CompositionalIT / farmer

Repeatable Azure deployments with ARM templates - made easy!
https://compositionalit.github.io/farmer
MIT License
523 stars, 157 forks

Turn on System Identity on App Service and Functions by default #591

Open isaacabraham opened 3 years ago

isaacabraham commented 3 years ago

We should consider simply turning on identity by default for App Service and Functions. There's (as far as I'm aware) no real cost to doing this, and it would make things easier for the default use case.

We could / should replace this with the ability to turn it on / off with a boolean argument instead.
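For readers unfamiliar with what the proposal changes, here is an added example (not code from the thread or from the Farmer project itself) showing the explicit opt-in that Farmer's `webApp` and `functions` builders expose through their `system_identity` custom operation; the issue proposes making this the default behaviour rather than something each deployment has to ask for. The resource names are placeholders, and the script assumes the `Farmer` NuGet package is available.

```fsharp
#r "nuget: Farmer"
open Farmer
open Farmer.Builders

// An App Service with a system-assigned managed identity. With the identity
// on, the app can authenticate to Key Vault, Storage, SQL and so on through
// Azure AD instead of carrying connection strings or client secrets in its
// settings. The name is a placeholder.
let webAppWithIdentity = webApp {
    name "placeholder-web-app"
    system_identity
}

// The same opt-in on a Functions app. The name is a placeholder.
let functionsWithIdentity = functions {
    name "placeholder-functions-app"
    system_identity
}

// Compose both into a deployment. Nothing here talks to Azure.
let deployment = arm {
    location Location.NorthEurope
    add_resource webAppWithIdentity
    add_resource functionsWithIdentity
}

// Write the ARM template to a local JSON file so the generated
// "identity": { "type": "SystemAssigned" } block on each resource can be
// reviewed (for example in a pull request) before anything is deployed.
deployment |> Writer.quickWrite "identity-demo"
```

Running the script with `dotnet fsi` produces `identity-demo.json`; the `identity` block on each `Microsoft.Web/sites` resource is the only difference from a deployment that omits `system_identity`. The Azure AD object limit raised later in this thread is worth keeping in mind when reviewing such templates: every resource that carries that block creates a directory object on deployment.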

isaacabraham commented 3 years ago

@ninjarobot I note that Container Service and Container Group also have support for managed identity. Should we turn them on here, too?

ninjarobot commented 3 years ago

@isaacabraham I ran into a little problem that may affect this. There is a limit on the number of Azure AD resources a single user can create - 250. Once you delete them, it still takes 30 days for them to stop counting against this limit. We actually ran into that internally, which makes me a little worried about this being the default. Frequently creating and deleting resources that default to this would mean they hit this unintentionally.

I bring this up because @admodras actually hit this internally while doing environment buildouts and it wasn't a simple process to increase that limit.

isaacabraham commented 3 years ago

Ouch. And that includes system identity accounts?

I think that, if indeed the Azure team want to get people to start moving over to managed identity instead of using secrets in the future, someone will need to revisit this limit :-)