Closed LumineLittlelight closed 11 months ago
Thanks for reaching out.
You are right, the cached credential is not accessible in a different instance of the app.
Could you share more details about your scenario?
Saving a (plain) token on disk may not be secure, and you need to take care of the token refreshing yourselves.
Hi @LumineLittlelight. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.
Yes, my scenario is that I want to perform passwordless access to CosmosDB via managed identity from a Function App. This Function App is triggered by an IoT Hub message. Each specific message will trigger one instance of the Function App. Initially we thought we could use the method of querying the access token via ManagedIdentityCredential and requesting the CosmosDB connection string in order to access the CosmosDB.
However, the caveat is that it will cause a lot of requests to the access token endpoint, which Azure may throttle. So we are rethinking how to cache the credential token in order to minimize the requests.
We don't have native support for this scenario. But of course, you can achieve it. Just need more code. :)
You can create and maintain your own managed identity credential object, use it to get the token and store the token in a central place, then disable the authentication policy in the pipeline and add the auth header yourself.
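The pattern the maintainer sketches above, as an added example that is not code from this thread, the Azure SDK, or its maintainers: one credential object per instance, a token stored in a central place (here a file every instance can read), refreshed before expiry, and the Authorization header built by hand. To run offline it uses a stand-in for ManagedIdentityCredential that only counts how often the token endpoint would be hit; the Cosmos DB scope `https://cosmos.azure.com/.default`, the `type=aad&ver=1.0&sig=<token>` header format and the cache file name are assumptions to verify against the Cosmos DB docs for your setup.

```python
"""Added example: file-backed token cache shared across Function App instances.
Not from the thread or the Azure SDK; the fake credential stands in for
azure.identity.ManagedIdentityCredential so the example runs offline."""
import json
import os
import tempfile
import threading
import time
import urllib.parse
from dataclasses import asdict, dataclass
from pathlib import Path
from typing import Optional

COSMOS_SCOPE = "https://cosmos.azure.com/.default"  # assumed data-plane scope
REFRESH_SKEW_SECONDS = 300  # refresh once under 5 minutes of lifetime remain


@dataclass
class AccessToken:
    """Same two fields as azure.core.credentials.AccessToken."""
    token: str
    expires_on: int


class FakeManagedIdentityCredential:
    """Offline stand-in: each get_token() models one call to the IMDS token endpoint."""

    def __init__(self, clock, name: str, lifetime: int = 3600):
        self.clock, self.name, self.lifetime, self.calls = clock, name, lifetime, 0

    def get_token(self, *scopes: str) -> AccessToken:
        self.calls += 1
        return AccessToken(f"{self.name}-tok-{self.calls}", int(self.clock()) + self.lifetime)


class SharedTokenCache:
    """Reads the shared file first; calls the credential only on a miss, a
    malformed file, or when the token is within REFRESH_SKEW_SECONDS of expiry.
    The file is created 0600 and replaced atomically, so concurrent readers see
    the old or the new token, never a partial write. A plaintext token at rest
    is still secret material: protect the path as you would a key file."""

    def __init__(self, credential, path: Path, scope: str = COSMOS_SCOPE, clock=time.time):
        self.credential, self.path, self.scope, self.clock = credential, Path(path), scope, clock
        self._lock = threading.Lock()  # serialises threads inside one instance

    def get_token(self) -> AccessToken:
        with self._lock:
            cached = self._read()
            if cached and cached.expires_on - self.clock() > REFRESH_SKEW_SECONDS:
                return cached
            fresh = self.credential.get_token(self.scope)
            self._write(fresh)
            return fresh

    def _read(self) -> Optional[AccessToken]:
        try:
            data = json.loads(self.path.read_text())
            return AccessToken(str(data["token"]), int(data["expires_on"]))
        except (OSError, ValueError, KeyError, TypeError):
            return None  # anything unreadable counts as a cache miss

    def _write(self, token: AccessToken) -> None:
        tmp = self.path.with_suffix(".tmp")
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            json.dump(asdict(token), f)
        os.replace(tmp, self.path)  # atomic on POSIX and Windows


def cosmos_auth_header(token: AccessToken) -> str:
    """Assumed Cosmos DB AAD header: URL-encoded 'type=aad&ver=1.0&sig=<token>'."""
    return urllib.parse.quote(f"type=aad&ver=1.0&sig={token.token}", safe="")


def demo(cache_dir: Optional[Path] = None) -> dict:
    """Two 'instances' with separate credentials share one cache file."""
    now = [1_700_000_000.0]

    def clock() -> float:
        return now[0]

    path = Path(cache_dir or tempfile.mkdtemp()) / "cosmos-token.json"
    cred_a, cred_b = FakeManagedIdentityCredential(clock, "a"), FakeManagedIdentityCredential(clock, "b")
    inst_a, inst_b = SharedTokenCache(cred_a, path, clock=clock), SharedTokenCache(cred_b, path, clock=clock)

    t1 = inst_a.get_token()  # miss: instance A hits the endpoint once
    t2 = inst_b.get_token()  # hit: instance B reads A's token from disk, no endpoint call
    now[0] += 3600 - 60      # advance to within the refresh window
    t3 = inst_b.get_token()  # near expiry: B refreshes once
    t4 = inst_a.get_token()  # A picks up B's fresh token
    return {
        "calls_a": cred_a.calls,
        "calls_b": cred_b.calls,
        "shared_first": t1.token == t2.token,
        "shared_refreshed": t3.token == t4.token and t3.token != t1.token,
        "header": cosmos_auth_header(t4),
    }


if __name__ == "__main__":
    print(demo())
```

Two instances that happen to refresh at the same moment will both call the endpoint; the atomic replace makes that harmless, and a cross-process file lock (or a single central store such as Key Vault or Redis) would remove even that duplication. In a real client, swap the fake for `ManagedIdentityCredential`, disable the SDK's bearer-token policy as the maintainer suggests, and set the header from `cosmos_auth_header` on each request.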
Hi @LumineLittlelight. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.
Understood. Thank you for the clarifications!
Hi,
May I ask some clarification on the concepts, please?
Based on this documentation reference below: https://github.com/Azure/azure-sdk-for-python/blob/azure-identity_1.15.0/sdk/identity/azure-identity/TOKEN_CACHING.md
I read that for Azure ManagedIdentityCredential, tokens are automatically cached in memory to minimize new requests and are accessible by different threads.
Is this credential cache accessible across different instances of app invocation? By right it should not be, right? We need to have on-disk caching to be accessed by different app invocation instances.
26177 This is based on a similar thread. Just want to clarify if an improvement has already been made to cater to this need.
Since persistent-disk caching is not supported, is there any recommended practice for doing on-disk caching for this ManagedIdentityCredential in a Function App?
Do we need to setup our own storage account to store it?
Thank you.