Function Apps support integrating Managed Identities to connect to resources that support Azure Active Directory (Azure AD) authentication. There are two types of Managed Identity: system-assigned and user-assigned. A customer would typically choose a User-assigned Managed Identity when workloads run on multiple resources and can share a single identity, or when resources are recycled frequently but permissions should stay consistent. In this blog, we introduce how to assign a User-Assigned Managed Identity (MI) to a Function App that uses Azure AD for authorization to access an Event Hub resource in an Event Hub trigger.
1. Please read the following documents for the basic concepts.
From the documents above, we learn the following: Azure Functions provides several trigger bindings, such as the Event Hub trigger, Service Bus Queue trigger, Blob Storage trigger and so on. A trigger defines how a function is invoked and generally provides the payload of the function.
When configuring the trigger binding, we need to authorize the Function App's access to the resource. For example, access to Event Hubs resources can be authorized with one of the following security constructs: a shared access signature (SAS) or Azure Active Directory (Azure AD).
2. Create Event Hubs namespace and Event Hub (Entity) from Portal.
3. Create User-Assigned MI from Portal.
4. Create Function App from Portal. (We choose the .NET runtime stack as the sample.)
After we complete the prerequisites, there are several settings that need to be configured.
1. Add Event Hub roles in User-Assigned MI.
For the Event Hub trigger binding, we need to assign the corresponding built-in roles to the identity so that the Event Hubs extension can operate normally. The built-in roles are "Azure Event Hubs Data Receiver" and "Azure Event Hubs Data Owner".
After the roles are assigned, we can see two role assignments in the Event Hubs namespace's IAM.
2. Add Event Hub trigger in Function App. (We choose a C# script function as the sample, since it supports editing in the portal.)
Please set the Event Hub connection with a "Custom App Setting" (Key: connection; Value: EventHubConnection).
After the Event Hub trigger is created, the Event Hub connection in function.json will be "connection": "EventHubConnection".
(Please remember to change the value of "eventHubName" to the target Event Hub.)
*Please note that the extension bundle version in host.json should be 3.3.0 or later. This version supports connecting with an identity instead of a secret (e.g., a SAS).
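The following is an added example, not code from the original post or from Azure: a small Python audit that checks the pieces described in steps 1 and 2 fit together, namely that the trigger's "connection" value resolves to identity-based app settings rather than a SAS connection string, that the user-assigned identity is selected by client id, that host.json pins an extension bundle of 3.3.0 or later, and that the identity holds both built-in roles on the namespace. The setting names follow the Azure Functions convention for identity-based connections (`<connection>__fullyQualifiedNamespace`, `<connection>__credential`, `<connection>__clientId`); every id, resource name and the role assignment list are constructed placeholders, and the assignment list is only shaped like `az role assignment list` output.

```python
"""Added example (not code from the original post): audit an Event Hub
trigger configuration for identity-based access with a User-Assigned MI.

Labelled assumptions: the setting names follow the Azure Functions
identity-based connection convention (<conn>__fullyQualifiedNamespace,
<conn>__credential, <conn>__clientId); all ids, names and the role
assignment list below are constructed sample data, not real resources.
"""
import re

REQUIRED_ROLES = {"Azure Event Hubs Data Receiver", "Azure Event Hubs Data Owner"}
MIN_BUNDLE = (3, 3, 0)  # identity-based connections need extension bundle 3.3.0+

# ---- constructed sample inputs (placeholders, not real resources) ----------
UAMI_CLIENT_ID = "00000000-0000-0000-0000-00000000c11d"      # used in app settings
UAMI_PRINCIPAL_ID = "00000000-0000-0000-0000-0000000000b1"   # used in role assignments
NAMESPACE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
                "/resourceGroups/rg-demo/providers/Microsoft.EventHub/namespaces/ehns-demo")

FUNCTION_JSON = {"bindings": [{
    "type": "eventHubTrigger", "direction": "in", "name": "events",
    "eventHubName": "hub-demo", "consumerGroup": "$Default",
    "connection": "EventHubConnection",   # name of the app-setting prefix, not a secret
}]}

HOST_JSON = {"version": "2.0", "extensionBundle": {
    "id": "Microsoft.Azure.Functions.ExtensionBundle", "version": "[3.3.0, 4.0.0)"}}

APP_SETTINGS_IDENTITY = {   # identity-based: no key material stored in the app
    "EventHubConnection__fullyQualifiedNamespace": "ehns-demo.servicebus.windows.net",
    "EventHubConnection__credential": "managedidentity",
    "EventHubConnection__clientId": UAMI_CLIENT_ID,  # selects the user-assigned identity
}
APP_SETTINGS_SAS = {        # secret-based, shown for contrast (placeholder key)
    "EventHubConnection": "Endpoint=sb://ehns-demo.servicebus.windows.net/;"
                          "SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=PLACEHOLDER",
}

# Shaped like `az role assignment list --scope <namespace id>` output (constructed)
ROLE_ASSIGNMENTS = [
    {"principalId": UAMI_PRINCIPAL_ID, "roleDefinitionName": "Azure Event Hubs Data Receiver", "scope": NAMESPACE_ID},
    {"principalId": UAMI_PRINCIPAL_ID, "roleDefinitionName": "Azure Event Hubs Data Owner", "scope": NAMESPACE_ID},
]


def bundle_finding(host_json, minimum=MIN_BUNDLE):
    """Return a finding unless the extension bundle lower bound is an explicit version >= 3.3.0."""
    spec = host_json.get("extensionBundle", {}).get("version", "")
    m = re.match(r"[\[(]\s*(\d+)\.(\d+)\.(\d+)", spec)
    if not m or tuple(int(x) for x in m.groups()) < minimum:
        return f"host.json extensionBundle version {spec!r} does not pin a lower bound >= 3.3.0"
    return None


def connection_findings(function_json, app_settings):
    """Check that each eventHubTrigger binding resolves to an identity-based connection."""
    findings = []
    for b in function_json.get("bindings", []):
        if b.get("type") != "eventHubTrigger":
            continue
        conn = b["connection"]
        if "SharedAccessKey" in app_settings.get(conn, ""):
            findings.append(f"{conn}: SAS connection string (shared secret) is configured")
        if not app_settings.get(f"{conn}__fullyQualifiedNamespace"):
            findings.append(f"{conn}__fullyQualifiedNamespace is missing")
        if app_settings.get(f"{conn}__credential", "").lower() != "managedidentity":
            findings.append(f"{conn}__credential is not 'managedidentity'")
        elif not app_settings.get(f"{conn}__clientId"):
            findings.append(f"{conn}__clientId is missing (a user-assigned MI is selected by client id)")
    return findings


def missing_roles(assignments, principal_id, namespace_id, required=REQUIRED_ROLES):
    """Roles from `required` that the principal lacks at namespace scope or at a parent scope."""
    nid = namespace_id.lower()
    held = set()
    for a in assignments:
        scope = a["scope"].rstrip("/").lower()
        if a["principalId"] == principal_id and (scope == nid or nid.startswith(scope + "/")):
            held.add(a["roleDefinitionName"])
    return sorted(required - held)


def audit(function_json, host_json, app_settings, assignments, principal_id, namespace_id):
    """Aggregate all findings; an empty list means the trigger is wired to the MI as intended."""
    findings = connection_findings(function_json, app_settings)
    b = bundle_finding(host_json)
    if b:
        findings.append(b)
    for role in missing_roles(assignments, principal_id, namespace_id):
        findings.append(f"missing role assignment: {role}")
    return findings


if __name__ == "__main__":
    for label, settings in (("identity", APP_SETTINGS_IDENTITY), ("sas", APP_SETTINGS_SAS)):
        print(label, audit(FUNCTION_JSON, HOST_JSON, settings, ROLE_ASSIGNMENTS,
                           UAMI_PRINCIPAL_ID, NAMESPACE_ID))
```

Running the script prints an empty finding list for the identity-based settings and three findings for the SAS variant (the shared-secret string plus the two missing identity settings). Against a real app, the app settings would come from the Function App's configuration and the assignment list from `az role assignment list` at the namespace scope; the checks themselves stay the same.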