Azure / static-web-apps

Azure Static Web Apps. For bugs and feature requests, please create an issue in this repo. For community discussions, latest updates, kindly refer to the Discussions Tab. To know what's new in Static Web Apps, visit https://aka.ms/swa/ThisMonth
https://aka.ms/swa
MIT License
333 stars 57 forks source link

Support Managed Identity #88

Open DarqueWarrior opened 4 years ago

DarqueWarrior commented 4 years ago

Are there plans to support managed identity for static web apps?

I wanted to use managed identity with static web apps like I do with websites or functions. I stored information in Key Valut and could not auth my static web app using a managed identity. I had to resort to using a service principal.

annaji-msft commented 4 years ago

@DarqueWarrior Could you elaborate a little more when you say used service principal. Was this on the client layer or the functions layer. I would assume you don't want to resolve secrets on the client side. Just trying to understand the context and scenarios where you would want to use Managed Identity besides functions.

DarqueWarrior commented 4 years ago

Sure! Yes, it was on the function side. I stored my CosmosDB connection string in Key Vault because I could not figure out how to create an input binding for CosmosDB in static web apps.

So after storing my connection string in Key Vault I wanted to auth my static web app with Key Vault. Without an managed identity I just used a service principal in the function to auth to Key Vault and grab my connection string.

rajyraman commented 4 years ago

I am having the same issue. On a standalone Azure Function, I can use managed identity to connect to CDS, but I am unclear on how to set this up in SWA api.

rajyraman commented 4 years ago

I ended up using EnvironmentCredential with client secret.

elliott-with-the-longest-name-on-github commented 3 years ago

I'll readily add my vote to this -- it would be nice to support Managed Identity on the Azure Functions side, as I'd prefer to authorize the managed identity access to my Azure SQL DB than have to create a login and provide the creds through a connection string.

alexander-kastil commented 3 years ago

Secret less config using managed identity would be a great feature

demo4life commented 3 years ago

Maybe you can vote here: https://feedback.azure.com/forums/34192--general-feedback/suggestions/43528497-pricipal-id-static-web-app

anthonychu commented 3 years ago

Thanks. Currently our guidance is to use the bring your own function app feature if you need managed identity in your function app. We do want to bring this to Static Web Apps’ built-in managed functions at some point but do not have an ETA.

turdwaster commented 2 years ago

@anthonychu Any update on the plan for this? Not being able to access a key vault from a managed function despite the SWA having an identity is really unproductive.

hansmbakker commented 1 year ago

This is not only about Key Vault - it is also about authenticating Azure Functions against a CosmosDB instance without needing secret management for example.

@anthonychu - this feature would really make working with the Static Web App's Managed Functions much nicer - at the moment it feels like the Managed Functions are a restricted feature and it's not clear what usecase it's meant for when bring-your-own Functions are available? Since Functions are an integration component they will need a connection to other components in most of the cases and having managed identity support would really make that much better.

anthonychu commented 1 year ago

+ @Reshmi-Sriram

hansmbakker commented 1 year ago

This is not only about Key Vault - it is also about authenticating Azure Functions against a CosmosDB instance without needing secret management for example. This feature would really make working with the Static Web App's Managed Functions much nicer - at the moment it feels like the Managed Functions are a restricted feature and it's not clear what usecase it's meant for when bring-your-own Functions are available? Since Functions are an integration component they will need a connection to other components in most of the cases and having managed identity support would really make that much better.

@Reshmi-Sriram can you answer this?

Reshmi-Sriram commented 1 year ago

Hey @hansmbakker, Thank you for the inputs! We have taken them into consideration and the engineering team has triaged this feature ask. We do not have a solid timeline yet, but expect to hear back from us regarding the status in another 2-3 months. Thanks!

hansmbakker commented 1 year ago

@Reshmi-Sriram thank you, looking forward to your update!

hansmbakker commented 1 year ago

@Reshmi-Sriram I saw the SWA database connections feature and would like to understand whether that is the direction you were looking at to cover this feature request, or that you are looking something else?

I saw this feature does support using a Managed Identity to connect to a database. However, I cannot understand from the documentation whether the SWA database connection feature is possible to be used from the Managed Functions in a secure way. or that it is meant to be used only from the frontend code using an authenticated user's context?

I'm afraid the SWA database connection feature does not cover the feature request of this issue (using a Managed Identity in general, from Managed Functions), and I hope generic support for Managed Identity will be added to Managed Functions in SWA.

Reshmi-Sriram commented 1 year ago

Hi @hansmbakker, You're right. This is a parallel feature we have worked on, and in no way means to close this ticket. Like I mentioned, the engineering team is currently triaging the support for Managed Identity in Managed Functions, and we expect to give updates only in 2-3 months timeline. Please wait to hear more from us, but we're definitely looking into this! cc// @thomasgauvin @mkarmark

hansmbakker commented 1 year ago

Hi @Reshmi-Sriram, thank you for clarifying this!

And the database connection feature is definitely a very useful feature for quickly scaffolding an API layer over people's databases!

foundify commented 1 year ago

Hello, any updates regarding managed identity with managed functions in SWA?

LuKePicci commented 12 months ago

Would love to get news on this. We need to authenticate SWA managed functions against Logic Apps.

hansmbakker commented 10 months ago

@Reshmi-Sriram is the update you planned to give available somewhere?

thomasgauvin commented 10 months ago

Hey folks, providing an update on this thread, managed identity support is planned for end of 2024 due to some architectural work required to support this since this is a global service.

Chizaruu commented 6 months ago

I will wait patiently.

No Managed Functions identity support sucks when trying to access multiple databases, especially when using SvelteKit. (No BYO Functions for me :c)

jrblanno commented 1 month ago

It would be amazing to use Managed identities in SWA :(