Introduction
Managed Service Identity (MSI) in Azure is a powerful feature that gives an Azure managed resource an identity in Azure AD. Once the resource has an identity, it can authenticate to anything that supports Azure AD authentication. The code example in this article shows how to send events to Event Grid from a blob-triggered Azure Function using a managed service identity.
The link to download the project source code is here.
Prerequisites
- Readers should have an Azure portal subscription.
- Readers should first go through the articles on Azure Functions, Event Grid and the basics of managed identity.
- Readers should know how to create an Azure Function App and a storage account in the Azure portal.
Implementation
Step 1
Open Visual Studio, create a new project using the Azure Functions project template, and click Next.
Step 2
Configure the project with the project name, solution name, and the location where the file is to be saved.
Step 3
Select “Blob Trigger” as the Azure Function type, enter a valid connection string name in “Connection string setting name” and click Create.
After the project gets created it will look like the below screenshot:
Step 4
Go to the Azure portal, search for Storage account in the search box and create a storage account with a valid name. After creating it, go to the Security + networking section and click Access keys, then click Show keys to make all the keys visible. Copy the connection string of key1.
Step 5
Now go back to Visual Studio, open the local.settings.json file in the project and add the connection string property “blobconnectionstring” (the same name as given in the connection string setting name when the blob-triggered function was created), then paste the copied connection string as its value.
Step 6
Now build the solution.
Step 7
Now add a new Event Grid trigger Azure Function: right-click the project, hover over Add and click New Azure Function.
Step 8
Choose Event Grid trigger as the Azure Function type.
The Event Grid triggered function will look like the below after creation.
Now go to the Azure portal and execute the below steps:
Step 9
Search for Function App and create an Azure Function App named demoegmsifunc.
Step 10
Go to Settings in the left pane and click Configuration. In the Application settings tab, add an app setting for the connection string with the same name and value as given in local.settings.json (blobconnectionstring).
Step 11
Now click the Identity tab in the left pane; the System assigned tab is selected by default. Set the identity Status to On. After saving, an object ID is generated; this is the identity of the function app registered in Azure Active Directory.
Step 12
Now go back to Visual Studio, right-click the project and click Publish. Click Start, select Azure as the target, click Next, select Azure Function App (Windows), select the correct resource group and then the function app name, and publish.
Step 13
After publishing successfully, go to the Azure portal and check whether the functions have been published.
Step 14
Next, go to the Home page in the portal, search for Event Grid Topics and create one topic.
Step 15
Next, create an event subscription with the details below:
Name – give a valid name for the subscription.
Event schema – default, no need to change.
Topic Details section stays as it is.
Filter to Event Types – add a meaningful tag that explains the purpose of this subscription.
Endpoint type – select Azure Function.
Click on Endpoint; a selection box opens:
Select the proper subscription, resource group, Function App (here demoegmsifunc) and the Event Grid trigger function (EventGridMsiDemo), then click Confirm Selection.
After setting all the configurations, click Create.
Verify that the subscription has been created properly under the topic.
Step 16
Now it is time to assign a proper role to the identity of the function app so that the blob-triggered function can publish events to the Event Grid topic.
Go to the Access control tab, click Add, then click Add role assignment; a selection box opens.
Step 17
In the Add role assignment box, select the options as below,
Role: select EventGrid Data Sender.
Assign access to: Function App
Subscription: choose the proper subscription
Select: Search and select the function app identity, after selection, the function app identity will be displayed under Selected members.
Save it.
Step 18
Now verify whether the role assignment is reflected properly on both the Event Grid topic side and the function app side.
Event Grid side – go to the Role assignments tab, search for the function app and verify that the EventGrid Data Sender role has been assigned to it.
Step 19
Function App side verification – go to the function app, click Identity, click Azure role assignments and verify that the EventGrid Data Sender role has been added with the Event Grid topic as the resource.
Step 20
Now go back to the blob-triggered function code in Visual Studio, put the below code snippet there, and publish it again as described above.
// Required namespaces (add at the top of the file, next to the template's existing usings)
using Azure.Identity;
using Azure.Messaging.EventGrid;
// Name of the endpoint of the Event Grid topic (no leading space inside the quotes, or the Uri is invalid)
string topicEndpoint = "https://demomsiegtopic.eastus-1.eventgrid.azure.net/api/events";
// Create the client that publishes events to the topic; DefaultAzureCredential uses the function app's managed identity
EventGridPublisherClient client = new EventGridPublisherClient(new Uri(topicEndpoint), new DefaultAzureCredential());
log.LogInformation("received client");
// Create a sample event with subject, event type, data version and data
EventGridEvent egEvent = new EventGridEvent("Subject", "demoegmsifunc.receive", "1.0", "Sample event data");
// Send the event
await client.SendEventAsync(egEvent);
log.LogInformation($"C# Blob trigger function Processed blob\n Name:{name} \n Size: {myBlob.Length} Bytes");
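The complete blob-triggered function, as an added example (not the article's project code), showing the identity-based publisher beside the access-key alternative that the article says managed identity avoids, and the failure cases to expect when the identity is turned off or lacks the role. The container name samples-workitems, the function name, the event payload shape and the error handling are assumptions.

```csharp
using System;
using System.IO;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Messaging.EventGrid;
using Microsoft.Azure.WebJobs;
using Microsoft.Extensions.Logging;

public static class BlobTriggerFunction
{
    // Topic endpoint from the article.
    private const string TopicEndpoint = "https://demomsiegtopic.eastus-1.eventgrid.azure.net/api/events";

    // Key-based client (the approach the article avoids): needs a topic access key kept in app settings, a long-lived secret.
    public static EventGridPublisherClient CreateKeyBasedClient(string topicKey) =>
        new EventGridPublisherClient(new Uri(TopicEndpoint), new AzureKeyCredential(topicKey));

    // Identity-based client: no secret in configuration. In Azure, DefaultAzureCredential resolves to the
    // function app's system-assigned managed identity (Step 11); locally it falls back to the developer's sign-in.
    public static EventGridPublisherClient CreateIdentityClient() =>
        new EventGridPublisherClient(new Uri(TopicEndpoint), new DefaultAzureCredential());

    // Container "samples-workitems" is an assumption; Connection matches the "blobconnectionstring" app setting (Steps 5, 10).
    [FunctionName("BlobTriggerFunction")]
    public static async Task Run(
        [BlobTrigger("samples-workitems/{name}", Connection = "blobconnectionstring")] Stream myBlob,
        string name,
        ILogger log)
    {
        EventGridPublisherClient client = CreateIdentityClient();
        // Event type from the article; the payload carries only blob metadata, not the blob contents.
        EventGridEvent egEvent = new EventGridEvent(
            subject: $"blobs/{name}",
            eventType: "demoegmsifunc.receive",
            dataVersion: "1.0",
            data: new { BlobName = name, Size = myBlob.Length });
        try
        {
            await client.SendEventAsync(egEvent);
            log.LogInformation("Published event for blob {Name} ({Size} bytes)", name, myBlob.Length);
        }
        // AuthenticationFailedException: no token could be obtained (identity turned off, as in Step 6 of the test);
        // 401/403: a token was obtained but the identity lacks EventGrid Data Sender on the topic (Steps 16-19).
        catch (Exception ex) when (ex is AuthenticationFailedException
                                   || (ex is RequestFailedException rf && (rf.Status == 401 || rf.Status == 403)))
        {
            log.LogError(ex, "Event Grid rejected the publish; check the function app identity and role assignment");
            throw;
        }
    }
}
```

CreateKeyBasedClient is shown only for contrast; the function itself never reads a key from configuration.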
Test Verification
Now it’s time to test whether the blob-triggered Azure Function can publish events to the Event Grid triggered function using the managed identity.
Follow the steps below:
Step 1
Go to the Azure portal, open the function app, click Functions and open both functions in different tabs. In each, click the Monitor section and then the Logs tab; it connects in a few seconds. Keep these monitor consoles open. Nothing is shown yet; once a blob is uploaded, we can see the changes.
Step 2
Now go to the storage account and click on the container.
Step 3
Then upload a sample text file as a blob.
Step 4
Now go back to the monitor screen of the blob trigger function; here we can see the success message that the blob-triggered function processed the blob with the correct blob name.
Step 5
Then go to the Event Grid function monitor; we can see that the Azure Function has published the event successfully to the Event Grid topic. That means the managed identity worked like a charm!
Step 6
If we remove the managed identity from the function app and try to send the events, we won’t be able to send them and we’ll get the following error.
Conclusion
In this article, we walked step by step through one case study of managed identity: how a blob-triggered function publishes an event to Event Grid using a managed identity. We observed that, without any environment-specific secret (i.e. an Event Grid access key), we were able to publish events very easily; that is why managed identity is so powerful.
References
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles