efitskie asked efitskie commented

Update azure app configuration from azure data factory pipeline with managed identity

I would like to update an azure app configuration value at the end of my azure data factory pipeline with the managed identity authentication.

The Azure data factory has permission to manage the app configuration keys (App Configuration Data Owner).

For this I created a WebActivity that points to the azure app configuration url.

The authentication is set to "Managed Identity".

I can't find the correct value for "Resource". I already tried different values, like "https://azconfig.io/" or "https://management.azure.com/" but none of these work.

The exception I got is "Invoking Web Activity failed with HttpStatusCode - 'Unauthorized', message - ''"

How can I update an app configuration key from azure data factory pipeline with managed identity?

azure-data-factory azure-app-configuration

1 Answer

SathyamoorthyVijayakumar-MSFT answered efitskie commented

Hello @efitskie,

Welcome to the Microsoft Q&A platform.

I am assuming you are making use of the endpoint referenced here: https://docs.microsoft.com/en-us/rest/api/appconfiguration/

If this is not the case, please let me know.

Now, when you have set the Authentication to Managed Identity.

While making the call, the identity of the ADF is considered, i.e. when you create an ADF, an identity in the name of the Azure Data Factory is created. This identity goes and tries to pull information.

At my end, I had given permission only to a managed identity (user) and I was encountering the Unauthorized error - as ADF Identity was not having sufficient permission at the App config level.


Option 1 :

You could add the Identity of the ADF in the IAM Section of the App Config and provide necessary roles.

Click on Add. You will have options to add a Managed Identity - you should choose that of the ADF.

Option 2 :

If you already have Managed identities created and you'd like to use them.

Note :

Ensure it has sufficient privileges at the App Config level (IAM)

Now, at the ADF end. Add a credential for this Managed Identity.


ADF --> Manage --> Credential --> New


Now at the Web Activity end. You will have to choose the authentication method as the user assigned identity and reference the credential you have created in the above step.

Hope this will help. Please let us know if you have any further queries.



Hello @SathyamoorthyVijayakumar-MSFT ,

Thank you for your response. I'm using the App Configuration rest endpoint indeed. My goal is to use the system assigned identity of the Azure data factory to Update a value for an App Configuration Key. I think this is the option 1 you describe.

For this I created an Azure Data Factory and App Configuration. The Azure Data Factory identity has the "App Configuration Data Owner" role in the App Configuration.

In the Azure Data Factory I created a Web Activity that points to this App Configuration.

When running this pipeline it fails with "Invoking Web Activity failed with HttpStatusCode - 'Unauthorized', message - ''"

Is it possible to update an App Configuration Key with a new value in an Azure Data Factory Pipeline using system assigned managed identity?

0 Votes 0 ·

Hello @efitskie,

Thank you for getting back.

There are two things to note here.

Note 1:

You are using the App Config Rest API (https://docs.microsoft.com/en-us/azure/azure-app-configuration/rest-api-keys)

You are hitting the https://yourappconfig.azconfig.io/keys?api-version=1.0

The Audience or the resource id should be https://yourappconfig.azconfig.io


Note 2:

You have given the owner role to the ADF identity. But the roles that are needed are

  1. Azure App Configuration Data Owner: This role provides full access to all operations.

  2. Azure App Configuration Data Reader: This role enables read operations.


The above roles are necessary to read/write values to App Config. The owner role helps in managing the App Config resource.

Reference : https://docs.microsoft.com/en-us/azure/azure-app-configuration/rest-api-authorization-azure-ad




Additional Note :
The permission change took almost 15 minutes to reflect at my end. After you make the role assignment changes, request you check the behavior after considerable time.


0 Votes 0 ·
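
The two notes in the comment above (token audience and data-plane role) can be checked against a pipeline definition before it runs. This is an added example, not part of the original thread and not Microsoft's code; it assumes the Web Activity JSON carries `typeProperties.url` and `typeProperties.authentication.resource`, and the function names, the activity name and the sample activity are hypothetical or constructed.

```python
from urllib.parse import urlsplit

# Role that allows writes, per the answer; plain "Owner" only manages the resource.
WRITE_ROLE = "App Configuration Data Owner"
READ_ROLES = {WRITE_ROLE, "App Configuration Data Reader"}


def expected_audience(url):
    """Return the token audience for a store URL: https:// plus the store's host."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"not an https URL: {url!r}")
    return f"https://{parts.hostname}"


def check_web_activity(activity, role_names, needs_write=True):
    """List the causes of 'Unauthorized' that the thread identifies."""
    props = activity.get("typeProperties", {})
    auth = props.get("authentication") or {}
    want = expected_audience(props.get("url", ""))
    findings = []
    resource = auth.get("resource", "")
    if resource.lower() != want:
        findings.append(f"resource {resource!r} should be {want!r}")
    # The thread writes the role names with and without an "Azure " prefix.
    held = {r.removeprefix("Azure ") for r in role_names}
    needed = {WRITE_ROLE} if needs_write else READ_ROLES
    if not held & needed:
        findings.append(f"identity needs one of {sorted(needed)}, has {sorted(held)}")
    return findings


# Constructed sample: the list-keys URL from the thread with a resource the asker tried.
SAMPLE = {
    "name": "UpdateAppConfig",  # hypothetical activity name
    "type": "WebActivity",
    "typeProperties": {
        "url": "https://yourappconfig.azconfig.io/keys?api-version=1.0",
        "method": "GET",
        "authentication": {"type": "MSI", "resource": "https://azconfig.io/"},
    },
}

if __name__ == "__main__":
    for finding in check_web_activity(SAMPLE, ["Owner"]):
        print(finding)
```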

Hello @efitskie,

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.

0 Votes 0 ·