduction to using Managed Identity to authenticate to Azure OpenAI with .NET - Training

How to implement role based access control and managed identity authentication to Azure OpenAI with .NET.

Pensijilan

Microsoft Certified: Azure Developer Associate - Certifications

Build end-to-end solutions in Microsoft Azure to create Azure Functions, implement and manage web apps, develop solutions utilizing Azure storage, and more.

Peristiwa

Bina Apl dan Ejen AI

17 Mac, 9 PTG - 21 Mac, 10 PG

Sertai siri perjumpaan untuk membina penyelesaian AI berskala berdasarkan kes penggunaan dunia sebenar dengan rakan pembangun dan pakar.

Daftar sekarang

Kongsi melalui