Azure / azure-functions-python-worker

Python worker for Azure Functions.
http://aka.ms/azurefunctions
MIT License

Supporting Federated Credentials in Azure Functions #1644

Open anshuman-goel opened 2 months ago

anshuman-goel commented 2 months ago

Binding Type

Both

Expected Behavior

Currently, Azure Function triggers like Event Hub, Queue trigger, etc., support connection strings and Managed Identity. However, they do not support Federated Credentials, which inhibits writing an Azure Function in a different tenant from where the trigger is deployed.

For example, I cannot have an Event Hub triggered Azure Function in tenant A where Event Hub resides in tenant B.

JAdluri commented 1 month ago

Hello @anshuman-goel, could you please mention the steps to repro?

anshuman-goel commented 1 month ago

@JAdluri Please find the steps:

To reproduce the issue where Azure Function triggers do not support Federated Credentials, inhibiting the ability to write an Azure Function in a different tenant from where the trigger is deployed, follow these steps:

Steps to Reproduce

1. Set Up Azure Environment:
   • Ensure you have access to two Azure tenants: Tenant A and Tenant B.
   • In Tenant B, create an Event Hub namespace and an Event Hub.
2. Create an Azure Function in Tenant A:
   • In Tenant A, create a new Azure Function App.
   • Choose a Python runtime stack and create the function app.
3. Configure Event Hub Trigger:
   • In the Azure Function App in Tenant A, add a new function with an Event Hub trigger.
   • Attempt to configure the Event Hub trigger to connect to the Event Hub in Tenant B.
4. Connection String Configuration:
   • Use the connection string from the Event Hub in Tenant B to configure the Event Hub trigger in the Azure Function in Tenant A.
   • Verify that the connection string works and the function can be triggered by events in the Event Hub.
5. Attempt to Use Federated Credentials by using Managed Identity and Service Principal:
   • Create a Managed Identity and add it to the Function App.
   • Set up the Federated Credentials by creating a new App Registration and linking the above-created Managed Identity across the two tenants. Detailed steps on this are omitted for brevity.
   • Try to configure Federated Credentials for the Azure Function in Tenant A.
   • Attempt to use Federated Credentials to access the Event Hub in Tenant B.
   • Observe that there is no support for Federated Credentials in the Azure Function trigger configuration.

Expected Outcome

Actual Outcome

Conclusion

The issue is that Azure Function triggers like Event Hub, Queue trigger, etc., do not support Federated Credentials, which prevents cross-tenant configurations using Federated Credentials.
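The repro above contrasts the two trigger authentication styles that do work today: a raw connection string (step 4) and an identity-based connection (step 5). The following audit script is an added example for this thread, not code from the azure-functions-python-worker project or from the issue author. It classifies the app settings a trigger reads for its `connection` name, using the identity-based setting names the Functions host documents (`<prefix>__fullyQualifiedNamespace`, `<prefix>__credential`, `<prefix>__clientId`), and flags a long-lived `SharedAccessKey` stored in app settings, which is the trade-off of the connection-string path that currently is the only way to reach a namespace in another tenant. The sample settings, namespace names and client id are constructed placeholders.

```python
"""Audit the connection settings an Azure Functions trigger would use.

Added example for this issue thread (not project code). Settings values
below are constructed placeholders.
"""
from dataclasses import dataclass, field

# Identity-based connection suffixes recognised by the Functions host.
NAMESPACE_KEY = "fullyQualifiedNamespace"
CREDENTIAL_KEY = "credential"
CLIENT_ID_KEY = "clientId"


@dataclass
class ConnectionReport:
    prefix: str
    kind: str  # "connection-string" | "identity" | "missing" | "invalid"
    findings: list = field(default_factory=list)


def parse_connection_string(value: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict; values may themselves contain '='."""
    parts = {}
    for segment in value.split(";"):
        if not segment.strip():
            continue
        key, sep, val = segment.partition("=")
        if not sep:
            raise ValueError(f"malformed segment: {segment!r}")
        parts[key.strip()] = val.strip()
    return parts


def audit_connection(settings: dict, prefix: str) -> ConnectionReport:
    """Classify how the trigger whose connection name is `prefix` authenticates."""
    report = ConnectionReport(prefix=prefix, kind="missing")

    raw = settings.get(prefix)
    # Collect <prefix>__<suffix> settings, keyed by suffix.
    identity_keys = {
        k[len(prefix) + 2:]: v
        for k, v in settings.items()
        if k.startswith(prefix + "__")
    }

    if raw:
        report.kind = "connection-string"
        try:
            parts = parse_connection_string(raw)
        except ValueError as exc:
            report.kind = "invalid"
            report.findings.append(str(exc))
            return report
        if "SharedAccessKey" in parts:
            report.findings.append(
                "long-lived SharedAccessKey stored in app settings; "
                "rotation and revocation are manual"
            )
        if parts.get("SharedAccessKeyName") == "RootManageSharedAccessKey":
            report.findings.append(
                "namespace root policy used; prefer a least-privilege policy"
            )
        if identity_keys:
            report.findings.append(
                "both a connection string and identity settings are present; "
                "remove one to avoid ambiguity"
            )
        return report

    if identity_keys:
        report.kind = "identity"
        if NAMESPACE_KEY not in identity_keys:
            report.kind = "invalid"
            report.findings.append(f"{prefix}__{NAMESPACE_KEY} is required")
        cred = identity_keys.get(CREDENTIAL_KEY)
        if cred is not None and cred != "managedidentity":
            report.kind = "invalid"
            report.findings.append(f"unsupported credential value {cred!r}")
        if cred == "managedidentity" and CLIENT_ID_KEY not in identity_keys:
            report.findings.append(
                "credential=managedidentity without clientId uses the "
                "system-assigned identity"
            )
    return report


# Constructed sample app settings mirroring steps 4 and 5 of the repro.
SAMPLE_SETTINGS = {
    # Step 4: connection string copied from the Tenant B namespace (placeholder key).
    "EventHubConnection": (
        "Endpoint=sb://tenant-b-ns.servicebus.windows.net/;"
        "SharedAccessKeyName=RootManageSharedAccessKey;"
        "SharedAccessKey=PLACEHOLDER_KEY"
    ),
    # Step 5: identity-based settings for a user-assigned managed identity.
    "EventHubIdentity__fullyQualifiedNamespace": "tenant-b-ns.servicebus.windows.net",
    "EventHubIdentity__credential": "managedidentity",
    "EventHubIdentity__clientId": "00000000-0000-0000-0000-000000000000",
}

if __name__ == "__main__":
    for name in ("EventHubConnection", "EventHubIdentity"):
        r = audit_connection(SAMPLE_SETTINGS, name)
        print(name, r.kind, r.findings)
```

Run it against the settings exported from a Function App to see which triggers still depend on a shared access key. The identity-based form only covers a managed identity in the Function App's own tenant, which is exactly the gap this issue describes.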

JAdluri commented 1 month ago

@anshuman-goel Thank you for the detailed steps. Will let you know further.