Azure / functions-action

Enable GitHub developers to deploy to Azure Function Apps using GitHub Actions
MIT License

AzureWebJobsStorage managed identity access is not supported #181

Closed rlaveycal closed 1 year ago

rlaveycal commented 1 year ago

I've got a Linux consumption plan function configured to use managed identity for access to the storage account, i.e. AzureWebJobsStorage is not set but AzureWebJobsStorage__credential, AzureWebJobsStorage__clientId and AzureWebJobsStorage__accountName are.

As per the docs, WEBSITE_RUN_FROM_PACKAGE_BLOB_MI_RESOURCE_ID is also set.

My workflow uses RBAC auth:

      - name: Azure Login
        uses: azure/login@v1
        with:
          client-id: ${{ vars.AZURE_CLIENT_ID }}
          tenant-id: xxx
          subscription-id: xxx

      - name: Run Azure Functions Action
        uses: Azure/functions-action@v1
        id: fa
        with:
          app-name: myfunc
          package: ./runners/webhook
          respect-funcignore: true

The action output is:

    Using RBAC for authentication, GitHub Action will perform resource validation.
    Successfully acquired site configs from function app!
    Detected function app sku: Consumption
    Warning: AzureWebJobsStorage does not exist in app settings (from Azure Resource Manager with RBAC credential). Please ensure the AzureWebJobsStorage app setting is configured as it is critical for function runtime. For more information, please visit the function app settings reference page: https://docs.microsoft.com/en-us/azure/azure-functions/functions-app-settings#azurewebjobsstorage
    Successfully acquired app settings from function app (RBAC)!
    Detected function app language: Node
    Will archive ./runners/webhook into /home/runner/work/_temp/temp_web_package_4548460205709315.zip as function app content
    Will use WEBSITE_RUN_FROM_PACKAGE to deploy since RBAC is detected and your function app is on Linux Consumption.
    Error: Execution Exception (state: PublishContent) (step: Invocation)
    Error:   At PublishContent, AzureWebjobsStorage : Failed to convert by semicolon delimeter.
    Error:     Cannot read properties of undefined (reading 'trim')
    Error:       TypeError: Cannot read properties of undefined (reading 'trim')
        at Function.GetAzureWebjobsStorage (/home/runner/work/_actions/Azure/functions-action/v1/lib/utils/parser.js:8:29)
        at Function.<anonymous> (/home/runner/work/_actions/Azure/functions-action/v1/lib/publishers/websiteRunFromPackageDeploy.js:41:45)
        at Generator.next (<anonymous>)
        at /home/runner/work/_actions/Azure/functions-action/v1/lib/publishers/websiteRunFromPackageDeploy.js:8:71
        at new Promise (<anonymous>)
        at __awaiter (/home/runner/work/_actions/Azure/functions-action/v1/lib/publishers/websiteRunFromPackageDeploy.js:4:12)
        at Function.getStorageCredential (/home/runner/work/_actions/Azure/functions-action/v1/lib/publishers/websiteRunFromPackageDeploy.js:37:16)
        at Function.<anonymous> (/home/runner/work/_actions/Azure/functions-action/v1/lib/publishers/websiteRunFromPackageDeploy.js:21:40)
        at Generator.next (<anonymous>)
        at /home/runner/work/_actions/Azure/functions-action/v1/lib/publishers/websiteRunFromPackageDeploy.js:8:71
    Error: Deployment Failed!

The code is obviously trying to parse AzureWebJobsStorage to obtain the name and access credentials of the storage account.

Instead it should:

  1. Use AzureWebJobsStorage__accountName to find the storage account
  2. Access that account via RBAC (not access keys) to upload the zip
  3. If WEBSITE_RUN_FROM_PACKAGE_BLOB_MI_RESOURCE_ID is set then set WEBSITE_RUN_FROM_PACKAGE without a SAS token.
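
A sketch of the settings resolution the three steps above ask for, as an added example that is not part of the original post and not the action's own code. The function names, the sample settings and the public-cloud blob endpoint suffix are assumptions.

```javascript
// Added example; function names are hypothetical, not the action's own code.

// Parse "Key=Value;Key=Value" without assuming the setting exists, which is
// the case that raised "Cannot read properties of undefined (reading 'trim')".
function parseConnectionString(raw) {
  if (typeof raw !== 'string' || raw.trim() === '') return null;
  const parts = {};
  for (const segment of raw.trim().split(';')) {
    const idx = segment.indexOf('=');
    if (idx <= 0) continue; // skip empty or malformed segments
    // Split on the first '=' only: base64 account keys end in '='.
    parts[segment.slice(0, idx).trim()] = segment.slice(idx + 1).trim();
  }
  return parts.AccountName && parts.AccountKey ? parts : null;
}

// Storage account names are 3-24 lowercase letters and digits; checking this
// before building a URL keeps a bad setting from redirecting the upload.
const ACCOUNT_NAME = /^[a-z0-9]{3,24}$/;

function resolveStorageAccess(settings) {
  const conn = parseConnectionString(settings.AzureWebJobsStorage);
  const accountName = conn
    ? conn.AccountName
    : String(settings.AzureWebJobsStorage__accountName ?? '').trim();
  if (!ACCOUNT_NAME.test(accountName)) {
    throw new Error('No usable AzureWebJobsStorage or AzureWebJobsStorage__accountName app setting');
  }
  return {
    mode: conn ? 'connection-string' : 'identity', // identity: upload via RBAC, no keys
    accountName,
    accountKey: conn ? conn.AccountKey : undefined, // secret: never log this
    // Assumption: public-cloud blob endpoint suffix.
    blobEndpoint: `https://${accountName}.blob.core.windows.net`,
    // Step 3 of the issue: with this setting the package URL needs no SAS token.
    sasFreePackageUrl: Boolean(settings.WEBSITE_RUN_FROM_PACKAGE_BLOB_MI_RESOURCE_ID),
  };
}

// Constructed app settings shaped like the configuration in the issue.
const identitySettings = {
  AzureWebJobsStorage__credential: 'managedidentity',
  AzureWebJobsStorage__clientId: '00000000-0000-0000-0000-000000000000',
  AzureWebJobsStorage__accountName: 'examplestore01',
  WEBSITE_RUN_FROM_PACKAGE_BLOB_MI_RESOURCE_ID: '<identity-resource-id-placeholder>',
};
```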

github-actions[bot] commented 1 year ago

This issue is idle because it has been open for 14 days with no activity.

patelchandni commented 1 year ago

Support enabled: https://github.com/Azure/functions-action/releases/tag/v1.5.1