1
votes

I have a requirement to encrypt all messages written to Azure Storage.

I wanted to use Azure Queues to trigger WebJobs, so I adopted the approach below to encrypt the queue message prior to storing:

https://docs.microsoft.com/en-us/azure/storage/storage-client-side-encryption

This encrypts the message fine on the Queue.

I then wanted to write a WebJob (or even better, an Azure Function) to respond to the Queue message, decrypt it and process it.

Unfortunately the web job always falls over with the exception:

System.FormatException: The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters

Does anyone have a way of doing this? I even tried to implement my own CustomQueueProcessorFactory like in the example

https://github.com/Azure/azure-webjobs-sdk-samples/blob/master/BasicSamples/MiscOperations/CustomQueueProcessorFactory.cs

but the Azure WebJob library only invokes it with a CloudQueueMessage, whereas I need to encrypt it before then.

Any ideas?

Thanks.

1 Answer

1
votes

I believe you'll be able to do this with the CustomQueueProcessor by modifying the service client options in the create method.

public QueueProcessor Create(QueueProcessorFactoryContext context)
{
  ...
  // demonstrates how the Queue.ServiceClient options can be configured
  context.Queue.ServiceClient.DefaultRequestOptions.EncryptionPolicy = policy;
  ...
}

Unfortunately we don't provide that level of control in Azure Functions (you can hack it if you deploy the functions runtime as a site extension in an app service plan, but you don't get any of the consumption scaling, etc).

https://docs.microsoft.com/en-us/azure/storage/storage-client-side-encryption#queue-service-encryption

https://github.com/Azure/azure-webjobs-sdk-samples/blob/master/BasicSamples/MiscOperations/CustomQueueProcessorFactory.cs#L19
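
A fuller sketch of the factory approach the answer describes, added here as an example and not taken from the original post or the SDK samples. The class names `EncryptedQueueProcessorFactory` and `EncryptedQueueHost`, the queue name `orders`, and the caller-supplied `IKey`/`IKeyResolver` are assumptions; it targets the WebJobs SDK with `JobHostConfiguration` and the `Microsoft.WindowsAzure.Storage` client library.

```csharp
using System;
using System.IO;
using Microsoft.Azure.KeyVault.Core;          // IKey, IKeyResolver
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Host.Queues;    // IQueueProcessorFactory, QueueProcessor
using Microsoft.WindowsAzure.Storage.Queue;   // QueueEncryptionPolicy

// Sets the client-side encryption policy on the service client the SDK polls with,
// so the storage library decrypts each message before the trigger binds it.
public class EncryptedQueueProcessorFactory : IQueueProcessorFactory
{
    private readonly QueueEncryptionPolicy _policy;

    // key:      the key that wrapped the messages (its Kid must match the id stored in the message)
    // resolver: optional; looks the key up by id, for example after key rotation
    public EncryptedQueueProcessorFactory(IKey key, IKeyResolver resolver)
    {
        if (key == null && resolver == null)
            throw new ArgumentException("A key or a key resolver is required to decrypt.");
        _policy = new QueueEncryptionPolicy(key, resolver);
    }

    public QueueProcessor Create(QueueProcessorFactoryContext context)
    {
        // Same line as in the answer, with the policy built once in the constructor.
        context.Queue.ServiceClient.DefaultRequestOptions.EncryptionPolicy = _policy;
        return new QueueProcessor(context);
    }
}

public static class EncryptedQueueHost
{
    // The caller supplies the key material; how it is loaded is an assumption left to the host.
    public static JobHostConfiguration Configure(IKey key, IKeyResolver resolver)
    {
        var config = new JobHostConfiguration();
        config.Queues.QueueProcessorFactory = new EncryptedQueueProcessorFactory(key, resolver);
        return config;
    }
}

public static class Functions
{
    // "orders" is a placeholder queue name. Log metadata only, never the decrypted payload.
    public static void ProcessOrder([QueueTrigger("orders")] string message, TextWriter log)
    {
        log.WriteLine("Processed decrypted message of {0} characters", message.Length);
    }
}
```

The host would be started with `new JobHost(EncryptedQueueHost.Configure(key, resolver)).RunAndBlock();`, using the same key (or a resolver that can find it) that the producer used when it enqueued the message.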