0
votes

I've been all over the place looking for an answer to the question in the title, but I have found 0 relevant information on my issue. Yes, there are examples for other services, but nothing for my case.

I have an Azure App Function.
I enabled its Managed Identity.
I added a data-reader role for that function in the App Configuration Access Management (IAM).
In my code I added

    public override void ConfigureAppConfiguration(IFunctionsConfigurationBuilder builder)
    {
        var appConfigEndpoint = Environment.GetEnvironmentVariable("AppConfigEndpoint");
        builder.ConfigurationBuilder.AddAzureAppConfiguration(options => options.Connect(new Uri(appConfigEndpoint), new ManagedIdentityCredential()));
    }

in my Startup.cs

When I run it in DEBUG locally I get this error:

    A host error has occurred during startup operation '<some GUID>'.
    Azure.Identity: ManagedIdentityCredential authentication unavailable. No Managed Identity endpoint found.
    Value cannot be null. (Parameter 'provider')

Also tried changing new ManagedIdentityCredential() for new DefaultAzureCredential() but then I get:

    A host error has occurred during startup operation '732e2be5-0729-4279-b15a-833c8313b39a'.
    Azure.Data.AppConfiguration: Service request failed.
    Status: 403 (Forbidden)

    Headers:
    Server: openresty/1.17.8.2
    Date: Wed, 30 Jun 2021 14:15:22 GMT
    Connection: keep-alive
    x-ms-request-id: 2f2066ef-9222-42d5-b96b-85a9b338127e
    x-ms-client-request-id: 68cd19e1-0166-4567-a3f9-10f9a1cb6f3c
    x-ms-correlation-request-id: 2f2066ef-9222-42d5-b96b-85a9b338127e
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Credentials: true
    Access-Control-Expose-Headers: DNT, X-CustomHeader, Keep-Alive, User-Agent, X-Requested-With, If-Modified-Since, Cache-Control, Content-Type, Authorization, x-ms-client-request-id, x-ms-useragent, x-ms-content-sha256, x-ms-date, host, Accept, Accept-Datetime, Date, If-Match, If-None-Match, Sync-Token, x-ms-return-client-request-id, ETag, Last-Modified, Link, Memento-Datetime, retry-after-ms, x-ms-request-id, x-ms-client-session-id, x-ms-effective-locale, WWW-Authenticate
    Strict-Transport-Security: max-age=15724800; includeSubDomains
    Content-Length: 0
    .
    Value cannot be null. (Parameter 'provider')

My Azure account is added to my Visual Studio and in Tools > Options > Azure Service Authentication it is selected.

I'm going crazy - what must I do so I can debug locally?

Have you assigned proper RBAC role to your user account (account with which you're logged in to Visual Studio)? - Gaurav Mantri

Hm, I think because you are receiving a 403 (forbidden) instead of a 401 (unauthorized), the authentication using MSI was successful but you probably have to check the authorization (RBAC). So ensure that your user has access to the App Configuration. - Martin Brandl

Can you edit your question and share the exact error message you're getting when you run your Function app? - Gaurav Mantri

@GauravMantri, everything sorted itself out. Looks like Azure needed more time to sync? - Tessaract

1 Answer

1
votes

ManagedIdentityCredential only works in Azure. You could change it to use DefaultAzureCredential instead. It attempts multiple methods, including Managed Identity and Visual Studio authentication. So it'll work locally as well. Of course your user account does need to have the needed RBAC role as well.
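
As an added example (not part of the answer above or the asker's project), here is one way to choose the credential explicitly per environment, so that only the managed identity is used in Azure and only developer sign-ins are used locally. The namespace `ExampleApp`, the helper `CreateCredential`, and the use of the `IDENTITY_ENDPOINT` environment variable to detect an App Service / Functions host are assumptions of this sketch; both the function's identity and the developer account still need the data-reader role on the App Configuration store.

```csharp
using System;
using Azure.Core;
using Azure.Identity;
using Microsoft.Azure.Functions.Extensions.DependencyInjection;
using Microsoft.Extensions.Configuration;

[assembly: FunctionsStartup(typeof(ExampleApp.Startup))]

namespace ExampleApp // hypothetical namespace for this example
{
    public class Startup : FunctionsStartup
    {
        public override void ConfigureAppConfiguration(IFunctionsConfigurationBuilder builder)
        {
            // Same setting name the question uses; fail early with a clear message if it is missing.
            var endpoint = Environment.GetEnvironmentVariable("AppConfigEndpoint");
            if (string.IsNullOrWhiteSpace(endpoint))
                throw new InvalidOperationException("AppConfigEndpoint is not set.");

            builder.ConfigurationBuilder.AddAzureAppConfiguration(options =>
                options.Connect(new Uri(endpoint), CreateCredential()));
        }

        public override void Configure(IFunctionsHostBuilder builder)
        {
            // No service registrations are needed for this example.
        }

        // Hypothetical helper: returns exactly one kind of identity per environment.
        private static TokenCredential CreateCredential()
        {
            // Assumption: the Functions host in Azure sets IDENTITY_ENDPOINT when a
            // managed identity is enabled. It is absent on a developer machine, which
            // is why ManagedIdentityCredential reports "No Managed Identity endpoint found".
            var inAzure = !string.IsNullOrEmpty(
                Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT"));

            if (inAzure)
                return new ManagedIdentityCredential();

            // Local debugging: try the Visual Studio account first, then the Azure CLI login.
            // A 403 here means the token was accepted but that account lacks the RBAC role
            // (or the role assignment has not propagated yet).
            return new ChainedTokenCredential(
                new VisualStudioCredential(),
                new AzureCliCredential());
        }
    }
}
```

Compared with a bare `DefaultAzureCredential`, this keeps the deployed function from silently falling back to any other credential source that happens to be present on the host.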