How connect Azure function using managed identity with Azure Service bus - azure

I am creating an Azure function using the Azure portal. I added a trigger and am trying to add a connection to Service Bus (I am adding an Azure Service Bus topic trigger). When I try to add the connection string I only see one option, called RootManagedSharedAccessKey. I do not want to connect using a shared access key. Instead I want to use a managed identity. But that option is not available at all. See the attached image for more information. I have already added a Managed Identity to the Function App.
How can I configure the function to use the managed identity? I am not deploying/creating the function using Visual Studio. I am just using the Azure Portal.

Create a managed identity, and you need to add Azure role assignments by clicking on "Add role assignment" as below:
Azure Service Bus Data Receiver
Azure Service Bus Data Owner
Now in Service Bus as well, you need to assign the same roles that were given to your managed identity, as below:
Service Bus -> Access Control (IAM) -> Add role assignment
After assigning the managed identity, it should be reflected in your Service Bus as shown here.
Now create a function in the Function App with the Azure Service Bus Topic Trigger, using the managed identity.
Reference link
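
The portal steps above do not show the piece that actually makes the trigger use the identity: an identity-based connection is configured by an app setting named `<connectionName>__fullyQualifiedNamespace` (double underscore) instead of a connection string, and the trigger binding's `connection` property names that prefix. The following Azure CLI script, an added example that is not part of the original question or answer, wires that up end to end: it enables the Function App's system-assigned identity, assigns only the role the function needs (a trigger only receives, so Data Receiver rather than Data Owner), and writes the identity-based setting. Resource names (`demo-rg`, `demo-func`, `demo-bus`) are placeholders and `DRY_RUN=1` (the default) prints the `az` commands instead of running them, so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example: identity-based Service Bus trigger connection for an Azure Function.
# Resource names used here are placeholders, not values from the original post.
set -euo pipefail

# App setting name the Functions host looks for when no connection string is present:
# "<connectionName>__fullyQualifiedNamespace". The trigger binding's "connection"
# property is set to just "<connectionName>".
identity_setting_name() {
  printf '%s__fullyQualifiedNamespace' "$1"
}

# Hostname of a Service Bus namespace (what the fullyQualifiedNamespace setting holds).
sb_fqdn() {
  printf '%s.servicebus.windows.net' "$1"
}

# Least-privilege built-in role(s) for how the function uses the entity.
# A trigger only receives, so it needs Data Receiver, not Data Owner.
sb_roles_for() {
  case "$1" in
    receive) echo "Azure Service Bus Data Receiver" ;;
    send)    echo "Azure Service Bus Data Sender" ;;
    both)    printf '%s\n%s\n' "Azure Service Bus Data Receiver" "Azure Service Bus Data Sender" ;;
    *)       echo "unknown mode: $1 (expected receive|send|both)" >&2; return 1 ;;
  esac
}

# Print the command in dry-run mode (default), execute it otherwise.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Enable the Function App's system-assigned identity, grant it the chosen role(s)
# on the namespace, and set the identity-based connection setting.
#   configure_identity_trigger <resource-group> <function-app> <sb-namespace> <receive|send|both> [connectionName]
configure_identity_trigger() {
  local rg=$1 app=$2 ns=$3 mode=$4 conn=${5:-ServiceBusConnection}
  local pid scope

  if [ "${DRY_RUN:-1}" = "1" ]; then
    # Placeholders: in a real run these come from the two az calls in the else branch.
    echo "az functionapp identity assign -g $rg -n $app --query principalId -o tsv"
    pid='<principalId>'
    scope="/subscriptions/<subscriptionId>/resourceGroups/$rg/providers/Microsoft.ServiceBus/namespaces/$ns"
  else
    pid=$(az functionapp identity assign -g "$rg" -n "$app" --query principalId -o tsv)
    scope=$(az servicebus namespace show -g "$rg" -n "$ns" --query id -o tsv)
  fi

  # Scope the assignment to the namespace (or narrower: the topic's resource id).
  sb_roles_for "$mode" | while IFS= read -r role; do
    run az role assignment create --role "$role" \
      --assignee-object-id "$pid" --assignee-principal-type ServicePrincipal \
      --scope "$scope"
  done

  # No connection string anywhere: the host authenticates with the managed identity.
  run az functionapp config appsettings set -g "$rg" -n "$app" \
    --settings "$(identity_setting_name "$conn")=$(sb_fqdn "$ns")"
}

if [ "${1:-}" = "demo" ]; then
  DRY_RUN=1 configure_identity_trigger demo-rg demo-func demo-bus receive
fi
```

In the portal trigger, set the connection setting name to `ServiceBusConnection` (or whatever you passed as the fifth argument) rather than picking `RootManageSharedAccessKey`; with the `ServiceBusConnection__fullyQualifiedNamespace` setting present the host resolves the connection with the identity. Identity-based connections need the Service Bus extension 5.x (extension bundle 3.x or later), and a newly created role assignment can take a few minutes to propagate before the trigger starts receiving.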

Related


Can a single Service Principal be used to access multiple resources in Azure?

I have an app service that needs to connect to Azure Key Vault to obtain Storage and Cosmos DB connection strings. The same application also needs to use service principal name (with client id and secret) to connect directly to a SQL PaaS instance (not via Azure Key Vault). Can I use one single service principal for both?
Can I use one single service principal for both?
Sure you can. As long as the Service Principal has appropriate permissions to access both Azure Key Vault and SQL Database, it should be able to access these resources.
The key thing here is that your Service Principal must be assigned appropriate RBAC roles. For example, if you assign your Service Principal a Contributor role in an Azure Subscription, then you can manage all resources of your Azure Subscription (except role assignment) using that Service Principal.

Azure Blob Storage: Add role assignment issue

In Azure DevOps, I have created a service connection (type: Azure Resource Manager) to be able to upload files to Azure Blob Storage.
Then I have added the Storage Blob Data Contributor role for this service principal under Access Control (IAM) in my Azure Storage account by searching for the service principal's name under Select.
I have noticed that each time I create a new DevOps pipeline that uses the (same) service connection, I need to add the Storage Blob Data Contributor role again because under Select, there are then multiple items with the same (service principal's) name. It's not clear why there are multiple items and it's also unclear which one is the newest, such that I am just adding all items as a workaround.
Is there anything that I am missing to avoid ending up with dozens of items to select when assigning roles for a new pipeline that uses the same service connection?
By design, one service connection maps to one single service principal.
Your issue is most likely that you never assigned the actual service principal id to that service connection while you configured it. When the system finds there is no principal there, it automatically creates one for it in Azure.
Please give the full parameters value there, including service principal id and secret, when you create the service connection.
Then you can just grant the permission to the currently used service principal.

Can we create an Azure Service Bus (to debug Workflow & Remote Event Receivers) inside Azure VM

I am developing some Provider Hosted add-ins for my SharePoint Online tenant, and the Provider Hosted add-ins contain WCF services to implement Remote Event Receivers. Now I know that inside an Azure subscription account, I can create a new Service Bus to use inside my Visual Studio projects, for debugging and testing my remote event receivers and workflows. For example, inside my Azure web portal I have created this service bus:
Then inside the Visual Studio Provider Hosted add-in project I entered the service bus information, as follows:
This allowed me to debug and test my Remote Event Receiver code (actually I did not find any other way to debug my Remote Event Receivers than specifying an Azure Service Bus). Now my question is: if we chose to have an Azure Virtual Machine instead of an Azure subscription, would we still be able to create an Azure service bus or similar functionality inside IIS? Or is this option only provided as part of an Azure subscription account?
If the answer is no (I cannot create a service bus inside an Azure VM), then is there a way I can debug and test my Remote Event Receiver code without using Azure Service Bus?
Thanks
Azure Service Bus is a hosted Azure service. You can't "create" or "emulate" it on premises or in a VM.
if we chose to have an Azure Virtual Machine instead of an Azure subscription, would we still be able to create an Azure service bus inside IIS? Or is this option only provided as part of an Azure subscription?
Through an Azure subscription you get access to services and their resources, such as VMs and Azure Service Bus. To use a VM you don't have to use an Azure subscription, as you could spin one up on your own machine if you'd like. But you can't run your own Service Bus, IIS or not. For that you'll need to have an active subscription and create a namespace under Service Bus.
If the answer is no (I cannot create a service bus inside an Azure VM), then is there a way I can debug and test my Remote Event Receiver without using Azure Service Bus?
As mentioned above, you could use a namespace for testing purposes from a VM as long as that VM has access to the internet.

Are VSTS Service Principals impacted by the Azure AD signing key roll over

We have a VSTS Azure Resource Manager Service Endpoint that uses a Service Principal to connect to Azure. This service principal was created manually. I was wondering if this service principal is impacted by the Azure AD signing key rollover and whether it will handle it automatically.
If you are using a service principal created through VSTS, there shouldn't be a problem. If it's created another way, you'll want to check this article from the Azure team about the rollover.