Update SignalR Functions extension to support Azure.Identity #238

Closed
jongio opened this issue May 28, 2021 · 21 comments

@jongio
Member

jongio commented May 28, 2021

Right now the only way to connect to SignalRService is via connection string, which causes the developer to have to store the connection string in a secret store.

The SignalR service supports managed identity.

We should update the SignalRService binding to also support Azure Identity.

Tracking issue: Azure/azure-sdk-for-net#21446

@Y-Sindo
Member

Y-Sindo commented Jun 7, 2021

You can use an AAD connection string in the SignalR Service binding. See
"Authenticate a managed identity with Azure Active Directory to access Azure SignalR Resources".
Does this satisfy your need?

@jongio
Member Author

jongio commented Jun 7, 2021

No, that only gets me Managed Identity support. With Azure.Identity we get much more than that, including all of the credential types derived from TokenCredential, AzureCliCredential, etc.

Have a look at the new extensions for Event Grid, Event Hub, Service Bus and Storage for implementation ideas.

@Y-Sindo
Member

Y-Sindo commented Jun 24, 2021

Is creating a TokenCredential from IConfiguration the key point in supporting Azure.Identity in function extensions?
Like the code in Event Hub, which accepts a connection string or a fullyQualifiedNamespace+TokenCredential as the connection information.
https://github.com/Azure/azure-sdk-for-net/blob/d0f4b8be10d9d354353c4bdd6f82d577e3f1f61a/sdk/eventhub/Microsoft.Azure.WebJobs.Extensions.EventHubs/src/Config/EventHubClientFactory.cs#L188-L232

@jongio
Member Author

jongio commented Jun 24, 2021

@pakrym @JoshLove-msft Could you please provide @Y-Sindo with guidance on how to implement Azure.Identity for the SignalR extension?

Should they also look at moving it into the mono-repo?

@JoshLove-msft
Member

> Is creating a TokenCredential from IConfiguration the key point in supporting Azure.Identity in function extensions?
> Like the code in Event Hub, which accepts a connection string or a fullyQualifiedNamespace+TokenCredential as the connection information.
> https://github.com/Azure/azure-sdk-for-net/blob/d0f4b8be10d9d354353c4bdd6f82d577e3f1f61a/sdk/eventhub/Microsoft.Azure.WebJobs.Extensions.EventHubs/src/Config/EventHubClientFactory.cs#L188-L232

Yes, you just need to create and use the TokenCredential based on the IConfiguration.

@JoshLove-msft
Member

> Should they also look at moving it into the mono-repo?

@AlexGhiondea what do you think about moving the SignalR extension to the mono repo?

@pakrym

pakrym commented Jun 25, 2021

I think moving makes a lot of sense. Other extensions are there, free infrastructure is there.

@jongio
Member Author

jongio commented Aug 17, 2021

@Y-Sindo - Do you own this? Would like to discuss. Thanks

@Y-Sindo
Member

Y-Sindo commented Aug 17, 2021

@jongio Sure, already pinged you on Teams.

@drdamour

tested this out, seems to work for sends. should add to list at https://docs.microsoft.com/en-us/azure/azure-functions/functions-reference#connection-properties and related signalr docs.

@drdamour

i'm new to signalr and this specific function binding extension, but i am somewhat randomly getting

```
System.Private.CoreLib: Exception while executing function: SignalrSend. Microsoft.Azure.SignalR.Common: Azure SignalR service runtime error. Request Uri: https://xxx.service.signalr.net/api/v1/hubs/xxx/users/12345. Response status code does not indicate success: 500 (Internal Server Error)
```

not sure if this is identity related, but seems like random failures would be reported elsewhere.

seemingly happens after i don't do anything for a few minutes with signalr, a subsequent send immediately after seems to work.

this is running local with a VS provided credential. i see no entries in the live trace tool.

@Y-Sindo
Member

Y-Sindo commented Sep 27, 2021

@drdamour Thanks for your testing. Could you give me your SignalR resource ID and a time span when the error occurred so that we could investigate the issue? If your resource ID contains sensitive information, you could send it to this email: zityang AT microsoft.com

@drdamour

usos1sig01-advisor-test and the errors 9/24 2pm - 6 pm MT

@drdamour

drdamour commented Oct 6, 2021

@Y-Sindo any luck figuring out a cause?

@drdamour

drdamour commented Oct 6, 2021

just got it again MT

```
[2021-10-06T03:21:00.804Z] Executed 'SignalrSend' (Failed, Id=9e4d933e-066f-4e91-98d7-a3c3efeadb74, Duration=15535ms)
[2021-10-06T03:21:00.806Z] System.Private.CoreLib: Exception while executing function: SignalrSend. Microsoft.Azure.SignalR.Common: Azure SignalR service runtime error. Request Uri: https://usos1sig01-advisor-test.service.signalr.net/api/v1/hubs/advisornotificationhub/users/1245. Response status code does not indicate success: 500 (Internal Server Error).
```

@Y-Sindo
Member

Y-Sindo commented Oct 11, 2021

@drdamour Your resource happens to be located at a known problematic cluster, and we are still investigating it. We have now moved your resource to another cluster. Could you please validate whether the problem is mitigated?

@kensykora

Any update on this? It would be nice to get Managed Identity working when developing with SignalR locally

@Y-Sindo
Member

Y-Sindo commented Apr 7, 2022

@kensykora It's already supported. Please upgrade to 1.7.0.

FYI:

Y-Sindo closed this as completed Apr 7, 2022

@kensykora

@Y-Sindo I reviewed your docs, and tried making some changes, but am experiencing the same result. Can you help me figure out what the correct settings are then? It is not working for me.

Functions version: 4.0.3971
Extensions: <PackageReference Include="Microsoft.Azure.WebJobs.Extensions.SignalRService" Version="1.7.0" />

When I use the connection string:

local.settings.json

```json
{
  "IsEncrypted": false,
  "Values": {
    "AzureWebJobsStorage": "UseDevelopmentStorage=true",
    "FUNCTIONS_WORKER_RUNTIME": "dotnet",
    "AzureSignalRConnectionString": "Endpoint=https://mytestservice.service.signalr.net;AuthType=aad;Version=1.0;",
    "AzureSignalRConnectionString__credential": "managedidentity" // I've tried with & without this, same results
  },
  "ConnectionStrings": {}
}
```

And using this function:

Function.cs

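```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Azure.SignalR.Management;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Azure.WebJobs.Extensions.SignalRService;

namespace CSharp
{
    public class Function : ServerlessHub
    {
        // Anonymous HTTP endpoint that returns SignalR connection info to the client.
        [FunctionName("negotiate")]
        public Task<SignalRConnectionInfo> NegotiateAsync([HttpTrigger(AuthorizationLevel.Anonymous)] HttpRequest req)
        {
            return NegotiateAsync(new NegotiationOptions());
        }
    }
}
```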

Calling negotiate endpoint results in:

```
[2022-04-07T14:18:30.791Z] Executed 'negotiate' (Failed, Id=daecddf6-cf46-417b-893a-e69c28129453, Duration=9119ms)
[2022-04-07T14:18:30.791Z] System.Private.CoreLib: Exception while executing function: negotiate. System.Private.CoreLib: One or more errors occurred. (The given AzureAD identity don't have the permission to generate access token.). Microsoft.Azure.SignalR.Common: The given AzureAD identity don't have the permission to generate access token.
```

However I've confirmed that my az cli user is logged in and has the role SignalR Service Owner

Calls to send messages from within a simple timer function using Clients.All.SendAsync("newMessage", "status") result in:

```
[2022-04-07T14:22:39.503Z] Failed to process message: ManagedIdentityCredential authentication unavailable. No Managed Identity endpoint found.
[2022-04-07T14:22:39.503Z] Azure.Identity: ManagedIdentityCredential authentication unavailable. No Managed Identity endpoint found.
```

So I'm confused how it's supposed to work. What am I missing?

@Y-Sindo
Member

Y-Sindo commented Apr 8, 2022

@kensykora Your configuration mixes two configuration styles together. And what you need is Azure CLI identity instead of managed identity.

  • "AzureSignalRConnectionString": "Endpoint=https://mytestservice.service.signalr.net;AuthType=aad;Version=1.0;", This is the connection string style, which puts all the information in one connection string and takes precedence over the other style. This style only supports managed identity; Azure CLI identity is not supported.
  • "AzureSignalRConnectionString__credential": "managedidentity" This kind of configuration uses one or multiple key-value pair(s) to describe an identity-based connection, and it is the style described in the doc. The correct way for you is like this:
     "AzureSignalRConnectionString__serviceUri": "https://mytestservice.service.signalr.net",

    In this way, the DefaultAzureCredential will be used, and your Azure CLI identity will be picked up.
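
Added example, not part of the thread or the extension's own code: a small linter for `local.settings.json` that applies the rules stated in the comment above (the connection string style takes precedence over the `__` key style, and an `AuthType=aad` connection string only supports managed identity) and also flags an `AccessKey` stored in settings, the concern the issue opened with. The function names and finding codes are hypothetical, and the sample settings are constructed from the values quoted in the thread.

```python
import json

# Constructed local.settings.json samples modelled on the thread's configuration.
SAMPLES = {
    "mixed": '{"Values": {"AzureSignalRConnectionString": '
             '"Endpoint=https://mytestservice.service.signalr.net;AuthType=aad;Version=1.0;", '
             '"AzureSignalRConnectionString__credential": "managedidentity"}}',
    "identity": '{"Values": {"AzureSignalRConnectionString__serviceUri": '
                '"https://mytestservice.service.signalr.net"}}',
    "key": '{"Values": {"AzureSignalRConnectionString": '
           '"Endpoint=https://mytestservice.service.signalr.net;AccessKey=PLACEHOLDER;Version=1.0;"}}',
}

def parse_connection_string(cs):
    """Split 'K=V;K=V;' into a dict with lower-cased keys."""
    pairs = (seg.split("=", 1) for seg in cs.split(";") if "=" in seg)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def lint_signalr_settings(settings_json, name="AzureSignalRConnectionString"):
    """Return hypothetical finding codes for one connection name."""
    raw = json.loads(settings_json).get("Values", {})
    values = {k.lower(): v for k, v in raw.items()}  # .NET configuration keys are case-insensitive
    key, prefix = name.lower(), name.lower() + "__"
    identity_keys = [k for k in values if k.startswith(prefix)]
    findings = []
    if key in values:
        parts = parse_connection_string(values[key])
        if "accesskey" in parts:
            findings.append("access-key-in-settings")  # shared secret kept in a settings file
        if identity_keys:
            findings.append("mixed-styles")            # the connection string takes precedence
        if parts.get("authtype", "").lower() == "aad":
            findings.append("aad-connection-string")   # managed identity only, no Azure CLI identity
    elif prefix + "serviceuri" not in identity_keys:
        findings.append("missing-service-uri")         # identity style needs <name>__serviceUri
    return findings

if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        print(label, lint_signalr_settings(doc))
```
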

@kensykora

@Y-Sindo thanks for following up -- I tried as you suggested and am running into the same thing. I'll open up a separate issue.
