Support Managed Identity authentication for Built-In Service Bus connector in VS Code

[mark-abrams]

This feature request is a result of the response provided for issue #708 .

I have a Standard Logic App that writes a message to an Azure Service Bus topic using the "Send Message" built-in connector. I want to use Managed Identity for the authentication from the Logic App to Service Bus so I no longer have to maintain the connection string in configuration. I have updated the connection.json to use Managed Identity:

"service-bus-int01": {
  "displayName": "service-bus-int01",
  "parameterValues": {
    "authProvider": {
      "Type": "ManagedServiceIdentity"
    },
   "fullyQualifiedNamespace": "@appsetting('ServiceBus-int01-FullyQualifiedNamespace')"
  },
  "serviceProvider": {
    "id": "/serviceProviders/serviceBus"
  }
}

And added this to the local.settings.json:

"ServiceBus-int01-FullyQualifiedNamespace": "my-servicebus-namespace.servicebus.windows.net"

This configuration works perfectly when the Logic App runs in Azure, but does not work when running in VS Code in a local development environment. When the "Send Message" action is run, I get this error in the run history:

ConnectionReferenceInvalid. The provided connection name 'service-bus-int01' for type 'ServiceProvider' has invalid 'authProvider' section. Managed identity is either not enabled or misconfigured on the Logic App. Please enable or repair managed identity before use.

I understand from the response to #708 that Managed Identity does not work when running locally, it only works when running on a Logic App resource in Azure. This approach is very poor because:

• I need to securely manage the Service Bus connection string in a development environment - the whole point of using Managed Identity is so that I can avoid managing the connection string
• My security design for Logic Apps running locally has diverged from the design for Logic Apps running in Azure and I want the design to be the same in both environments

So can you please update the Logic Apps (Standard) extension for VS code to support Managed Identity for the Service Bus built-in connector (and ideally all connectors where Managed Identity is supported in Azure). Azure functions triggers and bindings support Managed Identity (using the identity of the configured user in VS Code) so this can't be too hard to do?

[mark-abrams]

Hi @divyaswarnkar, @rohithah, is there any chance of this issue being fixed? It is really important that we have a consistent security approach for local development and Azure. Without this, we can't remove the use of Service Bus connection strings which is our security requirement.

[axiomitdavid]

On the Logic Apps Live YouTube from last week, I asked the question about support for Managed Identity in the VSCode designer. Apparently they are not going to be able to directly support it, but provide tools for swapping connector authentication in your deployment pipeline.

Not ideal, but better than having to either modify the workflow before deployment or do some type of hacky transform of the JSON yourself in the pipeline.