Managed Service Identity (MSI) was introduced last year. Since then quite a few articles have been written about it:
- Use a Windows VM Managed Service Identity (MSI) to access Azure Key Vault
- Azure SQL authentication with a Managed Service Identity
MSI gives your code an automatically managed identity for authenticating to Azure services, so that you can keep credentials out of your code.
Enabling and configuring MSI is usually performed in three steps:
- Enable MSI for the source resource
- Grant the application's service principal (SPN) access to the target resource
- Add MSI authentication to the code hosted on the source resource
An example using Azure Functions can be found on GitHub.
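The three steps above, carried through in PowerShell as an added example that is not the post's GitHub sample. Steps 1 and 2 run from an administrator's workstation (the AzureRM module and an Azure AD admin login on the SQL server are assumed); step 3 is the code that would live inside the function. The resource group, app, server and database names are placeholders, and the App Service MSI endpoint variables `MSI_ENDPOINT` and `MSI_SECRET` are the ones App Service injects into the hosted process.

```powershell
# Added example, not the post's own code. Names below are placeholders.
$rg      = 'my-resource-group'   # assumption
$appName = 'my-function-app'     # assumption
$sqlSrv  = 'my-sql-server'       # assumption: Azure SQL logical server name
$db      = 'my-database'         # assumption

# Step 1: enable the system-assigned identity on the function app (AzureRM.Websites module).
$app = Set-AzureRmWebApp -ResourceGroupName $rg -Name $appName -AssignIdentity $true
"Principal id of the MSI: $($app.Identity.PrincipalId)"

# Step 2: grant that identity access inside the database. Run this T-SQL as the server's
# Azure AD admin (SSMS or Invoke-Sqlcmd), not from the function itself. Azure SQL resolves
# the app's display name to its service principal via FROM EXTERNAL PROVIDER.
$grantSql = @"
CREATE USER [$appName] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [$appName];
"@
Write-Output $grantSql

# Step 3: inside the function, fetch a token from the App Service MSI endpoint and
# attach it to the SqlConnection. No user name or password appears anywhere.
function Get-MsiSqlToken {
    # App Service exposes MSI_ENDPOINT and MSI_SECRET to the hosted process.
    $uri  = "$($env:MSI_ENDPOINT)?resource=https://database.windows.net/&api-version=2017-09-01"
    $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Secret = $env:MSI_SECRET }
    return $resp.access_token
}

function Open-MsiSqlConnection {
    param([string]$Server, [string]$Database)
    $token = Get-MsiSqlToken
    if (-not $token) { throw 'MSI endpoint returned no access_token; is MSI enabled on this app?' }
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=tcp:$($Server).database.windows.net,1433;Database=$($Database);Encrypt=True;TrustServerCertificate=False;Connection Timeout=30"
    $conn.AccessToken = $token   # SqlConnection.AccessToken needs .NET Framework 4.6+
    $conn.Open()
    return $conn
}

# Check which identity SQL Server actually sees: with MSI working this returns the app name,
# not NT AUTHORITY\ANONYMOUS LOGON or the host process account.
$conn = Open-MsiSqlConnection -Server $sqlSrv -Database $db
$cmd  = $conn.CreateCommand()
$cmd.CommandText = 'SELECT SUSER_SNAME() AS login_name;'
$cmd.ExecuteScalar()
$conn.Close()
```

The `SUSER_SNAME()` query is the quickest way to tell whether the token was presented at all: if the login name is the function app's name, the identity chain (MSI endpoint, token, `AccessToken` property) is intact; any other principal means the connection was opened without the token.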
I was surprised, though, to find out that connecting to Azure SQL using PowerShell with MSI does not work when hosted in a function app.
Also included in the Visual Studio solution is the function app running in PowerShell. It fails to log into Azure SQL Server with the following error:
Exception while executing function: Functions.dm_pdw_exec_sessions. Microsoft.Azure.WebJobs.Script: PowerShell script error. System.Management.Automation: Exception calling "Open" with "0" argument(s): "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.". .Net SqlClient Data Provider: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON
At this point I suspect impersonation is working correctly with IIS hosting the function app.