Reputation: 2306
I'm attempting to set up autoscaling for an Azure Container App using the Event-Hub KEDA scaler. The application needs to authenticate to Azure Event Hub using a user-managed identity. I've understood that KEDA supports Azure workload identity for this purpose, but I'm having trouble configuring it correctly, especially the identityId for the workload identity within the scaling rule.
From my research and existing documentation (e.g., KEDA docs, Azure samples), I've found that Azure supports both pod identity and workload identity for such scenarios, but detailed examples for Azure Container Apps are scarce.
Here's a snippet of my Bicep template where I'm trying to set up the scaling rule:
    resource app 'Microsoft.App/containerApps@2022-03-01' = {
      identity: {
        type: 'UserAssigned'
        userAssignedIdentities: {
          '${managedIdentity.id}': {}
        }
      }
      properties: {
        // Omitted for brevity...
        template: {
          // Omitted for brevity...
          scale: {
            rules: [
              {
                name: 'eh-keda-scale'
                custom: {
                  type: 'azure-eventhub'
                  metadata: {
                    consumerGroup: containerAppName
                    unprocessedEventThreshold: '64'
                    // Possibly needed according to the Keda event-hub docs?
                    eventHubNamespace: eventHubNamespace
                    eventHubName: eventHubName
                    // Attempt to configure workload identity
                    // Unsure how to properly specify `identityId` here
                  }
                  auth: [
                    {
                      secretRef: 'clientIdentitySecret'
                      triggerParameter: 'identityId'
                      // How should `identityId` be configured for workload identity?
                    }
                  ]
                }
              }
            ]
          }
        }
      }
    }
Here is the reference I've used.
https://github.com/kedacore/sample-dotnet-worker-servicebus-queue/?tab=readme-ov-file
https://keda.sh/docs/2.13/scalers/azure-event-hub/
Unfortunately, the documentation is not clear on HOW to configure the workload identity, and in particular how and where to configure the identityId. There are some clues here:
But nothing concrete for a pod or workload identity. The Bicep reference for the resource type is:
Upvotes: 0
Views: 467
Reputation: 2306
Apparently this is not supported at the time of writing.
Using managed identities in scale rules isn't supported. You'll still need to include the connection string or key in the secretRef of the scaling rule.
I'm going to work around it by fetching the number of partitions in my event hub and scaling my min and max replicas to this.
Upvotes: 0
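The answer's point, that the scale rule has to carry a connection string through secretRef, looks like this in Bicep. This is an added example, not code from the original posts; the parameter names, secret names, blob container name and checkpoint settings are assumptions, built on the KEDA azure-eventhub scaler's `connection` and `storageConnection` authentication parameters.

```bicep
// Added example: names marked "assumed" are not from the original posts.
@secure()
param eventHubConnectionString string // assumed: must include EntityPath=<hub name>
@secure()
param checkpointStorageConnectionString string // assumed: storage account with checkpoints
param containerAppName string
param environmentId string // assumed: ID of an existing managed environment
param image string // assumed: container image reference

resource app 'Microsoft.App/containerApps@2022-03-01' = {
  name: containerAppName
  location: resourceGroup().location
  properties: {
    managedEnvironmentId: environmentId
    configuration: {
      // Secret names must be lowercase alphanumerics and dashes.
      secrets: [
        { name: 'eh-connection', value: eventHubConnectionString }
        { name: 'eh-checkpoint-storage', value: checkpointStorageConnectionString }
      ]
    }
    template: {
      containers: [
        { name: containerAppName, image: image }
      ]
      scale: {
        rules: [
          {
            name: 'eh-keda-scale'
            custom: {
              type: 'azure-eventhub'
              metadata: {
                consumerGroup: containerAppName
                unprocessedEventThreshold: '64'
                checkpointStrategy: 'blobMetadata'
                blobContainer: 'checkpoints' // assumed container name
              }
              // Each auth entry maps a secret to a scaler parameter.
              auth: [
                { secretRef: 'eh-connection', triggerParameter: 'connection' }
                { secretRef: 'eh-checkpoint-storage', triggerParameter: 'storageConnection' }
              ]
            }
          }
        ]
      }
    }
  }
}
```

Declaring both connection strings as `@secure()` parameters keeps their values out of the deployment history and logs.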