Using Managed Identity to connect to a queue from a WebJob
I have an app service with a system-assigned managed identity, and a WebJob operating off a queue trigger. If I give the app service an AzureWebJobsStorage connection string, it works, no problem. It grabs the message from the queue and does its stuff. But that's less secure, and thus far I've been unable to get it to work off the managed identity.
I have it using the following settings to provide the info it needs:
AzureWebJobsStorage__accountName: [my storage account name]
AzureWebJobsStorage__credential: ManagedIdentity
It should have everything it needs to use the storage account name and the name of the queue set in the queue trigger (plus permissions to the storage account on the managed identity, I've given it Contributor, Key Vault Secrets User and Storage Queue Data Contributor) to listen to the queue. But it doesn't give any indication that it's doing so. It doesn't give an error, either. It just says "Job host started".
Oh, and I have AzureWebJobsDashboard set, since it seems to be necessary to use the dashboard, but clearly it doesn't use that to interact with the queue.
If it makes any difference, the app service is Windows.
My questions are thus:
- Is there something I'm missing that will get it working? Missing permissions, missing app settings, etc etc
- Will it even work as a WebJob? Everything I've seen online mentions Function apps, and while there's a lot of crossover, strictly speaking, it's a WebJob, not a Function app. At least it's not defined as such in the Azure Portal.
- If it won't work, what are the best alternatives? Previously we had connection strings coming from a Key Vault.
My appsettings.json file:
{
"Logging": {
"LogLevel": {
"Default": "Information",
"Azure.Core": "None"
}
}
}
Make sure you have set the LogLevel.
- Deployed the Web Job to Azure App Service.
- Enabled the Identity of Azure WebApp.
Thanks @techcommunity for the clear steps.
I have taken references from this blog and followed the same for WebApp.
- Add
AzureWebJobsStorage__accountnamesetting in the Environment Variable with a value of your storage account name.
- In Storage account, you need to assign the below 3 role assignments for your WebApp.
Storage Account Contributor
Storage Blob Data Owner
Storage Queue Data Contributor
- Add a message in a Queue
and run the Web Job
Output:
- How to resolve paging when retrieving data from REST API in R
- SearchService deployment fails if the resource exists
- Azure Bicep - Referencing a variable that cannot be calculated at the start
- Local development with Azure SignalR Service and Azure Functions
- Azure Functions & Application Insights requests "Operation Link" empty
- Disabling allow public blob access using terraform
- how to retrieve all resources under given subnet using Azure Resource Graph Explorer query
- I'm using SSIS in ADF to move .csv from a blob container to another and then ingest into a Azure SQL database. I get an assembly error
- How to build expression in ADF from json using parameterized variable?
- Reference a variable azure pipeline not working
- Graph Powershell adding a user to PIM for a privileged security group
- Indexing static HTML blob storage content with Azure Cognitive Search is not working as expected
- Azure python webapp deploy shows as running even though it is successful
- Azure pipeline get Pull request source and target branch name
- Error while copying Azure Storage table from one Storage to another storage table using Powershell script
- Azure Function App Fails to Delete Blob Image After Deployment
- Use Azure AD authentication but manage roles in database in .NET 6
- Microsoft Azure VMs IaaS or PaaS?
- Can an application property be updated/deleted from a ServiceBusReceivedMessage?
- Why is my Blazor Web App throwing a SocketException when authenticating with OpenIddict when deployed to Azure App Service?
- RPC failed: curl 56 failure when receiving data from the peer
- Read 'Attribute & Claims' from SAML Entra application configuration using PowerShell
- Reading Excel file returns 'Invalid Request' error
- Is it possible to clone an Azure Container App?
- Unable to Enable Encryption at host for Azure VM
- Application Insights does not capture information level logging
- How to look up logical partition count and size in Cosmos DB
- AzureRmWebAppDeployment@4 tries to deploy to a wrong URL to Linux app plan
- Azure B2C client credentials flow throws invalid_grant AADB2C90085
- Why I can't create azurerm_app_service connection?