Conversation


@bachuv bachuv commented Aug 15, 2025

This PR adds support for managed identity for publishing events to Event Grid.

I tested this by publishing Durable Functions events to Event Grid and then sending those events to an Azure Storage Queue.

For context, customers currently specify the event grid topic key through host.json and local.settings.json (https://learn.microsoft.com/en-us/azure/azure-functions/durable/durable-functions-event-publishing?tabs=csharp-script):

  • host.json
{
  "version": "2.0",
  "extensions": {
    "durableTask": {
      "notifications": {
        "eventGrid": {
          "topicEndpoint": "https://<topic_name>.westus2-1.eventgrid.azure.net/api/events",
          "keySettingName": "EventGridKey"
        }
      }
    }
  }
}
  • local.settings.json
{
    "IsEncrypted": false,
    "Values": {
        "AzureWebJobsStorage": "UseDevelopmentStorage=true",
        "EventGridKey": "<topic_key>"
    }
}

This PR adds the following configuration support.

System Assigned Managed identity configuration:

App Settings

  • Add EventGrid__topicEndpoint app setting with the value as the Event Grid topic endpoint

Configuration

  • Turn on system assigned identity for the function app
  • In the event grid topic resource, give the function app the EventGrid Data Sender role.

User Assigned Managed identity configuration:

App Settings

  • Add EventGrid__topicEndpoint app setting with the value as the Event Grid topic endpoint
  • Add EventGrid__credential app setting with the value managedidentity
  • Add EventGrid__clientId app setting with the value of the user assigned managed identity client ID.

Configuration

  • Create a user assigned managed identity (uami)
  • Attach the uami to the function app resource (in the Identity section)
  • Attach the uami to the event grid topic resource (in the Identity section)
  • Create an event grid subscription and enable managed identity with the uami
  • In the event grid topic resource, assign the EventGrid Data Sender role to the uami
  • (If publishing events from the event grid to an Azure Storage queue) In the Azure Storage resource, assign the Storage Queue Data Message Sender role to the uami

Resolves #2924

Pull request checklist

  • My changes do not require documentation changes
    • Otherwise: Documentation PR is ready to merge and referenced in pending_docs.md
  • My changes should not be added to the release notes for the next release
    • Otherwise: I've added my notes to release_notes.md
  • My changes do not need to be backported to a previous version
    • Otherwise: Backport tracked by issue/PR #issue_or_pr
  • I have added all required tests (Unit tests, E2E tests)
  • My changes do not require any extra work to be leveraged by OutOfProc SDKs
    • Otherwise: That work is being tracked here: #issue_or_pr_in_each_sdk
  • My changes do not change the version of the WebJobs.Extensions.DurableTask package
    • Otherwise: major or minor version updates are reflected in /src/Worker.Extensions.DurableTask/AssemblyInfo.cs
  • My changes do not add EventIds to our EventSource logs
    • Otherwise: Ensure the EventIds are within the supported range in our existing Windows infrastructure. You may validate this with a deployed app's telemetry. You may also extend the range by completing a PR such as this one.
  • My changes should be added to v2.x branch.
    • Otherwise: This change applies exclusively to WebJobs.Extensions.DurableTask v3.x. It will be retained only in the dev and main branches and will not be merged into the v2.x branch.

@bachuv bachuv requested a review from nytian September 4, 2025 16:24
@bachuv bachuv requested a review from sophiatev September 9, 2025 20:54

@nytian nytian left a comment


Thanks for the PR! Left a comment. Also, can you remove those alerts about the PR? And have we done any e2e testing on Azure about msi?

@bachuv bachuv requested a review from cgillum September 15, 2025 20:57

@cgillum cgillum left a comment


I'm concerned about the large code churn in the latest iteration. I'm also concerned about the potential complexities and dangers of caching tasks, which have caused major outages for customers in other contexts.

Can we explore a simpler solution, such as keeping initialization as it was before, but calling SetUpAuthenticationAsync() inside an existing async method that we always run, such as inside the StartTaskHubWorkerIfNotStartedAsync() method?

@bachuv bachuv requested a review from cgillum September 16, 2025 23:33
@bachuv bachuv requested a review from cgillum September 17, 2025 16:33
defaultAzureCredentialOptions.ManagedIdentityClientId = this.Options.ClientId;
}

defaultCredential = this.Options == null ? new DefaultAzureCredential() : new DefaultAzureCredential(defaultAzureCredentialOptions); // CodeQL [SM05137] Use DefaultAzureCredential explicitly for local development and is decided by the user
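Review bot: `this.Options.ClientId` is dereferenced on the first line, but the null guard `this.Options == null` only appears in the ternary on the last line; that dereference is safe only if the block closed by the `}` shown already tests `this.Options` for null, and if it does not, the assignment can throw before the guard is ever reached. A smaller style point: the trailing `// CodeQL [SM05137] ...` justification makes the assignment hard to read; placing it on its own line above the statement keeps the suppression while leaving the code scannable.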

One change we should consider in the future is the ability to choose a credential type other than DefaultAzureCredential. This credential type is convenient but can cause problems or unexpected behavior in some setups because it may not always choose to use managed identity, even if managed identity is available.
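
As an added illustration of the configuration described in the PR body (topic key via host.json, system-assigned identity via EventGrid__topicEndpoint, user-assigned identity via EventGrid__credential and EventGrid__clientId) and of the credential-choice concern in the comment above, the following C# is example code written here, not code from this PR or from the Durable Functions extension. The type and method names (EventGridAuthMode, EventGridAuth, ResolveAuth, CreateClient, CreateDefaultCredentialAsInPr, RequireHttps) are assumptions, the sample settings are constructed placeholders, and the rejection of a stray EventGrid__clientId is a check added in this example rather than behaviour the page attributes to the extension. It uses the Azure.Identity and Azure.Messaging.EventGrid packages and contrasts an explicit ManagedIdentityCredential with the DefaultAzureCredential chain used in the PR.

```csharp
// Example only: resolves the Event Grid publishing settings from the PR description
// into one of three authentication modes and builds a publisher client with the
// narrowest credential for that mode. Not code from the PR or the extension.
using System;
using System.Collections.Generic;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Messaging.EventGrid;

public enum EventGridAuthMode { TopicKey, SystemAssignedIdentity, UserAssignedIdentity }

// The resolved mode; the topic key itself is deliberately not carried here so it
// cannot end up in logs when this record is printed.
public sealed record EventGridAuth(EventGridAuthMode Mode, Uri TopicEndpoint, string? ClientId);

public static class EventGridCredentialResolver
{
    // appSettings: the function app's settings (local.settings.json "Values" or App Settings).
    // hostJsonTopicEndpoint / hostJsonKeySettingName: the host.json eventGrid values.
    public static EventGridAuth ResolveAuth(
        IReadOnlyDictionary<string, string> appSettings,
        string? hostJsonTopicEndpoint,
        string? hostJsonKeySettingName)
    {
        // Identity path: EventGrid__topicEndpoint is present.
        if (appSettings.TryGetValue("EventGrid__topicEndpoint", out string? identityEndpoint))
        {
            Uri endpoint = RequireHttps(identityEndpoint);
            appSettings.TryGetValue("EventGrid__credential", out string? credential);
            appSettings.TryGetValue("EventGrid__clientId", out string? clientId);

            if (string.Equals(credential, "managedidentity", StringComparison.OrdinalIgnoreCase))
            {
                if (string.IsNullOrWhiteSpace(clientId))
                    throw new InvalidOperationException("EventGrid__credential=managedidentity requires EventGrid__clientId.");
                return new EventGridAuth(EventGridAuthMode.UserAssignedIdentity, endpoint, clientId);
            }
            if (credential is not null)
                throw new InvalidOperationException($"Unsupported EventGrid__credential value '{credential}'.");
            // Assumed check (not from the page): a client ID without credential=managedidentity
            // would be silently ignored, which usually means the operator misconfigured the app.
            if (!string.IsNullOrWhiteSpace(clientId))
                throw new InvalidOperationException("EventGrid__clientId is set but EventGrid__credential is not 'managedidentity'.");
            return new EventGridAuth(EventGridAuthMode.SystemAssignedIdentity, endpoint, null);
        }

        // Key path: host.json topicEndpoint plus keySettingName naming an app setting.
        if (hostJsonTopicEndpoint is not null && hostJsonKeySettingName is not null
            && appSettings.TryGetValue(hostJsonKeySettingName, out string? key)
            && !string.IsNullOrWhiteSpace(key))
        {
            return new EventGridAuth(EventGridAuthMode.TopicKey, RequireHttps(hostJsonTopicEndpoint), null);
        }

        throw new InvalidOperationException("No Event Grid publishing configuration found.");
    }

    // Narrowest credential per mode: ManagedIdentityCredential never falls back to
    // environment variables or developer-tool logins, unlike DefaultAzureCredential.
    public static EventGridPublisherClient CreateClient(EventGridAuth auth, string? topicKey = null)
    {
        switch (auth.Mode)
        {
            case EventGridAuthMode.TopicKey:
                if (string.IsNullOrWhiteSpace(topicKey))
                    throw new ArgumentException("Topic key required for TopicKey mode.", nameof(topicKey));
                return new EventGridPublisherClient(auth.TopicEndpoint, new AzureKeyCredential(topicKey));
            case EventGridAuthMode.UserAssignedIdentity:
                return new EventGridPublisherClient(auth.TopicEndpoint, new ManagedIdentityCredential(auth.ClientId));
            default:
                return new EventGridPublisherClient(auth.TopicEndpoint, new ManagedIdentityCredential());
        }
    }

    // The PR's approach, for comparison: DefaultAzureCredential probes several
    // sources in order (environment, workload identity, managed identity, developer
    // tools), so the effective identity depends on what else is present on the host.
    public static TokenCredential CreateDefaultCredentialAsInPr(string? clientId)
    {
        var options = new DefaultAzureCredentialOptions();
        if (clientId is not null) options.ManagedIdentityClientId = clientId;
        return new DefaultAzureCredential(options);
    }

    private static Uri RequireHttps(string value)
    {
        if (!Uri.TryCreate(value, UriKind.Absolute, out Uri? uri) || uri.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException($"Topic endpoint must be an absolute https URL: '{value}'.");
        return uri;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample settings with placeholder values; no real resources involved.
        const string Endpoint = "https://example-topic.westus2-1.eventgrid.azure.net/api/events";
        var samples = new Dictionary<string, IReadOnlyDictionary<string, string>>
        {
            ["key"] = new Dictionary<string, string> { ["EventGridKey"] = "placeholder-topic-key" },
            ["system"] = new Dictionary<string, string> { ["EventGrid__topicEndpoint"] = Endpoint },
            ["user"] = new Dictionary<string, string>
            {
                ["EventGrid__topicEndpoint"] = Endpoint,
                ["EventGrid__credential"] = "managedidentity",
                ["EventGrid__clientId"] = "00000000-0000-0000-0000-000000000000",
            },
            ["broken"] = new Dictionary<string, string>
            {
                ["EventGrid__topicEndpoint"] = Endpoint,
                ["EventGrid__clientId"] = "00000000-0000-0000-0000-000000000000",
            },
        };
        foreach (var (name, settings) in samples)
        {
            try
            {
                EventGridAuth auth = EventGridCredentialResolver.ResolveAuth(settings, Endpoint, "EventGridKey");
                Console.WriteLine($"{name}: {auth.Mode} -> {auth.TopicEndpoint.Host}");
            }
            catch (InvalidOperationException ex)
            {
                Console.WriteLine($"{name}: rejected ({ex.Message})");
            }
        }
    }
}
```

Constructing the clients performs no network call, so the resolver can run in a startup health check; the first token request happens on the first publish. The "broken" sample shows why the extra check matters: with DefaultAzureCredential the stray client ID would be applied to the managed-identity step of the chain, while with the explicit mapping above the operator gets an error at startup instead of a confusing 403 at publish time.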

@bachuv bachuv merged commit 5d80e7d into dev Sep 18, 2025
16 checks passed
@bachuv bachuv deleted the vabachu/event-grid-managed-identity branch September 18, 2025 16:44
Successfully merging this pull request may close these issues.

Support managed identity for Event Grid notifications