Azure / static-web-apps

Azure Static Web Apps. For bugs and feature requests, please create an issue in this repo. For community discussions, latest updates, kindly refer to the Discussions Tab. To know what's new in Static Web Apps, visit https://aka.ms/swa/ThisMonth
https://aka.ms/swa
MIT License

Support Managed Identity #88

Open DarqueWarrior opened 4 years ago

DarqueWarrior commented 4 years ago

Are there plans to support managed identity for static web apps?

I wanted to use managed identity with static web apps like I do with websites or functions. I stored information in Key Vault and could not auth my static web app using a managed identity. I had to resort to using a service principal.

annaji-msft commented 4 years ago

@DarqueWarrior Could you elaborate a little more when you say used service principal? Was this on the client layer or the functions layer? I would assume you don't want to resolve secrets on the client side. Just trying to understand the context and scenarios where you would want to use Managed Identity besides functions.

DarqueWarrior commented 4 years ago

Sure! Yes, it was on the function side. I stored my CosmosDB connection string in Key Vault because I could not figure out how to create an input binding for CosmosDB in static web apps.

So after storing my connection string in Key Vault I wanted to auth my static web app with Key Vault. Without a managed identity I just used a service principal in the function to auth to Key Vault and grab my connection string.

rajyraman commented 3 years ago

I am having the same issue. On a standalone Azure Function, I can use managed identity to connect to CDS, but I am unclear on how to set this up in SWA api.

rajyraman commented 3 years ago

I ended up using EnvironmentCredential with client secret.

elliott-with-the-longest-name-on-github commented 3 years ago

I'll readily add my vote to this -- it would be nice to support Managed Identity on the Azure Functions side, as I'd prefer to authorize the managed identity access to my Azure SQL DB than have to create a login and provide the creds through a connection string.

arambazamba commented 3 years ago

Secretless config using managed identity would be a great feature.

demo4life commented 3 years ago

Maybe you can vote here: https://feedback.azure.com/forums/34192--general-feedback/suggestions/43528497-pricipal-id-static-web-app

anthonychu commented 3 years ago

Thanks. Currently our guidance is to use the bring your own function app feature if you need managed identity in your function app. We do want to bring this to Static Web Apps’ built-in managed functions at some point but do not have an ETA.

turdwaster commented 1 year ago

@anthonychu Any update on the plan for this? Not being able to access a key vault from a managed function despite the SWA having an identity is really unproductive.

hansmbakker commented 1 year ago

This is not only about Key Vault - it is also about authenticating Azure Functions against a CosmosDB instance without needing secret management for example.

@anthonychu - this feature would really make working with the Static Web App's Managed Functions much nicer - at the moment it feels like the Managed Functions are a restricted feature and it's not clear what use case it's meant for when bring-your-own Functions are available? Since Functions are an integration component they will need a connection to other components in most of the cases and having managed identity support would really make that much better.

anthonychu commented 1 year ago

+ @Reshmi-Sriram

hansmbakker commented 1 year ago

This is not only about Key Vault - it is also about authenticating Azure Functions against a CosmosDB instance without needing secret management for example. This feature would really make working with the Static Web App's Managed Functions much nicer - at the moment it feels like the Managed Functions are a restricted feature and it's not clear what use case it's meant for when bring-your-own Functions are available? Since Functions are an integration component they will need a connection to other components in most of the cases and having managed identity support would really make that much better.

@Reshmi-Sriram can you answer this?

Reshmi-Sriram commented 1 year ago

Hey @hansmbakker, Thank you for the inputs! We have taken them into consideration and the engineering team has triaged this feature ask. We do not have a solid timeline yet, but expect to hear back from us regarding the status in another 2-3 months. Thanks!

hansmbakker commented 1 year ago

@Reshmi-Sriram thank you, looking forward to your update!

hansmbakker commented 1 year ago

@Reshmi-Sriram I saw the SWA database connections feature and would like to understand whether that is the direction you were looking at to cover this feature request, or that you are looking at something else?

I saw this feature does support using a Managed Identity to connect to a database. However, I cannot understand from the documentation whether the SWA database connection feature is possible to be used from the Managed Functions in a secure way, or that it is meant to be used only from the frontend code using an authenticated user's context?

I'm afraid the SWA database connection feature does not cover the feature request of this issue (using a Managed Identity in general, from Managed Functions), and I hope generic support for Managed Identity will be added to Managed Functions in SWA.

Reshmi-Sriram commented 1 year ago

Hi @hansmbakker, You're right. This is a parallel feature we have worked on, and in no way means to close this ticket. Like I mentioned, the engineering team is currently triaging the support for Managed Identity in Managed Functions, and we expect to give updates only in 2-3 months timeline. Please wait to hear more from us, but we're definitely looking into this! cc// @thomasgauvin @mkarmark

hansmbakker commented 1 year ago

Hi @Reshmi-Sriram, thank you for clarifying this!

And the database connection feature is definitely a very useful feature for quickly scaffolding an API layer over people's databases!

foundify commented 10 months ago

Hello, any updates regarding managed identity with managed functions in SWA?

LuKePicci commented 7 months ago

Would love to get news on this. We need to authenticate SWA managed functions against Logic Apps.

hansmbakker commented 5 months ago

@Reshmi-Sriram is the update you planned to give available somewhere?

thomasgauvin commented 5 months ago

Hey folks, providing an update on this thread, managed identity support is planned for end of 2024 due to some architectural work required to support this since this is a global service.

Chizaruu commented 1 month ago

I will wait patiently.

No Managed Functions identity support sucks when trying to access multiple databases, especially when using SvelteKit. (No BYO Functions for me :c)