Azure / azure-functions-dotnet-worker

Azure Functions out-of-process .NET language worker
MIT License

ServiceBusTrigger ignoring the DefaultAzureCredentialOptions set in DefaultAzureCredentials #2382

Open ganiths opened 2 months ago

ganiths commented 2 months ago

Description

My function app is developed using .NET 8 with isolated worker process. We have a service bus trigger function.

In my local development, I wanted to turn off managed identity based authentication and instead use either Visual Studio or Visual Studio credentials.

I tried to turn it off using DI with the code below:

    services.AddAzureClients(clientBuilder =>
    {
        var options = new DefaultAzureCredentialOptions
        {
            ExcludeManagedIdentityCredential = true
        };

        clientBuilder.UseCredential(new DefaultAzureCredential(options));
    });

But the ServiceBus trigger is not using the above options and still tries to authenticate using managed identity credentials.

Could you please let me know how we can turn off managed identity authentication for the Service Bus trigger?

The version I am using for Microsoft.Azure.Functions.Worker.Extensions.ServiceBus is 5.17.0.

Steps to reproduce

Refer to the description.

mattchenderson commented 2 months ago

@ganiths Can you describe the impact you're seeing as a result of this?

Based on current implementation, there is a separation that would currently prevent customization of that credential from impacting the setup of the extensions. But even if MI probing were still enabled, the system should fall back and use VisualStudioCredential already.

ganiths commented 2 months ago

@mattchenderson My local machine is currently sitting behind a proxy that requires authentication. When I try to run the application locally, I am getting a 407 proxy authentication error when DefaultAzureCredential tries to do managed identity authentication. After the error, it's not proceeding to check the next set of credentials, and hence I am unable to run the application locally.

My application was initially written as a .NET 6 in-process function app and I am currently in the process of migrating to the .NET 8 isolated worker. Due to this error I am unable to proceed further with the migration, as we cannot test the application locally.

In the .NET 6 in-process function app, I used to disable the managed identity during WebJobs startup. But an equivalent is missing in the isolated worker function app.

    using System;
    using Azure.Identity;
    using Microsoft.Azure.WebJobs;
    using Microsoft.Azure.WebJobs.Hosting;
    using Microsoft.Extensions.Azure;

    public class LocalDevelopmentWebJobsStartup : IWebJobsStartup
    {
        public void Configure(IWebJobsBuilder builder)
        {
            var credOptions = new DefaultAzureCredentialOptions();

            // For local development, exclude managed identity authentication from the default Azure credentials.
            // Otherwise it gives a 407 Authentication required error.
            // Also, the WebJobs startup is required only for local development.
            var isLocalDevelopmentSetting = Environment.GetEnvironmentVariable("IsLocalDevelopment");

            var isConversionSuccess = bool.TryParse(isLocalDevelopmentSetting, out bool isLocalDevelopment);

            if (isConversionSuccess && isLocalDevelopment)
            {
                credOptions.ExcludeManagedIdentityCredential = true;

                builder.Services.AddAzureClients(clientBuilder =>
                {
                    clientBuilder.UseCredential(new DefaultAzureCredential(credOptions));
                });
            }
        }
    }

phatcher commented 1 month ago

AFAIK the latest Azure Identity packages have some fixes regarding quick failure if it can't get to the MI endpoint.
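
Added example, not code from any participant in this thread or from the Functions project: Azure.Identity's ChainedTokenCredential skips a source only when it throws CredentialUnavailableException and stops on any other failure, which is consistent with the behaviour reported above if the proxy's 407 surfaces as an AuthenticationFailedException (an assumption, not confirmed in the thread). StubCredential, the messages and the token value are constructed for illustration.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// Hypothetical stand-in for one credential in a chain; not part of Azure.Identity.
sealed class StubCredential : TokenCredential
{
    private readonly Func<AccessToken> _result;
    public StubCredential(Func<AccessToken> result) => _result = result;

    public override AccessToken GetToken(TokenRequestContext ctx, CancellationToken ct) => _result();

    public override ValueTask<AccessToken> GetTokenAsync(TokenRequestContext ctx, CancellationToken ct) =>
        new ValueTask<AccessToken>(_result());
}

static class Program
{
    static void Main()
    {
        var ctx = new TokenRequestContext(new[] { "https://servicebus.azure.net/.default" });

        // Constructed outcomes for the first link in the chain.
        var miUnavailable = new StubCredential(() =>
            throw new CredentialUnavailableException("constructed: no managed identity endpoint"));
        var miProxyError = new StubCredential(() =>
            throw new AuthenticationFailedException("constructed: 407 Proxy Authentication Required"));

        // Constructed developer credential that always succeeds.
        var devCalls = 0;
        var dev = new StubCredential(() =>
        {
            devCalls++;
            return new AccessToken("constructed-token", DateTimeOffset.UtcNow.AddMinutes(5));
        });

        // "Unavailable" is skipped, so the developer credential supplies the token.
        var token = new ChainedTokenCredential(miUnavailable, dev).GetToken(ctx, CancellationToken.None);
        Console.WriteLine($"unavailable first link: token={token.Token}, devCalls={devCalls}");

        // Any other failure ends the chain; the developer credential is never tried.
        devCalls = 0;
        try { new ChainedTokenCredential(miProxyError, dev).GetToken(ctx, CancellationToken.None); }
        catch (AuthenticationFailedException ex)
        {
            Console.WriteLine($"failed first link: {ex.Message} (devCalls={devCalls})");
        }
    }
}
```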