|
| 1 | +--- |
| 2 | +title: "Configure Durable Functions with managed identity" |
| 3 | +description: Configure Durable Functions with managed identity |
| 4 | +author: naiyuantian |
| 5 | +ms.topic: quickstart |
| 6 | +ms.date: 07/08/2024 |
| 7 | +ms.author: azfuncdf |
| 8 | +--- |
| 9 | + |
| 10 | +# Configure Durable Functions with managed identity |
| 11 | + |
| 12 | +A managed identity from the access management service [Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md) allows your app to access other Microsoft Entra protected resources without handling secrets manually. The identity is managed by the Azure platform, so you do *not* need to provision or rotate any secrets. The recommended way to authenticate access to Azure resources is through using such an identity. In this article, we show how to configure a Durable Functions app that is using the default Azure Storage provider to use a managed identity to access the storage account. |
| 13 | + |
| 14 | +## Local development |
| 15 | + |
| 16 | +### Use Azure Storage emulator |
| 17 | +When developing locally, it's recommended that you use Azurite, which is Azure Storage's local emulator. You can configure your app to the emulator by specifying `"AzureWebJobsStorage": "UseDevelopmentStorage = true"` in the local.settings.json. |
| 18 | + |
| 19 | +### Identity-based connections for local development |
| 20 | + |
| 21 | +You can still use an identity-based connection for local development if you prefer. Strictly speaking, a managed identity is only available to apps when executing on Azure. When configured to use identity-based connections, a locally executing app will utilize your developer credentials to authenticate with Azure resources. Then, when deployed on Azure, it will utilize your managed identity configuration instead. |
| 22 | + |
| 23 | +When using your developer credentials, the connection attempts to get a token from the following locations, in the said order, for access to your Azure resources: |
| 24 | + |
| 25 | +- A local cache shared between Microsoft applications |
| 26 | +- The current user context in Visual Studio |
| 27 | +- The current user context in Visual Studio Code |
| 28 | +- The current user context in the Azure CLI |
| 29 | + |
| 30 | +If none of these options are successful, an error occurs. |
| 31 | + |
| 32 | +#### Configure runtime to use local developer identity |
| 33 | +1. Specify the name of your Azure Storage account in local.settings.json: |
| 34 | + ```json |
| 35 | + { |
| 36 | + "IsEncrypted": false, |
| 37 | + "Values": { |
| 38 | + "AzureWebJobsStorage__accountName": "<<your Azure Storage account name>>", |
| 39 | + "FUNCTIONS_WORKER_RUNTIME": "dotnet-isolated" |
| 40 | + } |
| 41 | + } |
| 42 | + ``` |
| 43 | +2. Go to the Azure Storage account resource on Azure Portal, navigate to the **Access Control (IAM)** tab, and click on **Add role assignment**. Find the following roles: |
| 44 | + * Storage Queue Data Contributor |
| 45 | + * Storage Blob Data Contributor |
| 46 | + * Storage Table Data Contributor |
| 47 | + |
| 48 | + Assign the roles to yourself by clicking "+ Select members" and finding your email in the pop-up window. (This email is the one you use to log into Microsoft applications, Azure CLI, or editors in the Visual Studio family.) |
| 49 | + |
| 50 | +  |
| 51 | + |
| 52 | +## Identity-based connections for app deployed to Azure |
| 53 | + |
| 54 | +Managed identity is supported in [Durable Functions extension](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.DurableTask) versions **2.7.0** and greater. |
| 55 | + |
| 56 | +### Prerequisites |
| 57 | + |
| 58 | +The following steps assume that you're starting with an existing Durable Functions app and are familiar with how to operate it. In particular, this quickstart assumes that you have already: |
| 59 | + |
| 60 | +* Deployed an app running in Azure that has Durable Functions. |
| 61 | + |
