Background:
Function Apps can use managed identities to connect to resources that support Azure Active Directory (Azure AD) authentication. There are two types of managed identity: system-assigned and user-assigned. A user-assigned managed identity is the better fit when a workload runs on multiple resources that should share a single identity, or when resources are recycled frequently but the permissions should stay consistent. In this blog, we're going to show how to assign a user-assigned managed identity (MI) to a Function App so that an Event Hub trigger uses Azure AD authorization, rather than a shared access signature, to access the Event Hub.
Prerequisites:
1. Please read the following documents for the basic concepts.
- Triggers and bindings in Azure Functions | Microsoft Learn
- Secure Azure Functions with Event Hubs - Azure Architecture Center | Microsoft Learn
From these documents we learn the following:
Azure Functions provides several trigger bindings, such as the Event Hub trigger, the Service Bus Queue trigger and the Blob Storage trigger. A trigger defines how a function is invoked and generally provides the payload of the function.
When configuring a trigger binding, we need to authorize the Function App's access to the resource. For example, access to Event Hubs can be authorized with either of two security constructs: a shared access signature (SAS) or Azure Active Directory (Azure AD). Using Azure AD with a managed identity means no long-lived secret has to be stored in the app settings.
2. Create Event Hubs namespace and Event Hub (Entity) from Portal.
3. Create User-Assigned MI from Portal.
4. Create a Function App from the Portal. (.NET is used as the runtime stack in this sample.)
Setup steps:
After completing the prerequisites, several settings need to be configured.
1. Assign Event Hub roles to the user-assigned MI.
For the Event Hub trigger binding, we need to assign the built-in roles the Event Hubs extension needs in normal operation: "Azure Event Hubs Data Receiver" and "Azure Event Hubs Data Owner". A trigger only consumes events, so Data Receiver is the one it strictly needs; Data Owner should be added only when your code requires it.
In this sample the roles are assigned at the namespace scope, so after the assignment both role assignments appear in the Event Hubs namespace's Access control (IAM) blade. Assigning them at the event hub (entity) scope instead limits the identity to that single hub.
2. Add an Event Hub trigger to the Function App. (A C# script function is used as the sample because it can be edited in the portal.)
Set the Event Hub connection to "Custom App Setting" (key: connection; value: EventHubConnection).
After the trigger is created, the Event Hub connection in function.json reads "connection": "EventHubConnection".
(Remember to change the value of "eventHubName" to the target Event Hub.)
*Please note that the extension bundle version in host.json must be 3.3.0 or later. Earlier versions cannot connect using an identity instead of a secret (for example, a SAS).
(Guidance for developing Azure Functions | Microsoft Learn / Azure Event Hubs bindings for Azure Functions | Microsoft Learn)
3. Add the user-assigned MI to the Function App.
4. Add three application settings to the Function App's configuration from the Portal.
- EventHubConnection__clientId = "{the client ID of the user-assigned MI}"
- EventHubConnection__credential = "managedidentity"
- EventHubConnection__fullyQualifiedNamespace = "{the Event Hubs namespace host name, for example <namespace>.servicebus.windows.net}"
(The "EventHubConnection" prefix must match the value of the "connection" property in function.json; the double underscore separates the connection name from the property name. There should be no plain EventHubConnection setting holding a SAS connection string, since these identity-based settings replace it.)
*Please note that if EventHubConnection__clientId is not specified, the system-assigned identity is used, so this setting is what selects the user-assigned identity.
(Guidance for developing Azure Functions | Microsoft Learn)
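The four setup steps above, scripted with the Azure CLI. This is an added example and not part of the original post; the resource names (rg-eh-demo, ehns-demo, hub-demo, id-func-eh, func-eh-demo) are assumptions. Unlike the portal walkthrough, it grants only "Azure Event Hubs Data Receiver" and scopes the assignment to the event hub entity rather than the namespace, which is the least privilege a trigger that only consumes events needs. The helper functions also reject the two misconfigurations that most often break identity-based connections: a client ID that is not a GUID, and a SAS connection string or sb:// URL pasted into __fullyQualifiedNamespace instead of the bare host name.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: Azure CLI version of setup
# steps 1-4 (identity, role, identity assignment, app settings).
# All resource names below are assumptions; replace them with your own.
set -eu

RG="rg-eh-demo"                  # resource group (assumed)
EH_NAMESPACE="ehns-demo"         # Event Hubs namespace (assumed)
EH_NAME="hub-demo"               # event hub entity (assumed)
UAMI_NAME="id-func-eh"           # user-assigned managed identity (assumed)
FUNC_APP="func-eh-demo"          # function app (assumed)
CONNECTION="EventHubConnection"  # the "connection" value in function.json

# The trigger only consumes events, so Data Receiver is the least-privilege
# role. The post also adds Data Owner; add it here only if your code needs it.
ROLE="Azure Event Hubs Data Receiver"

# function.json for the trigger. Only the settings prefix ("EventHubConnection")
# appears here; the identity details live in the app settings.
render_function_json() {
  conn="$1"; hub="$2"
  cat <<EOF
{
  "bindings": [
    {
      "type": "eventHubTrigger",
      "name": "events",
      "direction": "in",
      "eventHubName": "$hub",
      "consumerGroup": "\$Default",
      "cardinality": "many",
      "connection": "$conn"
    }
  ]
}
EOF
}

# Reject the classic misconfigurations before they reach the app: a non-GUID
# client id, or a SAS connection string / sb:// URL where only the bare host
# name (public cloud: <namespace>.servicebus.windows.net) belongs.
validate_settings() {
  client_id="$1"; fqns="$2"
  printf '%s' "$client_id" \
    | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' \
    || { echo "clientId is not a GUID: $client_id" >&2; return 1; }
  case "$fqns" in
    *://*|*Endpoint=*|*\;*|*SharedAccessKey*)
      echo "fullyQualifiedNamespace must be a bare host name, got: $fqns" >&2; return 1 ;;
  esac
  printf '%s' "$fqns" | grep -Eq '^[A-Za-z0-9-]+\.servicebus\.[a-z.]+$' \
    || { echo "fullyQualifiedNamespace has an unexpected shape: $fqns" >&2; return 1; }
}

# Emit the three identity-based connection settings, keyed by the "connection"
# name. Without __clientId the Functions host falls back to the system-assigned identity.
render_settings() {
  conn="$1"; client_id="$2"; fqns="$3"
  validate_settings "$client_id" "$fqns" || return 1
  printf '%s__credential=managedidentity\n' "$conn"
  printf '%s__clientId=%s\n' "$conn" "$client_id"
  printf '%s__fullyQualifiedNamespace=%s\n' "$conn" "$fqns"
}

deploy() {
  # Step 1: create the identity and grant the role at the event hub scope
  # (not the whole namespace) so it can only read this one hub.
  az identity create -g "$RG" -n "$UAMI_NAME" -o none
  principal_id=$(az identity show -g "$RG" -n "$UAMI_NAME" --query principalId -o tsv)
  client_id=$(az identity show -g "$RG" -n "$UAMI_NAME" --query clientId -o tsv)
  identity_id=$(az identity show -g "$RG" -n "$UAMI_NAME" --query id -o tsv)
  hub_id=$(az eventhubs eventhub show -g "$RG" --namespace-name "$EH_NAMESPACE" \
    -n "$EH_NAME" --query id -o tsv)
  az role assignment create --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal --role "$ROLE" --scope "$hub_id" -o none

  # Step 3: attach the user-assigned identity to the function app.
  az functionapp identity assign -g "$RG" -n "$FUNC_APP" --identities "$identity_id" -o none

  # Step 4: push the validated settings. Values contain no spaces, so the
  # unquoted expansion yields one KEY=VALUE argument per line.
  settings=$(render_settings "$CONNECTION" "$client_id" "${EH_NAMESPACE}.servicebus.windows.net")
  # shellcheck disable=SC2086
  az functionapp config appsettings set -g "$RG" -n "$FUNC_APP" --settings $settings -o none

  # Paste this into the function's function.json in the portal editor.
  render_function_json "$CONNECTION" "$EH_NAME"
}

# Only talks to Azure when explicitly asked, so the helpers can be exercised
# offline:  RUN_DEPLOY=1 ./setup-eh-uami.sh
if [ "${RUN_DEPLOY:-0}" = "1" ]; then
  deploy
fi
```

Run the script without RUN_DEPLOY to exercise the validation helpers offline; set RUN_DEPLOY=1 once you are logged in with az to create the identity, the role assignment and the settings. Azure RBAC assignments can take a few minutes to propagate, so a trigger that reports an authorization error immediately after deployment may simply need to be restarted after a short wait.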
Demo:
1. Event Hub sender: the ServiceBusExplorer tool is used to send events to the Event Hub.
2. Event Hub consumer: the Event Hub trigger receives the events successfully.
Congratulations! After these steps, you know how to set up an Event Hub trigger for Azure Functions with a user-assigned managed identity to access the Event Hub resource.
Hope this article is helpful for you, and thank you for reading.
Reference:
1. Grant permissions (Azure roles) to the identity for each component, such as Event Hubs, Service Bus, Azure Blobs and so on.
(Guidance for developing Azure Functions | Microsoft Learn)
2. Required environment variables for identity-based connections.
(Azure Event Hubs trigger for Azure Functions | Microsoft Learn / Guidance for developing Azure Functions | Microsoft Learn)
3. ServiceBusExplorer tool. (Releases · paolosalvatori/ServiceBusExplorer (github.com))
4. What are managed identities for Azure resources? (Managed identities for Azure resources - Microsoft Entra | Microsoft Learn)