Azure ImdsManagedIdentityProvider does not work in Azure functions #4976
Comments
Your diagnosis would appear to be correct, thank you for the detailed report, I'll try to get a fix for you to try out
Hi - still get the same error message when trying to run on an Azure function. Am running delta-rs version 0.15.3.
That looks like a different error and indicates that the workload is unable to communicate with the metadata endpoint. Have you followed the instructions here to configure an identity for your function?
Hi @tustvold - thanks for responding. I have indeed set up an identity for the function. And am able to read the parquet files of the dataset using pyarrow, pyarrowfs-adlgen2, and ManagedIdentityCredential.
I think we might have encountered the same problem @mortnstak, and this works for us:
Thanks a lot @tahaum - setting the azure_msi_endpoint resolved the issue.
We ran into the same issue when running in an azure app container. We needed to use:
Hello, I have run into the same issue with the 0.17.3 version of the delta-rs library in Python. I enabled the system assigned managed identity on my Azure Function. I assigned it the Contributor role for the storage account. I defined storage options as such:
I get the following error:
I tried setting Any advice on what I'm doing wrong?
@danielsandorsyntio this appears to be a general access issue. Ensure that the function app is able to read/write on the storage account without the delta-rs library.
It seems like ImdsManagedIdentityProvider assumes one is running in an Azure VM, even though comments indicate that it is intended to also work in Azure functions.
We see it when running
(using the delta-rs package) in an Azure Function. Then we're getting the following error:
It looks like the endpoint set here does not work for Azure Functions, but Azure VMs (and other resource types?):
arrow-rs/object_store/src/azure/credential.rs
Line 404 in 03d0505
If we set the msi_endpoint in the storage_options explicitly using the IDENTITY_ENDPOINT environment variable found in the Azure Function we instead get the following error:
Our hypothesis is that this is caused by https://github.com/apache/arrow-rs/blame/03d0505fc864c09e6dcd208d3cdddeecefb90345/object_store/src/azure/credential.rs#L463 and the assumption that the token responses look like this:
In reality, the responses we get from the $IDENTITY_ENDPOINT look like this (notice the absence of expires_in):
MSI in azure functions documentation: https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#connect-to-azure-services-in-app-code
Related: delta-io/delta-rs#662
Maintainer (?) of relevant code: @roeap
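An added example, not part of the original issue and not the arrow-rs code: a token-expiry calculation that accepts both response shapes described above, written in Python because the reporters use the delta-rs Python package. It assumes that a response without expires_in carries expires_on as Unix seconds in a string; the sample bodies, function names and refresh margin are constructed for illustration.

```python
import json
import time
from typing import Optional

REFRESH_MARGIN_S = 300  # assumption: renew five minutes before expiry

# Constructed sample bodies; token values are placeholders, not real tokens.
VM_RESPONSE = ('{"access_token": "PLACEHOLDER", "expires_in": "3600", '
               '"expires_on": "1700003600", "token_type": "Bearer"}')
FUNCTION_RESPONSE = ('{"access_token": "PLACEHOLDER", '
                     '"expires_on": "1700003600", "token_type": "Bearer"}')


def token_expiry(body: str, now: Optional[float] = None) -> int:
    """Return the absolute expiry (Unix seconds) of a token response."""
    now = time.time() if now is None else now
    doc = json.loads(body)
    if not isinstance(doc, dict) or not doc.get("access_token"):
        raise ValueError("no access_token in response")
    # Relative lifetime, the shape the issue says the parser expects.
    if doc.get("expires_in") is not None:
        lifetime = int(doc["expires_in"])  # sent as a string
        if lifetime <= 0:
            raise ValueError("non-positive expires_in")
        return int(now) + lifetime
    # Absolute timestamp, used when expires_in is absent (assumed Unix seconds).
    if doc.get("expires_on") is not None:
        expiry = int(doc["expires_on"])  # non-numeric values raise ValueError
        if expiry <= now:
            raise ValueError("token already expired")
        return expiry
    # Fail closed: never cache a token whose lifetime is unknown.
    raise ValueError("response carries neither expires_in nor expires_on")


def needs_refresh(expiry: int, now: Optional[float] = None) -> bool:
    """True once the token is inside the refresh margin."""
    now = time.time() if now is None else now
    return expiry - now <= REFRESH_MARGIN_S
```

Rejecting a response that has neither field keeps a credential cache from holding a token with no known lifetime.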