| 62 | +If this isn't the case, we suggest you start with one of the following articles, which provides detailed instructions on how to achieve all the requirements above: |
| 63 | + |
| 64 | +- [Create your first durable function - C#](durable-functions-create-first-csharp.md) |
| 65 | +- [Create your first durable function - JavaScript](quickstart-js-vscode.md) |
| 66 | +- [Create your first durable function - Python](quickstart-python-vscode.md) |
| 67 | +- [Create your first durable function - PowerShell](quickstart-powershell-vscode.md) |
| 68 | +- [Create your first durable function - Java](quickstart-java.md) |
| 69 | + |
| 70 | +### Enable managed identity resource |
| 71 | + |
| 72 | +Only one identity is needed for your function, either a **system assigned managed identity** or a **user assigned managed identity**. To enable a managed identity for your function application and learn more about the differences between the two identities, read the [detailed instructions](../../app-service/overview-managed-identity.md). |
| 73 | + |
| 74 | +### Assign Role-based Access Controls (RBAC) to managed identity |
| 75 | + |
| 76 | +Navigate to your app's Azure Storage resource on the Azure portal and [assign the following roles](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/how-to-assign-access-azure-resource) to your managed identity resource: |
| 77 | + |
| 78 | +* Storage Queue Data Contributor |
| 79 | +* Storage Blob Data Contributor |
| 80 | +* Storage Table Data Contributor |
| 81 | + |
| 82 | +You'll need to select assign access to "Managed identity" and then "+ Select members" to find your identity resource: |
| 83 | + |
| 84 | + |
| 85 | + |
| 86 | +### Add managed identity configuration to your app |
| 87 | + |
| 88 | +Navigate to your Azure Functions app’s **Configuration** page and perform the following changes: |
| 89 | + |
| 90 | +1. Remove the default value "AzureWebJobsStorage". |
| 91 | + |
| 92 | + [ ](./media/durable-functions-configure-df-with-credentials/durable-functions-managed-identity-scenario-01.png#lightbox) |
| 93 | + |
| 94 | +2. Link your Azure Storage account by adding **either one** of the following value settings (remember to click "Apply" after making the setting changes): |
| 95 | + |
| 96 | + * Option 1: |
| 97 | + **AzureWebJobsStorage__accountName**: For example: `mystorageaccount123` |
| 98 | + |
| 99 | + * Option 2: |
| 100 | + **AzureWebJobsStorage__blobServiceUri**: Example: `https://mystorageaccount123.blob.core.windows.net/` |
| 101 | + |
| 102 | + **AzureWebJobsStorage__queueServiceUri**: Example: `https://mystorageaccount123.queue.core.windows.net/` |
| 103 | + |
| 104 | + **AzureWebJobsStorage__tableServiceUri**: Example: `https://mystorageaccount123.table.core.windows.net/` |
| 105 | + |
| 106 | + > [!NOTE] |
| 107 | + > If you are using [Azure Government](../../azure-government/documentation-government-welcome.md) or any other cloud that's separate from global Azure, then you will need to use this second option to provide specific service URLs. The values for these settings can be found in the storage account under the **Endpoints** tab. For more information on using Azure Storage with Azure Government, see the [Develop with Storage API on Azure Government](../../azure-government/documentation-government-get-started-connect-to-storage.md) documentation. |
| 108 | +
|
| 109 | +  |
| 110 | + |
| 111 | +3. Finalize your managed identity configuration (remember to click "Apply" after making the setting changes): |
| 112 | + |
| 113 | + * If **system-assigned identity** should be used, then specify nothing else. |
| 114 | + |
| 115 | + * If **user-assigned identity** should be used, then add the following app settings values in your app configuration: |
| 116 | + * **AzureWebJobsStorage__credential**: managedidentity |
| 117 | + |
| 118 | + * **AzureWebJobsStorage__clientId**: (This is a GUID value that you obtain from your managed identity resource) |
| 119 | + |
| 120 | +  |
| 121 | + |
| 122 | + |
| 123 | + |
| 124 | + |
| 125 | + |
| 126 | + |
| 127 | + |
0 commit comments