First, sign in to your Azure account using the Azure CLI:
az login
or
az login --use-device-code
Choose a location and create a resource group:
az group create --name rgRelabeler --location "West Europe"
Azure Functions require a storage account. Create one using the following command:
az storage account create --name sarelabeler --resource-group rgRelabeler --location "West Europe" --sku Standard_LRS
Create the Function App where your function will reside:
az functionapp create --resource-group rgRelabeler --consumption-plan-location westeurope --runtime powershell --runtime-version 7.4 --functions-version 4 --name fRelabeler --storage-account sarelabeler
You can create a user-assigned managed identity using the Azure Portal, Azure CLI, or Azure PowerShell. Below are the instructions using Azure CLI and PowerShell.
az identity create --name identityRelabeler --resource-group rgRelabeler --location westeurope
or
New-AzUserAssignedIdentity -Name "identityRelabeler" -ResourceGroupName "rgRelabeler" -Location "westeurope"
az identity show --name identityRelabeler --resource-group rgRelabeler --query "{clientId: clientId, id: id}" --output json
or
$identity = Get-AzUserAssignedIdentity -Name "identityRelabeler" -ResourceGroupName "rgRelabeler"
$identity | Select-Object ClientId, Id | ConvertTo-Json
az functionapp identity assign --name fRelabeler --resource-group rgRelabeler --identities /subscriptions/{subscription-id}/resourcegroups/rgRelabeler/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identityRelabeler
or
$functionApp = Get-AzFunctionApp -Name "fRelabeler" -ResourceGroupName "rgRelabeler"
$userAssignedIdentity = "identityRelabeler"
$identity = Get-AzUserAssignedIdentity -Name $userAssignedIdentity -ResourceGroupName "rgRelabeler"
Update-AzFunctionApp -Name "fRelabeler" -ResourceGroupName "rgRelabeler" -IdentityType UserAssigned -IdentityID $identity.Id -Force
Now grant the user-assigned managed identity access to your Azure Key Vault. The commands below do this by assigning the Key Vault Secrets User role to the identity, scoped to the vault.
# Assign the role
az role assignment create --role "Key Vault Secrets User" --assignee-object-id $(az identity show --name identityRelabeler --resource-group rgRelabeler --query 'principalId' -o tsv) --scope /subscriptions/{subscription-id}/resourceGroups/rgRelabeler/providers/Microsoft.KeyVault/vaults/kvRelabeler --assignee-principal-type ServicePrincipal
or
# Variables
$KeyVaultName = "kvRelabeler"
$ResourceGroup = "rgRelabeler"
$RoleName = "Key Vault Secrets User"
$IdentityName = "identityRelabeler"
# Get the Key Vault
$keyVault = Get-AzKeyVault -Name $KeyVaultName -ResourceGroupName $ResourceGroup
# Get the Managed Identity
$identity = Get-AzUserAssignedIdentity -Name $IdentityName -ResourceGroupName $ResourceGroup
# Assign the role
New-AzRoleAssignment -ObjectId $identity.PrincipalId -RoleDefinitionName $RoleName -Scope $keyVault.ResourceId
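To show what the identity and role assignment above enable, here is an added example (not code from the original page) of a helper the PowerShell function could call to read one secret from kvRelabeler. The app setting `RELABELER_IDENTITY_CLIENT_ID` and the secret name passed in are assumptions; the client ID is the `clientId` value returned when you looked up the identity.

```powershell
# Added example: read a Key Vault secret from inside the Function App using the
# user-assigned managed identity. Names marked "assumed" are not from the page.
function Get-RelabelerSecret {
    param(
        [Parameter(Mandatory)] [string] $SecretName,               # assumed secret name
        [string] $VaultName = 'kvRelabeler',                       # vault used in the role assignment
        [string] $ClientId  = $env:RELABELER_IDENTITY_CLIENT_ID    # assumed app setting holding clientId
    )

    # The platform injects these two variables once an identity is assigned to the app.
    if (-not $env:IDENTITY_ENDPOINT -or -not $env:IDENTITY_HEADER) {
        throw 'Managed identity endpoint not found. Is an identity assigned to the Function App?'
    }
    # Without client_id the endpoint looks for a system-assigned identity,
    # which this app does not have, so the token request would fail.
    if (-not $ClientId) {
        throw 'Client ID of the user-assigned identity is missing.'
    }

    # Request a token for Key Vault from the local identity endpoint.
    $tokenUri = '{0}?api-version=2019-08-01&resource={1}&client_id={2}' -f
        $env:IDENTITY_ENDPOINT, [uri]::EscapeDataString('https://vault.azure.net'), $ClientId
    $token = Invoke-RestMethod -Method Get -Uri $tokenUri `
        -Headers @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER }

    # Read the latest version of the secret with the bearer token.
    $secretUri = 'https://{0}.vault.azure.net/secrets/{1}?api-version=7.4' -f
        $VaultName, [uri]::EscapeDataString($SecretName)
    try {
        $response = Invoke-RestMethod -Method Get -Uri $secretUri `
            -Headers @{ Authorization = "Bearer $($token.access_token)" }
    }
    catch {
        # 403 means the token was accepted but the identity lacks the role on this vault
        # (or the assignment has not propagated yet).
        if ([int]$_.Exception.Response.StatusCode -eq 403) {
            throw "Access denied on vault '${VaultName}'. Check the Key Vault Secrets User assignment."
        }
        throw
    }

    # Return the value to the caller; do not write it to the function log.
    return $response.value
}
```

Key Vault Secrets User grants read access to secret contents only, so the same identity cannot create, change or delete secrets with this assignment.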
Navigate to your function project directory and deploy using Azure Functions Core Tools: https://learn.microsoft.com/en-us/azure/azure-functions/functions-core-tools-reference?tabs=v2#func-azure-functionapp-publish
cd path/to/your/function/project
func azure functionapp publish fRelabeler --verbose
After deployment, you can verify if your function is running correctly:
- Azure Portal: Navigate to your Function App in the Azure Portal to check the status and logs.
- Testing the Function: You can test your HTTP-triggered function using tools like curl or Postman.
curl "https://MyFunctionApp.azurewebsites.net/api/YourFunctionName?code=YOUR_FUNCTION_KEY"
az functionapp deployment source config --name fRelabeler --resource-group rgRelabeler --repo-url https://github.com/yourusername/your-repo --branch main --manual-integration