Authentication not granted first 24 hours after Azure Container app Job event driven scaling

Richard Jansen 0 Reputation points
2025-03-05T09:22:05.4466667+00:00

When we deploy our Azure Container App job, for the first 24 hours the event-driven scaling rule doesn't have permission to look up messages on our Azure Service Bus queue. After that time, the info log in the Azure Container App jobs goes away and it starts working as intended.

Error details

KEDAScalerFailed
<Error><Code>401</Code><Detail>Authorization failed for specified action: Manage,EntityRead,Send,Listen.</Detail></Error> 

We are using Azure pipeline and Bicep to deploy our resources with RBAC assignment. One of the roles for our Azure Container App job is Azure Service Bus Data Owner.

Steps of deployment: we follow the steps for system-assigned managed identity from the documentation.

In our first infra deployment, we don't give permissions and set the trigger type to manual. In the second deployment, we grant permissions to the different resources and set the container trigger to event.

What I Need Help With:

  • Understanding how/why this happens
  • Reduce/minimize this time so after deployment of the resource and granting permissions of the resources, it will work directly
Azure Container Apps

1 answer

  1. Khadeer Ali 3,750 Reputation points Microsoft External Staff
    2025-03-05T11:04:10.37+00:00

    @Richard Jansen ,

    Thanks for reaching out. The issue with the Azure Container App not having permissions to access the Azure Service Bus Queue for the first 24 hours after deployment is likely due to RBAC role assignment propagation delay. When roles are assigned to a Managed Identity, it can take time for the permissions to become effective, causing the KEDAScalerFailed error.

    To reduce or eliminate this delay:

    • Pre-assign Permissions: Assign roles before deploying the Azure Container App Job. This ensures permissions are available earlier.
    • Use a User-Assigned Managed Identity (UAMI): Instead of a System-Assigned identity (which resets on deployment), use a User-Assigned identity so the roles persist.
    • Verify Role Assignment Before Running the Job.
    • Wait for Propagation: Add a loop in your deployment script to check if permissions are active before enabling event-driven scaling.

    These steps should help minimize the RBAC propagation delay and ensure the KEDA scaler works immediately after deployment.
    Hope this helps. Do let us know if you have any further queries.


    If this answers your query, do click Accept Answer and Yes for "Was this answer helpful." And if you have any further questions, let us know.
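
One way to script the "wait for propagation" loop from the answer above, as an added example that is not part of the original thread or of Microsoft's documentation. It polls `az role assignment list` until the job's identity shows the role, then runs the second deployment. The variables `JOB_NAME`, `RESOURCE_GROUP` and `SERVICEBUS_SCOPE`, the template `job.bicep` and its `triggerType` parameter are hypothetical placeholders. The check confirms the assignment is visible in Azure RBAC, not that Service Bus already accepts the identity's token.

```shell
#!/bin/sh
# Added example (not from the thread). JOB_NAME, RESOURCE_GROUP, SERVICEBUS_SCOPE,
# job.bicep and the triggerType parameter are hypothetical placeholders.

ROLE="Azure Service Bus Data Owner"   # role named in the question

# Succeeds when principal $1 holds $ROLE at scope $2, directly or inherited.
# This shows the assignment exists in Azure RBAC; it is not a data-plane test
# against Service Bus.
role_is_assigned() {
  count=$(az role assignment list --assignee "$1" --scope "$2" \
            --role "$ROLE" --include-inherited \
            --query "length(@)" -o tsv) || return 1
  [ "${count:-0}" -ge 1 ]
}

# Polls role_is_assigned up to $3 times (default 30), sleeping $4 seconds
# (default 10) between attempts. Returns non-zero if the role never appears.
wait_for_role() {
  max_tries="${3:-30}"; delay="${4:-10}"; i=1
  while [ "$i" -le "$max_tries" ]; do
    if role_is_assigned "$1" "$2"; then
      echo "role visible after $i check(s)"
      return 0
    fi
    sleep "$delay"
    i=$((i + 1))
  done
  echo "role not visible after $max_tries checks" >&2
  return 1
}

# Pipeline step: runs only when the placeholder variables are provided.
if [ -n "${JOB_NAME:-}" ]; then
  principal=$(az containerapp job show -n "$JOB_NAME" -g "$RESOURCE_GROUP" \
                --query identity.principalId -o tsv) || exit 1
  wait_for_role "$principal" "$SERVICEBUS_SCOPE" || exit 1
  # Second deployment: switch the job to the event trigger only after the check.
  az deployment group create -g "$RESOURCE_GROUP" \
    --template-file job.bicep --parameters triggerType=Event
fi
```

A non-zero exit from `wait_for_role` fails the pipeline step, so the event trigger is never enabled against an identity whose role assignment has not appeared.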
