
Inability to refresh triggers behind authenticated function app post deploy #4196

Open
aneillans opened this issue Nov 21, 2024 · 2 comments · May be fixed by #4199
Comments

@aneillans

Version

4.0.6610

Description

Unable to sync triggers on Function App protected by OpenID auth (Azure AD B2C tenant) - 401

Unable to pass a separate access token for the refresh trigger step, as the access token is used for publish as well as the refresh step. Unable to split the refresh step off and call it separately with a different access token. (Both would be potential solutions, although I guess so would adding another auth provider!)

Steps to reproduce

Deploy function app with OpenID "required" auth configured.
Tooling is unable to refresh the triggers, as it is unable to auth.

Log:

[SyncTriggerStep] starting.
Waiting 60 seconds for the workers to recycle with deployed content.
[CleanUpStep] starting.
Cleaned the source packages directory.
Cleaned the result artifact directory.
Finished deployment pipeline.
FunctionHostSyncTrigger, statusCode = Unauthorized
Deployment was successful but the app appears to be unhealthy, please check the app logs.
Checking the app health...................

@aneillans (Author)

Did some further digging on this. Passing a token for Sync Triggers is only a partial solution, and will work for all (it seems) EXCEPT Flex. Flex is triggered via the Kudu / Legion backend, which doesn't appear to be able to be told to use a different identity at present? Still prodding that bit to work out more.

Seems that there might be another auth point that fails - the call to check status calls an /admin/ uri, which might also fail with an unauthorized response if behind auth (and no different bearer provided).

@aneillans (Author)

Poking through the Kudu source, I can see that a JWT is created for the refresh, but none of this code actually takes into account the auth layer that might have been deployed on top of the Function App. Seems there is a significant fundamental flaw here, given the /admin/host/synctriggers address is published on the "client side" address and not the scm endpoint.

Thinking the only way around this is to perhaps have a way of making the automated part of the deployment accept a failure in the deployment, and continue, but then support calling synctriggers itself with a bearer token for Flex deployments?
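The manual step discussed above, as an added example that is not part of the issue and not code from Core Tools, Kudu or the Functions host: re-run the two admin calls the deploy log makes (sync triggers, then the host status check) against the app's public hostname with a caller-supplied bearer token, so the request passes the Easy Auth / OpenID layer that rejects the Kudu-minted JWT. Assumptions: the sync path is the /admin/host/synctriggers address quoted in the thread; the status check is taken to be GET /admin/host/status; TOKEN is obtained out of band from the app's configured identity provider; the "Easy Auth" stand-in at the bottom is a constructed simulation so the script runs offline (pass urllib.request.urlopen instead to hit a real app).

```python
"""Re-run the post-deploy admin calls with a provider-issued bearer token.

Added example (not Core Tools / Kudu / Functions host code). Paths and the
fake auth layer are assumptions, labelled below.
"""
import io
import urllib.error
import urllib.request
from email.message import Message

SYNC_PATH = "/admin/host/synctriggers"   # quoted in the thread
STATUS_PATH = "/admin/host/status"       # assumed host status endpoint


def build_request(hostname: str, path: str, token: str, method: str) -> urllib.request.Request:
    """Admin request against the app's *public* hostname (not scm) with the bearer attached."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    if method == "POST":
        headers["Content-Length"] = "0"   # synctriggers takes an empty body
    return urllib.request.Request(f"https://{hostname}{path}", headers=headers, method=method)


def call_admin(hostname, path, token, method="GET", opener=urllib.request.urlopen):
    """Return (status, body). HTTP errors are returned as values so a 401 can be inspected."""
    req = build_request(hostname, path, token, method)
    try:
        with opener(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def explain(status: int) -> str:
    """Map the admin endpoint's status to what the deploy pipeline would report."""
    if status in (200, 204):
        return "ok"
    if status == 401:
        return "rejected by the app's auth layer (Easy Auth / OpenID): no or invalid bearer for this app"
    if status == 403:
        return "authenticated but not permitted"
    return "unexpected"


def sync_and_check(hostname, token, opener=urllib.request.urlopen):
    """The two steps the pipeline does after publish: sync triggers, then check host status."""
    sync_status, _ = call_admin(hostname, SYNC_PATH, token, "POST", opener)
    if sync_status not in (200, 204):
        return {"sync": sync_status, "status": None, "verdict": explain(sync_status)}
    status, body = call_admin(hostname, STATUS_PATH, token, "GET", opener)
    return {"sync": sync_status, "status": status, "verdict": explain(status), "body": body}


# --- constructed stand-in for Easy Auth in "required" mode, so this runs offline ---
ACCEPTED_TOKEN = "token-from-b2c"   # constructed; a real provider token is a JWT


class _FakeResponse(io.BytesIO):
    status = 200


def fake_easy_auth_opener(req, timeout=None):
    """Simulated auth layer: any request without the accepted bearer gets 401, like the log above."""
    if req.get_header("Authorization", "") != f"Bearer {ACCEPTED_TOKEN}":
        raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", Message(), io.BytesIO(b""))
    if req.get_method() == "POST" and req.selector == SYNC_PATH:
        return _FakeResponse(b"")
    if req.selector == STATUS_PATH:
        return _FakeResponse(b'{"state":"Running"}')
    raise urllib.error.HTTPError(req.full_url, 404, "Not Found", Message(), io.BytesIO(b""))


if __name__ == "__main__":
    host = "myapp.azurewebsites.net"   # constructed hostname
    # What the pipeline sees when it presents the Kudu-minted JWT to the auth layer:
    print(sync_and_check(host, "kudu-minted-jwt", fake_easy_auth_opener))
    # The same two calls with a token from the app's configured provider:
    print(sync_and_check(host, ACCEPTED_TOKEN, fake_easy_auth_opener))
```

Against a real app, drop the fake opener and pass a token whose audience matches the app's OpenID registration; a 401 from either call means the auth layer answered before the Functions host ever saw the request, which is exactly why the pipeline's "Deployment was successful but the app appears to be unhealthy" message is misleading here.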
