cookbook.geuer-pollmann.de

Azure Web Apps


Last updated 3 years ago

Determine the slot in which we're running

Via incoming HTTP header

If your code in an Azure Web App for Linux needs to determine in which deployment slot it's running, then the incoming WAS-DEFAULT-HOSTNAME HTTP header seems to be the only reliable way. Also confirmed .

In the production slot, the value looks like this: someappname.azurewebsites.net. If you created a slot called stage1, then this header is someappname-stage1.azurewebsites.net. The absence of a suffix points to the production slot; otherwise the suffix gives the user-chosen slot name.

There's a second header called X_SITE_DEPLOYMENT_ID, but this one contains an identifier like someappname__f375, which isn't too helpful.

<h1>Server <?php echo htmlspecialchars($_SERVER['HTTP_WAS_DEFAULT_HOSTNAME'] ?? '', ENT_QUOTES, 'UTF-8'); ?></h1>

Via system-assigned managed identity

Another, certainly much clearer, way could be to use a system-assigned managed identity, assuming you assigned one to all deployment slots. If you fetch an access_token, the xms_mirid claim in the JWT contains the real instance ID, such as

  • "/subscriptions/.../resourcegroups/.../providers/Microsoft.Web/sites/someappname" for the production slot, or

  • "/subscriptions/.../resourcegroups/.../providers/Microsoft.Web/sites/someappname/slots/stage1" for the stage1 slot.

Fetching a managed-identity access_token from PHP in an Azure Web App for Linux

  • Inside Azure Web Apps for Linux, you can't simply query the instance metadata endpoint; you need a special endpoint taken from an environment variable: https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet#using-the-rest-protocol

  • Also, api-version must be a special one.

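<?php
  // Audience (resource) the token is requested for
  $resource = 'https://storage.azure.com/';
  // App Service provides the local token endpoint in IDENTITY_ENDPOINT
  $endpoint = $_ENV["IDENTITY_ENDPOINT"];
  $params = array('api-version' => '2019-08-01', 'resource' => $resource);
  $url = $endpoint . '?' . http_build_query($params);
  // IDENTITY_HEADER must accompany the request as X-IDENTITY-HEADER
  $headers = array(
      'Metadata: true',
      'X-IDENTITY-HEADER: ' . $_ENV['IDENTITY_HEADER']
  );

  $ch = curl_init();
  curl_setopt($ch, CURLOPT_URL, $url);
  curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  $response = curl_exec($ch);
  curl_close($ch);

  // curl_exec() returns false on transport errors; an error response has no access_token
  $response_json = ($response === false) ? null : json_decode($response);
  $access_token = $response_json->access_token ?? '';
?>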

<a href="https://jwt.ms/#access_token=<?php echo $access_token; ?>" target="_blank">
   See the JWT in https://jwt.ms
</a>
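
To get from the access_token fetched above to the slot name, the xms_mirid claim has to be read out of the JWT payload. The following is an added example, not code from the original page; the function names jwt_payload and slot_from_mirid, the label "production" for the no-slot case, and the sample token are assumptions constructed for illustration.

```php
<?php
// Added example (not the page author's code); function names are hypothetical.

// Decode the payload (second segment) of a JWT without verifying the signature.
// Acceptable here only because the app fetched the token itself from
// IDENTITY_ENDPOINT; never use this to validate a token supplied by a client.
function jwt_payload(string $jwt): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    // JWT segments are base64url without padding: map to base64 and re-pad.
    $b64 = strtr($parts[1], '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $json = base64_decode($b64, true);
    if ($json === false) {
        return null;
    }
    $claims = json_decode($json, true);
    return is_array($claims) ? $claims : null;
}

// Map an xms_mirid resource ID to a slot name.
// No /slots/<name> segment means the production slot.
function slot_from_mirid(string $mirid): ?string {
    $re = '#/providers/Microsoft\.Web/sites/([^/]+)(?:/slots/([^/]+))?$#i';
    if (!preg_match($re, $mirid, $m)) {
        return null; // not a Web App resource ID
    }
    return $m[2] ?? 'production';
}

// Constructed sample token: dummy header and signature, constructed claim value.
$claims = ['xms_mirid' => '/subscriptions/00000000-0000-0000-0000-000000000000'
    . '/resourcegroups/rg-demo/providers/Microsoft.Web/sites/someappname/slots/stage1'];
$segment = rtrim(strtr(base64_encode(json_encode($claims)), '+/', '-_'), '=');
$sample_token = 'e30.' . $segment . '.sig';

$payload = jwt_payload($sample_token);
$slot = slot_from_mirid($payload['xms_mirid'] ?? '');
echo $slot ?? 'unknown', "\n";
?>
```

In the web app, pass $access_token from the snippet above to jwt_payload() instead of the constructed sample token.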