Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Errors and warnings when using identity-based connections in bindings #2755

Closed
mattchenderson opened this issue Oct 8, 2021 · 2 comments
Closed

Errors and warnings when using identity-based connections in bindings #2755

mattchenderson opened this issue Oct 8, 2021 · 2 comments
Assignees
@michaelpeng36
Milestone
Triaged

Comments

@mattchenderson
Copy link
Contributor

mattchenderson commented Oct 8, 2021
edited
Loading

Identity-based connections are still not honored except when used for AzureWebJobsStorage.

Repro Steps

  1. Run func init --worker-runtime node
  2. Modify host.json to use the preview extension bundle:
{
  "version": "2.0",
  "logging": {
    "applicationInsights": {
      "samplingSettings": {
        "isEnabled": true,
        "excludedTypes": "Request"
      }
    }
  },
  "extensionBundle": {
    "id": "Microsoft.Azure.Functions.ExtensionBundle.Preview",
    "version": "[3.*, 4.0.0)"
  }
}
  1. Run func new -t "Azure Blob Storage Trigger" -n BlobTrigger
  2. Update the default connection in function.json for the blob trigger:
{
  "bindings": [
    {
      "name": "myBlob",
      "type": "blobTrigger",
      "direction": "in",
      "path": "samples-workitems/{name}",
      "connection": "mystorage"
    }
  ]
}
  1. Add the identity-based connection to local.settings.json:
{
  "IsEncrypted": false,
  "Values": {
    "FUNCTIONS_WORKER_RUNTIME": "node",
    "AzureWebJobsStorage": "UseDevelopmentStorage=true",
    "mystorage__accountName": "MY_STORAGE_ACCOUNT_NAME"
  }
}

I had previously assigned myself the Storage Blob Data Owner role over the storage account represented by "MY_STORAGE_ACCOUNT_NAME". So in a local development context with the above configuration, the app should be able to read and write.

  1. Run func host start

Here's what I get:

Azure Functions Core Tools
Core Tools Version: 3.0.3785 Commit hash: db6fe71b2f05d09757179d5618a07bba4b28826f (64-bit)
Function Runtime Version: 3.2.0.0

Warning: Cannot find value named 'mystorage' in local.settings.json that matches 'connection' property set on 'blobTrigger' in 'PATH_OBFUSCATED\BlobTrigger1\function.json'. You can run 'func azure functionapp fetch-app-settings <functionAppName>' or specify a connection string in local.settings.json.
[2021-10-08T17:35:48.650Z] There was an error performing a read operation on the Blob Storage Secret Repository. Please ensure the 'AzureWebJobsStorage' connection string is valid.
[2021-10-08T17:35:48.943Z] A host error has occurred during startup operation '784aa661-69e8-4a39-8181-854c467d9dba'.
[2021-10-08T17:35:48.950Z] Microsoft.Azure.WebJobs.Script.WebHost: Could not create BlobContainerClient.
[2021-10-08T17:35:49.031Z] There was an error performing a read operation on the Blob Storage Secret Repository. Please ensure the 'AzureWebJobsStorage' connection string is valid.
Value cannot be null. (Parameter 'provider')

Discussion

That error seems to come from here:

azure-functions-core-tools/src/Azure.Functions.Cli/Actions/HostActions/StartHostAction.cs

Lines 428 to 429 in 5e114c9

.WriteLine(WarningColor($"Warning: Cannot find value named '{appSettingName}' in {SecretsManager.AppSettingsFileName} that matches '{token.Key}' property set on '{binding["type"]?.ToString()}' in '{filePath}'. " +
$"You can run 'func azure functionapp fetch-app-settings <functionAppName>' or specify a connection string in {SecretsManager.AppSettingsFileName}."));

It's really odd to me that the secret repository error is triggered by that. Removal of the BlobTrigger is sufficient to make that go away, so it seems like some kind of an exception catching issue - I didn't look into that, though.

There is a StorageConnectionExists() method that we use only to check on AzureWebJobsStorage earlier, but it is not applied to the binding connections. This was added in response to #2552. I did confirm that I could set AzureWebJobsStorage__accountName to a storage account, run it locally, and that everything worked (including timer trigger locks being taken on the blob).

I do have some minor concerns about Storage-specific behavior being included here in general. This behavior also needs to hold for Service Bus, Event Hubs, Cosmos, etc. The method seems like it's sufficiently generic aside from the name. But we do need to call it from the binding loop.

CC @cachai2 (and thanks for help identify and assembling this info)
@apawast apawast added this to the Triaged milestone Oct 12, 2021
@fabiocav
Copy link
Member

@AnatoliB @michaelpeng36 is this something you'd be able to look at? This is flagged as a GA requirement for the Track 2 extensions.

@michaelpeng36 michaelpeng36 mentioned this issue Oct 15, 2021
Merged
@michaelpeng36
Copy link
Contributor

Resolved by #2768 in v3.x and #2775 in v4.x

@ghost ghost locked as resolved and limited conversation to collaborators Nov 20, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@michaelpeng36 michaelpeng36

Labels
None yet
Projects
None yet
Milestone
Triaged
Development

No branches or pull requests
4 participants
@fabiocav @mattchenderson @michaelpeng36 @apawast