Posted by ArielSimon 20 hours ago
It’s pretty clear if you check github that Azure’s services and documentation are written by distributed teams with little coordination. We have a saying in-house that the info is all in their docs, but the sentences and paragraphs for even trivial things are split across ten or fifteen articles.
I see a problem like granting */read in an innocuously named role and am left wondering if it was pragmatism, because figuring out least privilege was tough, or a junior who didn’t know better and was just trying to make progress.
I’m on a phone and can’t search git effectively, but I’d swear there was a comment or note on the golang implementation of msal saying that it used non-idiomatic go with no real support for many of the auth flows in v1 because it was written by an enthusiastic junior dev and released with little review. The modern version looks better, but I felt like I got a window into Azure back when I read that.
Building large services is hard, my hat is off that Microsoft is making it work, but sometimes we get to see that it’s just teams of developers doing it for them and those teams look a lot like the teams we work with every day. There’s no secret sauce, except that MS has the resources to iterate until the thing mostly works most of the time.
I've come to the same conclusion after dealing with (and reporting) jankiness in both the Azure (ARM) API and especially the CLI. [0] is a nice issue I look at every once in a while. I think an installed az cli is now 700 MB+ of Python code and different bundled python versions...
It would be a garbage fire in any language
Python is installed on most systems and easy to install when it's not. Only Azure is dumb enough to bundle it, and that was a complaint in the bug - there's no good reason to do so in this day and age.
The performance bottleneck in all three is usually the network communication - have you seen cases where the Python CLI app itself was using 100% of a CPU and slowing things down? I personally haven't.
Looking at the crazy way Azure packaged their CLI, it's hard to believe they weren't making it bloated on purpose.
Not on Windows.
And which Python are you talking about? I mean, Python3 is forward compatible but you're SoL if you have the bad luck of having an older interpreter installed and you want to run a script which uses a new construct.
You can say that for the APIs themselves. It's like every API call has 80% of the info I want, but the other 20% that logically belongs with that 80% has to come from multiple other API calls.
The one that annoys me on a daily basis is fetching the logs for a pipeline run. The endpoint is `_apis/build/builds/<id>/logs` and it returns a list of pipeline log objects without the task name that generated them. You get an object with these fields: `{"lineCount", "createdOn", "lastChangedOn", "id", "type", "url"}` but no mention of the pipeline stage that generated it, whether it's the build step, test run, publishing stage, etc. And those ids change (for example if you re-run a failed job, the unit tests may have ID 4 from the first run, and ID 17 for the second try), so you can't just rely on that.
And the pipeline log viewer on the website is garbage. When you click the link to view the logs it doesn't show you the logs it's collected already but starts showing new logs from that point forward and even for that, sometimes it truncates output and will skip lines. Somehow they managed to make trawling through logs even worse than it would normally be.
… it was written by an enthusiastic junior dev and released with little review
This feels true of so many Windows applications. Super rough POC that then gets released and locked into stone forever.
While totally plausible, that's kinda beside the point IMO. This shows regardless of how it happened, they don't have sufficient test coverage of these roles. Meaning built-in roles cannot be trusted.
I'm not sure I've ever heard of a shop adopting Azure on pure engineering merit but my anecdata are hardly exhaustive. It tends to be forced for weird business reasons (retailers mistrusting Amazon, data residency requirements, sweetheart credit deal, CIO convinced by Azure rep over golf).
Azure came late and decided by decree that they needed a Cloud thing and so various business units came together and offered up a "strategy" for how they could re-brand and re-market what they had into a "unified offering".
And so you get things like Azure blob storage with fixed limits on performance per bucket. There's nothing cloud about it. Not so much leaky abstractions as a bucket of water labelled "cloud".
I think that product managers are AWS' and GCP's unsung heroes. One of the best things about AWS is how in contrast everything is designed to integrate exceptionally well with everything in the AWS ecosystem, and all services are designed to be simple, kept simple, and kept backwards compatible even when subjected to major upgrades. Which are always seamless.
In contrast, can anyone explain why Azure has Table Storage but also Cosmos DB, and Cosmos DB is actually half a dozen storage services? Why isn't Table Storage also Cosmos DB, then? Table Storage shares SDKs with CosmosDB, too.
The same applies to messaging. You have Storage Queues, Service Bus queues, Event Hub, and Event Grid. Even when you ask Azure experts what's the difference between, say, Storage Queues and Service Bus Queues, the answer is never clear, simple, straightforward, or understandable.
It's a mess, and those who have to deal with it are left to navigate this mess.
It would be nice if they provided a simple setup configuration option for simple setups.
BUT all three of them (AWS, Azure and GCP) have pros and cons, so you just have to spend a good amount of time learning their quirks.
and too much string to hang yourself with
In my mind, "not well designed" would be "I cannot represent my security need in this policy language" versus the more common opinion "AWS IAM is a black box" means "I cannot understand why I am getting a 403"
GCP's IAM is, in this premise, not well designed because I cannot express ReadOnlyAccess in their policy language without having a constantly updating policy job, because they do not have wildcards in the Action as does AWS. Contrast `Action: ["s3:Get*"]` which would cheerfully include access to a future GetBucketV7 verb to GCP's "storage.buckets.get" which must always be specified, in full, and when storage2.buckets.get comes out, it's my job to find all references and patch them
It is, without any question. Even if you work at a Microsoft shop, the benefits you get from vertical integration aren't that clear. Azure requires a far greater cognitive load to handle and to make matters worse ultimately experiences far more outages.
There's another common fix, which is to apply a permission boundary to IAM roles. This allows the use of generic policies like "ReadOnlyAccess" but can then be further downscoped to resources by tag (or other similar ABAC schemes)
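Added example (not from any commenter in this thread) modelling the two points above: an IAM-style `Action` wildcard such as `s3:Get*` covers verbs that do not exist yet, a GCP-style enumerated permission set does not, and a permission boundary downscopes a generic read-only policy by intersection. The policies, bucket names and the GCP permission subset are constructed for illustration; the evaluation logic is a simplified model of the documented deny/allow/implicit-deny ordering, not the real evaluator.

```python
import re

# Constructed sample policies (not from the page), in the layout of IAM JSON
# policy statements: a read-only identity policy that relies on Action wildcards,
# and a permission boundary that narrows it to one bucket.
READ_ONLY_POLICY = [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
]
TEAM_BUCKET_BOUNDARY = [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::team-bucket", "arn:aws:s3:::team-bucket/*"]},
]

# GCP-style role: a literal, enumerated permission set with no wildcard support
# (constructed subset, not the real predefined role).
GCP_STORAGE_VIEWER = {"storage.buckets.get", "storage.objects.get", "storage.objects.list"}


def _glob(pattern, value, case_sensitive):
    """IAM-style matching: '*' is any run of characters, '?' any single one.
    Action names compare case-insensitively; resource ARNs compare exactly."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, value, flags) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _statement_applies(stmt, action, resource):
    return (any(_glob(a, action, False) for a in _as_list(stmt["Action"]))
            and any(_glob(r, resource, True) for r in _as_list(stmt["Resource"])))


def evaluate(statements, action, resource):
    """Decision for one policy document: an explicit Deny always wins, an Allow
    is needed for access, and a request matched by nothing is implicitly denied."""
    decision = "implicit_deny"
    for stmt in statements:
        if _statement_applies(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "deny"
            decision = "allow"
    return decision


def is_allowed(identity_policy, action, resource, boundary=None):
    """Effective permission is the intersection: the identity policy must allow
    the request AND, when a boundary is attached, the boundary must allow it too."""
    if evaluate(identity_policy, action, resource) != "allow":
        return False
    return boundary is None or evaluate(boundary, action, resource) == "allow"


def gcp_allowed(role_permissions, permission):
    """No wildcards: a permission is granted only if it is literally in the role."""
    return permission in role_permissions


if __name__ == "__main__":
    obj = "arn:aws:s3:::team-bucket/report.csv"
    print(is_allowed(READ_ONLY_POLICY, "s3:GetObject", obj))            # True
    print(is_allowed(READ_ONLY_POLICY, "s3:GetBucketV7", obj))          # True: future verb covered
    print(is_allowed(READ_ONLY_POLICY, "s3:GetObject",
                     "arn:aws:s3:::other/x", TEAM_BUCKET_BOUNDARY))     # False: outside boundary
    print(gcp_allowed(GCP_STORAGE_VIEWER, "storage2.buckets.get"))      # False: must be listed
```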
With Amazon, you are genuinely the customer. AWS may do many things in a bizarre or byzantine way, but it is constantly trying to be there for the developer in ways that many competitors in my opinion are not.
I will agree, and this is a general Microsoft problem spanning back to the 90s, some error messages aren't useful whatsoever. Others are clear and concise. I figure this is due to the different PGs following their own set of rules.
What pisses me off the most about Azure is how they designed it as the 90s view of what a cloud provider is. With Azure you don't just provision a VM or God forbid a web service. No no no. You need to provision an app service plan first, where you have to provision what computational resources you allocate to it, and then assign services and even gasp function-as-a-service apps. And even with FaaS stuff you don't just provision a handler. No, that would make too much sense. First you need to provision a function app running on your service plan, and you provision whatever azure functions you need as part of the function app. How much accidental complexity is that? Can't I just deploy an app or God forbid a function?
The same thing applies to storage, but it's even worse. You get your storage account, and you need to provision a storage account to be able to provision one or more blob storage containers, azure tables, even simple queues. But wait, you need a storage account to store data in a nosql service, but if you opt for the other nosql service then that's an entirely different thing. For that you can simply go ahead and create an account. You can use the same SDK for both? That's nice. Wait, why do they have two nosql services?
Azure, man. It exists to make every single alternative look good.
You certainly can do it in the way you've specified but I only see that as useful if you're provisioning multiple Web Services to point to a single App Service.
But to answer your question, yes you can "just" provision a Function or Web Service, the wizard walks you through it. The App Service behind the scenes is just details and not something you must interact with post-Function creation.
That's not a solution because deployment steps aren't a problem. The brain-dead aspect of Azure is how it forces users to handle the complexity of having to deal with provisioning and budgeting what computational resources are used to run a set of web apps. This doesn't even buy isolation. If I'm paying for cloud services, why on earth should I concern myself with how much RAM I need to share across N apps? It's absolutely brain dead.
When I ran public sites each received its own App Service, though they were provisioned via ARM template because that's what you do (or Terraform, etc) rather than get into the UI or manual CLI in an enterprise. All of these complaints you're bringing forth are a non-issue in a practical deployment.
You don't. You also do not have to share the same service plan with any other app service or function app. That's beside the point. The point is that Azure requires anyone who wants to run a god damned web service or even a single event handler to provision a bunch of infrastructure resources, just to be in a position to even consider deploying the thing.
I mean, you need to have both an Azure Service Plan and an Azure Storage Account to even consider deploying something serverless. Let that absurdity sink in.
In contrast, with AWS you just deploy the damned Lambda. That's it.
> (...) though they were provisioned via ARM template (...)
That is completely beside the point. It's irrelevant how any IaC offering turns any provisioning into a one-click affair. What's relevant is accidental complexity created by Azure for no reason at all. Go look at your ARM templates and count the number of resources you need to have there just to be able to run a single no-op event handler. It's stupid.
Quote: "Default hosting plan that provides true serverless hosting"
This one doesn’t require an app service plan.
Actually I like that offering, depending on your requirements you have several options to host your functions. That’s pretty great.
If they would offer just one kind of function app or one kind of storage solution people would complain that their very important edge case is not supported. For those simple requirements you can use cloudflare, vercel etc…
It requires a plan. You need to know what a plan is and what plan your azure functions are running on. Is it a consumption plan? Or is it a flex consumption plan?
I mean, you can run multiple function apps on the same plan. As a developer, you are required to know which plan a particular function app is running on, and be aware of the implications.
You see how brain dead it is?
You open vscode, install the Azure Functions extensions, walk through the wizard to pick your programming language and write the code. Then create and deploy it from vscode without ever leaving your IDE.
You are talking about something entirely different. Provisioning a function app is not the same as deploying the function app. How easy it is to upload a zip is immaterial to the discussion.
Edit: And yes, it will create every resource it needs if you want to, except for the subscription.
On top of having to have an Azure subscription, you need to provision:
- a resource group
- a service plan
- a function app
You do not get to skip those with azure.
And by the way, the only time anyone uses vscode to deploy an app, or even visual studio, is to work on personal projects or sandbox environments. Even so, you use the IDE to pick existing resources to deploy to.
All of this can easily be automated/cloned if it is something you do often. An RG is a collection of (hopefully) related resources. Plans and the App are provisioned together in the web UI wizard if that's the route you take.
I'm trying to educate you on the topic, but you seem to offer resistance.
I mean, I haven't even mentioned the fact that in order to be able to provision an azure function you are also forced to provision a storage account. As if the absurdity of the whole plan concept wasn't enough.
> All of this can easily be automated/cloned if it is something you do often.
Irrelevant. It's completely beside the point how you can automate deploying all those resources.
The whole point is that Azure follows an absurdly convoluted model that leaks and forces users to manage many layers of low-level infrastructure details even when using services that supposedly follow serverless computing models. I mean, why on earth would anyone have to provision a storage account to be able to deploy an Azure Function? Absurd.
Why do you care about a storage account so much?
https://learn.microsoft.com/en-us/azure/azure-functions/func...
Since you didn't know about the [Flex] Consumption plan, there's your education.
And as to why they require a storage account:
https://learn.microsoft.com/en-us/azure/azure-functions/stor...
Wallah, education!
At scale you'd IaC such as Bicep.
No, I wasn't. I was pointing out the fact that Azure follows an absurd, brain-dead model of what the cloud is, which needlessly and arbitrarily imposes layers of complexity without any reason.
Case in point: the concept of a service plan. It's straight up stupid to have a so-called cloud provider force customers to manage how many instances packing X RAM and Y vCPUs you need to have to run a function-as-a-service app, and then have to manage how that is shared with app services and other function apps.
Think about the backlash that AWS would experience if they somehow decided to force users to allocate EC2 instances to run lambda functions, and on top of that create another type of resource to group together lambdas to run on each EC2 instance.
To let the absurdity of that sink in, it's far easier, simpler, and much cheaper to just provision virtual private servers on a small cloud provider, stitch them together with a container orchestration service, and just deploy apps in there.
You're not forced to, you can use a consumption plan.
https://azure.microsoft.com/en-us/pricing/details/functions/...
Pray tell, what do you think is relevant in citing how many plans you can pick and choose from to just run a simple function? I mean, are you trying to argue that instead of one type of plan, you have to choose another type of plan?
But it disproves your point that you're "forced" to have an app service plan.
At this point you're simply arguing to argue after having been shown to be incorrect multiple times. Good luck.
You won’t get any benefits until you have dozens of instances of the same(ish) thing, and maybe not even then!
Especially in the dev stage it is perfectly fine to use the wizards in VS or VS Code.
The newer tooling around Aspire.NET and “azd up” makes this into true IaC with little effort.
Don’t overthink things!
PS: As a case in point I saw an entire team get bogged down for months trying to provision something through raw API calls that had ready-to-run script snippets in the docs and a Portal wizard that would have taken that team all of five minutes to click through… If they’re very slow with a mouse.
What's funny is you're completely backwards here. Microsoft has a much more modern view of the cloud than AWS where everything is a thin veneer over EC2. Azure started as PaaS first and AWS started as IaaS first and that fingerprint is still all over their products. Building everything in a VM is the most expensive and naive way to adopt the cloud. It's the main reason why complexity and costs blow up. You're building in the cloud wrong and somehow seemed to have missed that a consumption based Function app is the default option and doesn't require an App Service Plan.
Irrelevant. I don't care about either history or revisionism. I care about deploying apps/functions. In AWS each lambda function is a standalone resource, whereas in Azure you need to 1) provision an app service plan, 2) deploy a function app on said service plan, 3) deploy the actual function. It's nuts.
Same goes for storage. While in AWS you just go ahead and create an S3 bucket, on Azure you have to provision storage accounts and then provision a blob storage container.
> Building everything in a VM is the most expensive and naive way to adopt the cloud.
Azure is more expensive, harder to manage, even more impossible to estimate costs. Making claims about cost as if it makes Azure look good sounds completely crazy.
I recommend you spend a few minutes going through an intro tutorial on Azure Functions. A key topic on Azure Functions 101 is the concept of a plan and how to pick a hosting option. You can start by reading this link:
https://learn.microsoft.com/en-us/azure/azure-functions/func...
Once you read this link, you'll be aware that even in their so-called serverless plan that follows a "serverless billing model" you still have a plan tucked away where you can run multiple function apps in if you really want to.
Even if you pretend this doesn't exist, you need to ask yourself what is a plan and what does it matter to you and why do you care. Do you think that picking a plan does not factor as a concern in Azure?
You must be joking!
I was looking at various Container Registry products and looked up Azure's recently. It has the following limits (on the premium SKU!): 50Mbps upload, 100Mbps down
What sort of a cloud product has limits like this! What a clown show.
https://learn.microsoft.com/en-us/azure/container-registry/c...
Do they specify any SLA other than the minimums? If not, I'm sorry to tell you, but they only offer the minimum and anything over that is a pleasant surprise.
I think that Azure AD is literally built on top of Active Directory. That's what you need to do if your goal is to help your customers, who already used Active Directory, to seamlessly onboard onto their authentication system.
If you stop and think for a moment, you'd understand that it would be absurd not to do that. You have an army of institutional clients already using AD for everything. Are you going to force them to onboard onto another auth system after convincing them that AD suited all their needs?
Anyhow, they seem to try to distance themselves with their rebranding to Entra.
> Roles fucking inherit??? Like are you kidding me?
What do you think is wrong with that?
Wdym?
i tested the identity to make sure it couldn't do privilege escalation...still, wtf? it might be my own fault where i'm doing something wrong, but that shouldn't even be possible for somebody to create a managed identity that would inherit from other identities. i don't trust that it's ok and i shouldn't be spending time figuring out if it is, i expect tightly scoped identities to just work...
and
https://stackoverflow.com/questions/76618129/prevent-roles-f...
Especially regarding the SO question, I get the feeling that author is misunderstanding something.
Where exactly are you seeing what exactly that might imply some kind of inheritance chain?
You may have seen the identity's IAM page. It does not show roles assigned to the identity.
> Lower levels inherit role permissions from higher levels...When you assign a role at a parent scope, those permissions are inherited to the child scopes
https://learn.microsoft.com/en-us/azure/role-based-access-co...
so i guess this what you said is confidently wrong lmao like you couldn't even be more wrong:
> Then I'll lay it out: there is no inheritance at all. An identity does not inherit roles and it certainly does not inherit other identities.
i misspoke calling it "identity inheritance" and not "scope inheritance" tho my first comment said "role inheritance" but the fact that there is any sort of inheritance involved at all with my rbac roles is very poor design decision. and the fact that i can misunderstand this and spend hours of company time trying to understand it, and still failing....when this should be an intuitive, 101-level thing for cloud design. but nah i gotta spend time going through like ten different docs piecing together knowledge and pentest my own work and also argue with some guy on the internet who called himself adept at azure and doesn't know this either (which further proves my point!)
What I wrote is, in fact, accurate. An identity cannot inherit a role. It is simply impossible. What would it inherit from? The identity does not actually exist where it appears in the control plane (i.e. in a resource group). It exists in Entra ID (formerly Azure AD).
There is but one possibility for a newly created identity to actually have role assignments: Automation via policy. Now that I think about it, there might be another: assigning roles to special groups like "Authenticated users".
from the docs: https://learn.microsoft.com/en-us/azure/role-based-access-co...
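Added example (not from any commenter or from Microsoft's own code) modelling the scope inheritance the docs quote above describes: a role assigned at a management group, subscription or resource group scope applies to every child scope, so a principal with no assignment at a resource can still hold roles there. The management group, subscription id, resource names, principal names and assignments are constructed placeholders; only one management-group level is modelled.

```python
# Constructed sample data, not from the page: a management group, one subscription
# linked under it, a resource group and an Azure Function inside it, plus a few
# role assignments for two managed identities (all names are placeholders).
MG_ROOT = "/providers/Microsoft.Management/managementGroups/mg-root"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/rg-orders"
FUNC = RG + "/providers/Microsoft.Web/sites/func-orders"

# Subscription -> management group link (one level modelled; real hierarchies nest).
PARENT_OF_SUBSCRIPTION = {SUB.lower(): MG_ROOT}

ASSIGNMENTS = [
    {"principal": "mi-orders", "role": "Reader", "scope": MG_ROOT},
    {"principal": "mi-orders", "role": "Storage Blob Data Contributor", "scope": RG},
    {"principal": "mi-other", "role": "Contributor", "scope": SUB},
]


def _subscription_of(scope):
    """Subscription scope that a subscription-rooted scope belongs to, else None."""
    s = scope.lower()
    if not s.startswith("/subscriptions/"):
        return None
    return s.split("/resourcegroups/")[0].split("/providers/")[0]


def applies(assignment_scope, target_scope):
    """Scope inheritance: an assignment at a scope covers that scope and every
    child scope beneath it (subscription -> resource group -> resource -> child
    resource); management-group assignments reach the subscriptions under them.
    Azure scope ids are compared case-insensitively."""
    a, t = assignment_scope.lower(), target_scope.lower()
    if t == a or t.startswith(a + "/"):
        return True
    sub = _subscription_of(t)
    parent_mg = PARENT_OF_SUBSCRIPTION.get(sub) if sub else None
    return parent_mg is not None and parent_mg.lower() == a


def effective_roles(principal, target_scope, assignments=ASSIGNMENTS):
    """Every role the principal holds at target_scope, mapped to the scope
    where it was actually assigned (the inheritance source)."""
    return {a["role"]: a["scope"] for a in assignments
            if a["principal"] == principal and applies(a["scope"], target_scope)}


def direct_roles(principal, target_scope, assignments=ASSIGNMENTS):
    """Only assignments made at exactly this scope; inherited ones are invisible here."""
    return {a["role"]: a["scope"] for a in assignments
            if a["principal"] == principal and a["scope"].lower() == target_scope.lower()}


if __name__ == "__main__":
    print(direct_roles("mi-orders", FUNC))      # {} : looks unprivileged at the resource
    print(effective_roles("mi-orders", FUNC))   # Reader via the MG, Blob Contributor via the RG
```

Against a real tenant the corresponding check is `az role assignment list --assignee <principal> --all --include-inherited`; without `--include-inherited`, assignments made at parent scopes are not listed.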
https://www.lastweekinaws.com/blog/azures_vulnerabilities_ar...
This is from a few years ago but nothing seems to have changed. A cursory search of the Wiz blog with "Azure" reveals so many horrific (cross tenant, trivial to exploit) security vulnerabilities it's hard to imagine many people at Azure care about security. And that's just from one group of security researchers, from Wiz, there are others such as OP.
The main problem raised by the article is a governance failure.