-1

We have an azure function app that uses a system assigned managed identity to access resources.

I have not found a way to use this system assigned identity when deploying the function app via devops. e.g.

  • deploy the function app.
  • enable the system assigned identity.
  • grant function app access to key vault with the system assigned managed identity.

Is this a case where the system assigned identity simply does not work and I need to create one manually?

Daniel Mann
wilson_smyth
  • This can be performed using Terraform. Are you looking for a way using only Azure DevOps `YML tasks` and `az cli`? – GeralexGR Jun 21 '22 at 13:57
  • Are you talking about deploying the *function app* (i.e. the actual application code), or creating and managing the *Azure infrastructure* (i.e. the Azure resources)? – Daniel Mann Jun 21 '22 at 16:24
  • Hi Wilson, any update on this, have you checked my answer? Does it answer your question? – Bowman Zhu-MSFT Jun 27 '22 at 08:38
  • Hi. The request was info on how to deploy a function app, including its user assigned managed identity, which the func app uses to access Key Vault. I compromised: the managed identity is now part of the infrastructure that has to exist before/outside of DevOps. I then have a config setting in the function app ARM template that contains the managed identity clientID that is deployed. Probably not the correct way, but it works and is sufficient until I find a better way of doing this. Thanks for the advice & expertise. – wilson_smyth Jun 28 '22 at 12:21
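The three steps listed in the question (deploy the app, enable the system-assigned identity, grant it Key Vault access) can be expressed as a single ARM/Bicep deployment, because the identity's `principalId` becomes available as an output of the function app resource within the same template. This is an added example, not code from the question or answer; the parameter names, the secret name `my-secret`, and the app setting `MySecret` are assumptions, and the role ID is the built-in "Key Vault Secrets User" role.

```bicep
param location string = resourceGroup().location
param functionAppName string
param keyVaultName string
param appServicePlanId string
@secure()
param storageConnectionString string

// Built-in role "Key Vault Secrets User": read secret values only (least privilege)
var keyVaultSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

// The vault is assumed to exist already (created outside this template)
resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
  name: keyVaultName
}

// Steps 1 + 2: deploy the function app with the system-assigned identity enabled
resource functionApp 'Microsoft.Web/sites@2022-03-01' = {
  name: functionAppName
  location: location
  kind: 'functionapp'
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    serverFarmId: appServicePlanId
    httpsOnly: true
    siteConfig: {
      minTlsVersion: '1.2'
      ftpsState: 'Disabled'
      appSettings: [
        { name: 'AzureWebJobsStorage', value: storageConnectionString }
        { name: 'FUNCTIONS_EXTENSION_VERSION', value: '~4' }
        // Key Vault reference: the platform resolves it at runtime with the identity above,
        // so the secret value itself never appears in the pipeline or the template
        { name: 'MySecret', value: '@Microsoft.KeyVault(VaultName=${keyVaultName};SecretName=my-secret)' }
      ]
    }
  }
}

// Step 3: grant access using the principalId that only exists once the app is created.
// Scoped to the vault, deterministic name so redeploys are idempotent.
resource kvSecretsUser 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(keyVault.id, functionApp.id, keyVaultSecretsUserRoleId)
  scope: keyVault
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)
    principalId: functionApp.identity.principalId
    principalType: 'ServicePrincipal'
  }
}
```

The pipeline's own service connection only needs rights to deploy this template; the app's identity never has to exist beforehand, and the RBAC assignment requires the vault to use the RBAC permission model rather than access policies.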

1 Answer

0

First of all, if you want to deploy the function app via DevOps using the managed identity created by the Azure function, the answer is no.

See here:

https://learn.microsoft.com/en-us/azure/devops/pipelines/library/connect-to-azure?view=azure-devops#create-an-azure-resource-manager-service-connection-to-a-vm-with-a-managed-service-identity

You are required to use a self-hosted agent on an Azure VM in order to use managed service identity.

Follow the steps above if you want to use managed identity to integrate with DevOps.

A system-assigned managed identity is enabled directly on an Azure service instance. When the identity is enabled in your Azure function app service instance, Azure creates an identity for the Azure function app instance in the Azure AD tenant that's trusted by the subscription of the instance. After the identity is created, the credentials are provisioned onto the Azure function app instance.

You can find it in Enterprise applications of AAD.

This application has nothing to do with the credentials required to deploy Azure functions from DevOps.

The managed identity you create with the 'enable' button is mainly used to manage the access rights of the Azure function app instance to other service instances in Azure.

Bowman Zhu-MSFT