Reputation: 45
I have a .NET Core Azure Functions project working well in Visual Studio 2019 when I have a valid AzureWebJobsServiceBus in local.settings.json, but it would not compile if that's missing or empty. I am using AD to authenticate my function to Service Bus, not through a connection string. AzureWebJobsServiceBus is not used anywhere in my project. Here's my project.cs
I use Azure.Identity package and follow this post to use my credential to log in to Azure, and here's my function that's working:

    [FunctionName("ProcessNewMessage")]
    public async Task ProcessPaymentMessage([ServiceBusTrigger("topic", "subscription")] Message message, ILogger log)
    {
        var tokenProvider = TokenProvider.CreateManagedIdentityTokenProvider();
        QueueClient queueClient = new QueueClient(
            $"sb://{Environment.GetEnvironmentVariable("ServiceBusEndPoint")}",
            Environment.GetEnvironmentVariable("GenericAuditQueueName"),
            tokenProvider);
        await queueClient.SendAsync(message);
    }

Before using AD to authenticate, I was using connection string and that's working too, but it's recommended to use AD.
To summarize, my Azure Function works with Service bus trigger when connection string is provided but not used by my code. How can I make my function work with AD without connection string?
Thanks a lot
Upvotes: 1
Views: 7901
Reputation: 23121
If you want to configure Azure service bus trigger in Azure function with Azure AD auth, please set the service bus connection string as

    Endpoint=sb://<service-bus-resource>.servicebus.windows.net;Authentication=Managed Identity;

For more details, please refer to here.
For example

    az role assignment create \
        --role $service_bus_role \
        --assignee $assignee_id \
        --scope /subscriptions/$subscription_id/resourceGroups/$resource_group/providers/Microsoft.ServiceBus/namespaces/$service_bus_namespace

    public static void Run([ServiceBusTrigger("test", "test", Connection = "myQueueConn")]string mySbMsg, ILogger log)
    {
        log.LogInformation($"C# ServiceBus topic trigger function processed message: {mySbMsg}");
    }

Upvotes: 0
Reputation: 4870
You cannot remove the Service Bus connection string from the Azure Function App Service Bus trigger, as internal SDKs use it to make the connection.
Saving your Service Bus connection string in the Function App using Key Vault: The Key Vault references feature makes it so that your app can work as if it were using App Settings as they have been, meaning no code changes are required. You can get all of the details from our Key Vault reference documentation, but I’ll outline the basics here.
This feature requires a system-assigned managed identity for your app. Later in this post I’ll be talking about user-assigned identities, but we’re keeping these previews separate for now.
You’ll then need to configure an access policy on your Key Vault which gives your application the GET permission for secrets. Learn how to configure an access policy.
Lastly, set the value of any application setting to a reference of the following format:
@Microsoft.KeyVault(SecretUri=secret_uri_with_version)
Where secret_uri_with_version is the full URI for a secret in Key Vault. For example, this would be something like: https://myvault.vault.azure.net/secrets/azurewebjobsservicebussecret/ec96f02080254f109c51a1f14cdb1931
You can use MSI for Azure Function App and Service Bus:
MSI for Function App: https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet#add-a-system-assigned-identity
MSI for Service bus: https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-managed-service-identity#use-service-bus-with-managed-identities-for-azure-resources
Upvotes: 2
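
An added example, not code from any of the posts above: a small Python check that reads a Functions settings file and reports, for each setting, whether it is the identity-based form from the second answer, a Key Vault reference as in the third, or a connection string that still embeds a key. The sample settings, the namespace `example-ns`, the `AuditConn` name and the classification labels are constructed for illustration.

```python
import json
import re

# Constructed sample shaped like local.settings.json; every value is a placeholder.
SAMPLE_SETTINGS = json.loads("""
{
  "Values": {
    "AzureWebJobsServiceBus": "Endpoint=sb://example-ns.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=CONSTRUCTED-PLACEHOLDER=",
    "myQueueConn": "Endpoint=sb://example-ns.servicebus.windows.net;Authentication=Managed Identity;",
    "AuditConn": "@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/azurewebjobsservicebussecret/constructed-version)",
    "ServiceBusEndPoint": "example-ns.servicebus.windows.net"
  }
}
""")

KEYVAULT_REF = re.compile(r"^@Microsoft\.KeyVault\(SecretUri=https://[^)\s]+\)$")
SECRET_KEYS = {"sharedaccesskey", "sharedaccesssignature"}

def parse_connection_string(value):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    parts = {}
    for segment in value.split(";"):
        key, sep, val = segment.partition("=")  # split on the first '=' only
        if sep:
            parts[key.strip().lower()] = val.strip()
    return parts

def classify(value):
    """Say how one app setting authenticates to Service Bus."""
    value = value.strip()
    if KEYVAULT_REF.match(value):
        return "keyvault-reference"
    parts = parse_connection_string(value)
    if "endpoint" not in parts:
        return "not-a-connection-string"
    if SECRET_KEYS & parts.keys():
        return "embedded-secret"
    if parts.get("authentication", "").lower() == "managed identity":
        return "managed-identity"
    return "unknown"

def audit(settings):
    """Map each setting name under 'Values' to its classification."""
    return {name: classify(str(v)) for name, v in settings.get("Values", {}).items()}

def settings_with_secrets(settings):
    """Names of settings that still carry a shared access key or SAS token."""
    return sorted(n for n, kind in audit(settings).items() if kind == "embedded-secret")

if __name__ == "__main__":
    for name, kind in audit(SAMPLE_SETTINGS).items():
        print(f"{name}: {kind}")
```

Running it against a real local.settings.json before committing shows which trigger connections still depend on a shared key rather than on the identity's role assignment.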