
I am attempting to use a managed identity to grant permission for my C# app to write to storage account table storage. Based on this documentation, I am able to use an Azure AD managed identity to grant access from the function app to my storage account. I have granted all permissions required for this, documented here. I am using the TableServiceClient to get access to the table in my code.

string storageAccountName = Environment.GetEnvironmentVariable("STORAGE_ACCOUNT_NAME");
Uri tableUri = new Uri(string.Format("https://{0}.table.core.windows.net/", storageAccountName));
services.AddScoped(x => new TableServiceClient(tableUri, new DefaultAzureCredential()));

So with

  1. Proper roles added to managed identity on function app
  2. Retrieval of azure credentials within function app pointed at the proper table URI

I would expect that I could access the table in my storage account, but instead I receive the following error

2022-10-06T08:11:48.500 [Error] Executed 'MyFunc' (Failed, Id=<myfailureid>, Duration=1882ms)
Server failed to authenticate the request. Please refer to the information in the www-authenticate header.
RequestId:<requestId>
Time:2022-10-06T08:11:48.3870421Z
Status: 401 (Server failed to authenticate the request. Please refer to the information in the www-authenticate header.)
ErrorCode: InvalidAuthenticationInfo
Content:
{"odata.error":{"code":"InvalidAuthenticationInfo","message":{"lang":"en-US","value":"Server failed to authenticate the request. Please refer to the information in the www-authenticate header.\nRequestId:<requestId>\nTime:2022-10-06T08:11:48.3870421Z"}}}
Headers:
Server: Microsoft-HTTPAPI/2.0
x-ms-request-id: <ms-request-id>
x-ms-error-code: REDACTED
WWW-Authenticate: Bearer authorization_uri=https://login.microsoftonline.com/<subscription id>/oauth2/authorize resource_id=https://storage.azure.com
Date: Thu, 06 Oct 2022 08:11:47 GMT
Content-Length: 279
Content-Type: application/json

I am just trying to remove some connection strings from my function app, and I realize that right now using a managed identity for complete access to the storage account is basically unworkable if you ever want to deploy without switching to using a URL in WEBSITE_RUN_FROM_PACKAGE, which MS strongly recommends against, but I was at least hoping I could use managed identity for accessing tables and blobs from within my code.

This seems like a very basic level of access requirements, so I assume I'm doing something wrong. Any guidance on this would be greatly appreciated.

Jake Boomgaarden

1 Answer


I found the answer before posting, but I wanted to share this in case anyone else runs into this issue.

The problem was that Azure grabs permissions based on a hierarchy of potential places, shown here. I have the AZURE_CLIENT_ID variable set already, so it defaults to using that permission if I use DefaultAzureCredential. So I then found documentation for the ManagedIdentityCredential class, which avoids this chain of permission hierarchy searching and instead uses a specific identity clientId. Then, using the constructor for a user-assigned identity and giving it the clientId found on the Managed Identity overview, it successfully read my permissions and worked.

Jake Boomgaarden
  • Is there a code snippet you can show? Do I pass the ManagedIdentityCredential anywhere after calling the constructor? – Scott Nimrod Mar 09 '23 at 15:17
  • Here's another SO article that has the proper usage of the credential in the question. https://stackoverflow.com/questions/69537388/azure-storage-account-authenticate-using-managed-identity-and-c-sharp. You just need to pass it in when creating your service client or whatever you might be doing. – Jake Boomgaarden Mar 10 '23 at 12:55
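The registration the answer and the follow-up comment describe, written out as an added example (not code from the question or answer): the credential is pinned to one user-assigned identity by client ID instead of walking the DefaultAzureCredential chain, it is passed once when the TableServiceClient is built, and a read-only probe separates "wrong identity or missing role" from bugs in the function body. The STORAGE_MANAGED_IDENTITY_CLIENT_ID setting name is an assumption.

```csharp
using System;
using Azure;
using Azure.Core;
using Azure.Data.Tables;
using Azure.Identity;
using Microsoft.Extensions.DependencyInjection;

public static class TableClientRegistration
{
    // Hypothetical app setting holding the user-assigned identity's client ID
    // (copied from the Managed Identity overview blade); the name is an assumption.
    private const string ClientIdSetting = "STORAGE_MANAGED_IDENTITY_CLIENT_ID";

    public static TokenCredential BuildCredential()
    {
        string clientId = Environment.GetEnvironmentVariable(ClientIdSetting);
        if (string.IsNullOrWhiteSpace(clientId))
        {
            // System-assigned identity: no client ID, but still skip the
            // DefaultAzureCredential chain so AZURE_CLIENT_ID cannot redirect the lookup.
            return new ManagedIdentityCredential();
        }
        // User-assigned identity: pin exactly this identity by its client ID.
        return new ManagedIdentityCredential(clientId);
    }

    public static void AddTableServiceClient(this IServiceCollection services)
    {
        string storageAccountName = Environment.GetEnvironmentVariable("STORAGE_ACCOUNT_NAME")
            ?? throw new InvalidOperationException("STORAGE_ACCOUNT_NAME is not set.");
        var tableUri = new Uri($"https://{storageAccountName}.table.core.windows.net/");
        TokenCredential credential = BuildCredential();

        // The credential is handed over once, here; the client acquires and refreshes
        // tokens for the storage resource on every request by itself.
        services.AddScoped(_ => new TableServiceClient(tableUri, credential));
    }

    // Start-up probe: listing tables is read-only and needs only a Table Data role.
    // A 401 here is the InvalidAuthenticationInfo from the question (token issued for
    // the wrong identity); a 403 means the identity is right but the role is missing.
    public static bool VerifyAccess(TableServiceClient client)
    {
        try
        {
            foreach (var _ in client.Query(maxPerPage: 1)) { break; }
            return true;
        }
        catch (RequestFailedException ex) when (ex.Status == 401 || ex.Status == 403)
        {
            return false;
        }
    }
}
```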