July 29th, 2021

Process Azure Digital Twins data updates with the new Azure Function Extension Libraries **Beta**

Muhammad Nabeel
Senior Customer Engineer

Introduction

Hello, my name is Muhammad Nabeel and I’m a Senior Customer Engineer at Microsoft. I help customers in their journey to use the Azure platform to build solutions. In a previous post, we introduced the new Azure Function Extension libraries for Storage, Event Hubs, Service Bus, and Event Grid. Now with Azure SDK’s Azure Function Extension Libraries (Beta) we can build truly secretless systems. The new extensions make it possible to use secretless configuration and authenticate via Azure Active Directory. These Azure platform capabilities eliminate the responsibility of managing and maintaining secrets for various services.

In this blog, I will demonstrate the new Azure Function Extension Libraries (Beta) for a secretless configuration of an IoT system. This configuration shifts the responsibility of managing secrets from an Azure Function operator to the Azure platform using Azure Active Directory. This post will show how data flows from Azure Digital Twins to Azure Event Hubs and is consumed by an Azure Function without any secrets stored in its configuration.

Here is a summary:

  1. Set up Azure Digital Twins to route events to Event Hubs
  2. Set up Azure Function App to process Event Hubs Trigger
  3. Add code to Azure Function App to capture the Azure Digital Twins events coming through Event Hubs Trigger

Prerequisites

Architecture overview

Data flow

There are two main components of the architecture:

  • The Azure Digital Twins sending messages to Event Hubs.

  • The Azure Function consuming the Event Hub messages using secretless configuration.

The core of the architecture is the beta version of the Event Hubs Functions extension, which lets the function consume Event Hub messages without holding any secrets: the trigger authenticates with the Function App's managed identity instead of a shared access key.

Set up Azure Digital Twins to route events to event hub

Routing events from Azure Digital Twins to Azure Event Hubs is a simple two-step process.

Create Azure Digital Twins Endpoint

Following image illustrates how to create an Azure Digital Twins Endpoint:

Create endpoint

Create Azure Digital Twins Event Route

Following image illustrates how to create Azure Digital Twins Event Route:

Create event route

Set up Azure Function App to process Event Hub Trigger

Following are the configurations that will enable secretless configuration.

Enable Managed Identity for the Function App

To enable secretless configuration, we will use Azure Active Directory to authenticate Azure Function App. The first step in this process is to enable Managed Identity for the function app.

Here are the steps:

  1. Sign in to the Azure portal and navigate to your Azure Function App that was mentioned in the prerequisite section.
  2. On the left navigation menu select “Identity”.
  3. On the “System assigned” tab, select “On” toggle button under “Status” heading.
  4. Select “Save”.

Following image illustrates the steps:

Enabled Managed Identity for the Function App

Add application setting for EventHub connection

When we use an Azure Function to listen to Event Hub triggers, we add EventHubConnection as an application setting. Here is an example of such an EventHubConnection setting:

"EventHubConnection": "Endpoint=sb://santacruz3203-digitaltwin-ehnamespace.servicebus.windows.net/;SharedAccessKeyName=EHPolicy;SharedAccessKey=Your-Shared-Access-Key=;EntityPath=santacruz3203-digitaltwin-eventhub"

You can see in the setting above that a secret (the SharedAccessKey value) is included as part of the EventHubConnection connection string; anyone who can read the application settings can read the key.

The secretless configuration removes the secret from the configuration entirely. The above-mentioned connection setting will now look like this:

"EventHubConnection__fullyQualifiedNamespace": "santacruz3203-digitaltwin-ehnamespace.servicebus.windows.net"

There are two things worth noting from the above configuration setting:

  1. There is no secret mentioned in the Application Setting for EventHubConnection.
  2. “__fullyQualifiedNamespace” is appended to the application setting name. This suffix is how the beta versions of the Storage, Event Hubs, Service Bus, and Event Grid Functions extensions know to use secretless configuration (Azure AD authentication with the Function App's identity) instead of a connection string.

Here are the steps to accomplish this change:

  1. Sign in to the Azure portal and navigate to Azure Function App that was mentioned in the prerequisite section.

  2. On the left navigation menu click “Configuration”.

  3. On the “Application settings” tab, click “+ New application setting” button under “Application settings” heading.

  4. Add “EventHubConnection__fullyQualifiedNamespace” as application setting name.

  5. Add the fully qualified namespace as the application setting value. You can retrieve the fully qualified namespace by opening the Event Hub Namespace in the Azure portal and copying the value given for “Host name”, as shown below:

Retrieve fully qualified namespace

  6. Select “OK”.

  7. Select “Save”.

Following image illustrates the above mentioned steps:

Enabled Managed Identity for the Function App

Add role assignment for Azure Function in Event Hub instance

The final part of the Azure Function configuration is granting the Function App's managed identity the right to receive from the Event Hub, by assigning it a role on the Event Hub instance.

Here are the steps:

  1. Sign in to Azure portal and navigate to the EventHub that was mentioned in the prerequisite section. This will open EventHub instance controls.
  2. On the left navigation menu select “Access control (IAM)”.
  3. Select “+ Add”.
  4. Choose “Add role assignment”.
  5. On the “Add role assignment” panel, select:
    1. “Azure Event Hubs Data Receiver” as role.
    2. “Function App” for “Assign access to” pull-down menu.
    3. For subscription, select the subscription that the Azure Function belongs to.
    4. Select the Azure Function.
  6. Select “Save”.

Following image illustrates the above mentioned steps:

Add role assignment for Azure Function in Event Hub instance
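The three portal procedures above (enable the managed identity, add the EventHubConnection__fullyQualifiedNamespace setting, assign the Data Receiver role) scripted with the Azure CLI, as an added example that is not part of the original post. The resource group, Function App, namespace and event hub names are placeholders to replace; the role is scoped to the single event hub, matching the portal steps.

```shell
#!/bin/sh
# Added example (not from the original post): the post's three portal steps as
# Azure CLI commands. All resource names below are placeholders.
set -eu

RG="${RG:-my-resource-group}"                    # placeholder resource group
FUNC_APP="${FUNC_APP:-my-function-app}"          # placeholder Function App name
EH_NAMESPACE="${EH_NAMESPACE:-my-eh-namespace}"  # placeholder Event Hubs namespace
EH_NAME="${EH_NAME:-my-eventhub}"                # placeholder event hub (entity) name

# Build the secretless setting "<Connection>__fullyQualifiedNamespace=<ns>.servicebus.windows.net".
# The "__fullyQualifiedNamespace" suffix is what makes the beta extension use Azure AD instead of a SAS key.
secretless_setting() {
  printf '%s__fullyQualifiedNamespace=%s.servicebus.windows.net' "$1" "$2"
}

# True when a setting value still carries a SAS key, i.e. the pre-migration connection-string shape.
contains_sas_secret() {
  case "$1" in
    *SharedAccessKey=*) return 0 ;;
    *) return 1 ;;
  esac
}

configure() {
  # Step 1: system-assigned managed identity (portal: Identity > System assigned > On).
  principal_id=$(az functionapp identity assign -g "$RG" -n "$FUNC_APP" --query principalId -o tsv)

  # Step 2: drop the SAS connection string and add the namespace-only setting.
  az functionapp config appsettings delete -g "$RG" -n "$FUNC_APP" --setting-names EventHubConnection >/dev/null || true
  az functionapp config appsettings set -g "$RG" -n "$FUNC_APP" \
    --settings "$(secretless_setting EventHubConnection "$EH_NAMESPACE")" >/dev/null

  # Step 3: least privilege: Data Receiver (not Owner), scoped to this one event hub rather than the namespace.
  scope=$(az eventhubs eventhub show -g "$RG" --namespace-name "$EH_NAMESPACE" -n "$EH_NAME" --query id -o tsv)
  az role assignment create --assignee-object-id "$principal_id" --assignee-principal-type ServicePrincipal \
    --role "Azure Event Hubs Data Receiver" --scope "$scope" >/dev/null

  # Audit: list any app setting whose value still embeds a SAS key; expect no output.
  az functionapp config appsettings list -g "$RG" -n "$FUNC_APP" \
    --query "[?contains(value, 'SharedAccessKey=')].name" -o tsv
}

# The az commands run only when APPLY=1 is set, so the helpers above can be exercised without an Azure login.
if [ "${APPLY:-0}" = "1" ]; then
  configure
fi
```

Role assignments can take a minute or two to propagate, so a trigger that fails with an authorization error right after running this usually only needs a retry.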

Add code to Azure Function App

From a coding perspective, nothing changes when using secretless configuration. The Azure Function code will be written exactly the same way as for configuration with secrets. So if you have already written Azure Function having configuration with secrets, then you would not need to change the actual code. The only change will be on the configuration side. This has already been mentioned under the section “Set up Azure Function App to process Event Hub Trigger”.

Besides the configuration, we have to ensure we are using the Azure Function Extension Libraries (Beta). The prerelease version of the “Microsoft Azure WebJobs SDK EventHubs Extension” NuGet package should be added to the Azure Function project.

Following Package Manager command can be used to install the package:

Install-Package Microsoft.Azure.WebJobs.Extensions.EventHubs -Version 5.0.0-beta.6

If Visual Studio is being used to develop Azure Function, then prerelease version of “Microsoft Azure WebJobs SDK EventHubs Extension” library should be added to Azure Function project as shown below:

Package setup

Complete code can be found at aka.ms/AAd4roz

Here is how the code looks:

using Azure.Messaging.EventHubs;
using Microsoft.Azure.WebJobs;
using Microsoft.Extensions.Logging;
using System;
using System.Collections.Generic;
using System.Linq;
using TwinsUpdateBetaFunctionApp.Model;

namespace TwinsUpdateBetaFunctionApp
{
    public static class TwinsUpdateBetaFunction
    {
        [FunctionName("TwinsUpdateBetaFunction")]
        public static void Run([EventHubTrigger("santacruz3203-digitaltwin-eventhub", Connection = "EventHubConnection")] EventData[] events, ILogger log)
        {
            var exceptions = new List<Exception>();
            foreach (EventData eventData in events)
            {
                try
                {
                    log.LogInformation($"Message received: {eventData.EventBody}");

                    // Deserialize the message into TwinMessage object. TwinMessage is a custom class representing the schema of Azure Digital Twins message.
                    TwinMessage twinMessage = eventData.EventBody.ToObjectFromJson<TwinMessage>();

                    // Here add your code to further process TwinMessage.

                    log.LogInformation($"Message processed");
                }
                catch (Exception e)
                {
                    exceptions.Add(e);
                }
            }

            if (exceptions.Count > 1)
                throw new AggregateException(exceptions);

            if (exceptions.Count == 1)
                throw exceptions.Single();
        }
    }
}

Let us take a look at the code.

  • The flow starts when the event hub triggers this function.
  • On the trigger we get an array of events.
  • For each event data item (part of the events array), we read the message body.
  • Each message body is deserialized (into a TwinMessage object in the code above) to get each data field.

The Azure Digital Twins Update Function App is where this flow ends, leaving an opening to bridge to other downstream systems. One example could be a frontend platform that displays the Azure Digital Twins update data in a view.

Conclusion

Azure SDK is adding capabilities to allow secretless configuration implementation. This is huge in terms of management of secrets. With Azure Function Extension Libraries (Beta), cloud architectures can be designed that use Azure AD for authentication without the need of maintaining secrets. In the post, we learned that it is possible to build an IoT system without secrets.

Azure SDK Blog Contributions

Thank you for reading this Azure SDK blog post! We hope that you learned something new and welcome you to share this post. We are open to Azure SDK blog contributions. Contact us at azsdkblog@microsoft.com with your idea and we’ll get you set up as a guest blogger.


Author

Muhammad Nabeel
Senior Customer Engineer

I’m a Senior Customer Engineer at Microsoft. I help customers in their journey to use the Azure platform to build solutions. I am based out of Orange County, CA. I love hiking and biking with my kids.
