Azure / Webjobs.Extensions.Kusto

Azure functions Input and output bindings for Kusto (ADX)
MIT License

Using System Managed Identity on local machine #49

Open Jandev opened 11 months ago

Jandev commented 11 months ago

I wanted to use this extension along with my Managed Identity. On local systems, this should default to the logged in user in Azure CLI or Visual Studio. However, this does not appear to be possible. I'm receiving the following error:

[2023-11-14T20:26:23.583Z] System.Private.CoreLib: Exception while executing function: Functions.AddSensorData. Microsoft.Azure.WebJobs.Host: Error while handling parameter _binder after function returned:. Kusto.Ingest: A permanent error occurred while attempting to ingest: 'Stream' via streaming ingestion. Error: 'ManagedIdentityCredential authentication unavailable. Multiple attempts failed to obtain a token from the managed identity endpoint.'. Azure.Identity: ManagedIdentityCredential authentication unavailable. Multiple attempts failed to obtain a token from the managed identity endpoint. Azure.Core: Retry failed after 4 tries. Retry settings can be adjusted in ClientOptions.Retry or by configuring a custom retry policy in ClientOptions.RetryPolicy. (A socket operation was attempted to an unreachable network. (169.254.169.254:80)) (A socket operation was attempted to an unreachable network. (169.254.169.254:80)) (A socket operation was attempted to an unreachable network. (169.254.169.254:80)) (A socket operation was attempted to an unreachable network. (169.254.169.254:80)). Azure.Core: A socket operation was attempted to an unreachable network. (169.254.169.254:80). System.Net.Http: A socket operation was attempted to an unreachable network. (169.254.169.254:80). System.Net.Sockets: A socket operation was attempted to an unreachable network.

As for context, this is the configuration I'm using:

{
  "IsEncrypted": false,
  "Values": {
    "AzureWebJobsStorage": "UseDevelopmentStorage=true",
    "FUNCTIONS_WORKER_RUNTIME": "dotnet-isolated",
    "MachineDataDatabase": "data",
    "KustoConnectionString": "Data Source=https://my-instance.westeurope.kusto.windows.net;Initial Catalog=NetDefaultDB;User ID=;Password=;Application Client Id=;Application Key=;Application Certificate Thumbprint=;Application Certificate Subject Distinguished Name=;Application Certificate Issuer Distinguished Name=;Application Token=;User Token=;AAD Federated Security=True;dSTS Federated Security=False;Authority Id=",
    "MachineTemperatureTableName": "MachineTemperature"
  }
}

I got the connection string via LinqPad using the following code:

var kustoUri = "https://my-instance.westeurope.kusto.windows.net";
var kustoConnectionStringBuilder = new KustoConnectionStringBuilder(kustoUri)
    .WithAadSystemManagedIdentity();

kustoConnectionStringBuilder.ConnectionString.Dump();

The actual Azure Function is rather simple at the moment.

[Function(nameof(AddSensorData))]
[KustoOutput(Database: "data", Connection = "KustoConnectionString", TableName = "MachineTemperature", ManagedServiceIdentity = "system")]
public IEnumerable<MachineTemperature> AddSensorData(
    [HttpTrigger(AuthorizationLevel.Function, "get")]
    HttpRequestData req)
{
    _logger.LogInformation("Creating temperature data.");

    List<MachineTemperature> result = new ();
    for(int i = 0; i < Produce.BatchSize; i++)
    {
        var machineName = NameBuilder.Machine(random.Next(0, Produce.BatchSize));
        result.Add(new MachineTemperature
        {
            MachineId = computeIdentifier.Invoke(machineName),
            MachineName = machineName,
            TimeGenerated = DateTime.UtcNow,
            TemperatureCelcius = random.Next(2000, 15000)
        });
    }
    return result;
}

Am I doing something wrong in my current setup, maybe the connection string? Or is this scenario not supported (yet)? Would love to know if/how I can resolve this.

Of course, creating a service principal & secret is a possibility but that would be my last resort.
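Added example, not code from this issue or from the Webjobs.Extensions.Kusto project: when the Kusto SDK is called directly instead of through the binding, the credential can be selected at runtime so that the managed identity is used in Azure and the developer's Azure CLI or Visual Studio sign-in is used locally, with no client secret stored in local.settings.json. It assumes the Azure.Identity and Microsoft.Azure.Kusto.Data packages; the class name `KustoCredentialSelector` and the use of the `IDENTITY_ENDPOINT` variable as the hosting signal are choices made for this example.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Kusto.Data;

// Hypothetical helper (added example): picks a token credential per environment.
public static class KustoCredentialSelector
{
    // App Service and Azure Functions set IDENTITY_ENDPOINT when a managed identity
    // is assigned. On a developer machine it is absent, and the IMDS address
    // 169.254.169.254 seen in the error above is not reachable.
    public static bool ManagedIdentityAvailable() =>
        !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT"));

    public static TokenCredential Select() =>
        ManagedIdentityAvailable()
            ? new ManagedIdentityCredential()               // system-assigned identity in Azure
            : new ChainedTokenCredential(                   // local: signed-in developer account
                  new AzureCliCredential(),
                  new VisualStudioCredential());

    public static async Task<KustoConnectionStringBuilder> BuildAsync(string kustoUri)
    {
        TokenCredential credential = Select();

        // Request a token once up front so that a missing sign-in fails here with a
        // clear message instead of surfacing later as a permanent ingestion error.
        string scope = kustoUri.TrimEnd('/') + "/.default";
        try
        {
            await credential.GetTokenAsync(
                new TokenRequestContext(new[] { scope }), CancellationToken.None);
        }
        catch (AuthenticationFailedException ex)
        {
            throw new InvalidOperationException(
                "No usable Azure credential: assign a managed identity in Azure, " +
                "or sign in with 'az login' or Visual Studio locally.", ex);
        }

        // The credential object travels with the builder; nothing secret is
        // written into the connection string itself.
        return new KustoConnectionStringBuilder(kustoUri)
            .WithAadAzureTokenCredentialsAuthentication(credential);
    }
}
```

The returned builder holds a live credential object, so it is passed to the Kusto client factories in code and cannot be stored as the `KustoConnectionString` setting the binding reads.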

ag-ramachandran commented 11 months ago

Hello @Jandev

Thanks for the feedback. Would be something we can try and work on. Will you be okay with a 2-week lead time on this (30 Nov)?

Jandev commented 11 months ago

Thanks for the swift response, @ag-ramachandran!

Now that I know this feature isn't supported yet, I can work around it using other means. I need the data ingested for a demo, next week. So the implementation will be too late for me to use it this time.

Knowing this will be picked up at some point in time is good enough for me. Maybe for a subsequent demo I can use this binding.

ag-ramachandran commented 11 months ago

Hello @Jandev! Ah, next week. Let me give it a good shot and see if I can do something for you. We'll try our best. Will keep you posted on this issue.

Jandev commented 11 months ago

Thanks, much appreciated. But no need to reprioritize your current work just for me. While this is a nice feature to have, I know the package is still in preview so we can wait a bit longer if necessary.