Blog Post

Apps on Azure Blog
3 MIN READ

Troubleshooting Azure Functions Key Creation Failures

madhurabharadwaj's avatar
May 27, 2021

If you’re facing issues with Function App key creation, this document has a few troubleshooting tips that could help you fix it.

 

First, ensure you’ve reviewed these docs related to Function App storage connections:

Symptom:

Host level and Function level Key creation failure in Function Apps

 

Issue verification:

Portal - When your Function App is unable to create host level or function level keys, you may see these error messages:

 

 

 

 

AzCLI - If key creation fails with AzCLI, the error messages are as below:

 

 

 

In addition to this, Function execution could also be returning HTTP 401 (HTTP 500) in some cases.

 

Troubleshooting:

Function App keys are placed in the azure-webjobs-secrets folder in Blob Container. If this folder is missing, this could mean that the Function App is unable to connect to the storage account referenced by the Function App Application Setting “AzureWebJobsStorage”. This could happen either because of a network misconfiguration or because of an issue on the storage side. We will explore both these causes below.

 

  • Know the outbound Connectivity path for your Function App: Ensure the storage account referenced by the Function App Application Setting “AzureWebJobsStorage” is reachable from the Function App.
    • Does the storage account allow access to all networks? If not, what path do you expect the Function App to take to reach the Storage? (Internet/Virtual Network?)
  1. If you want the Function App to reach the storage account via its public IP, ensure the storage account allows all the IPs listed under outbound IPs in the Function App’s properties blade.
  2. If your App is integrated with a Virtual Network, ensure this subnet is allowed on the storage account firewall.

 

  • Missing WebJobs secrets folder?
    • Once you ensure network connectivity is present between the Function App and Storage, you should be able to see the azure-webjobs-secrets folder under Blob containers as seen below. If you don’t see this folder, it could be because of a missing Vnet integration.
    • I’ve seen cases where the Vnet & Subnet are allowed on the Storage Account Firewall but customers sometimes forget to actually integrate the App with the Vnet. This causes the secrets folder to be absent on the storage.
    • Also, ensure Service Endpoints/Private Endpoints are configured correctly.

 

  • Erroneous storage connection string?

 

  • Archived Blob Storage?
    • Check access tier for files inside azure-webjobs-secrets folder:

 

    • When a blob is in archive storage, the blob data is offline and can't be read or modified. To read or download a blob in archive, you must first rehydrate it to an online tier. You can't take snapshots of a blob in archive storage.

 

 

 

    • Solution: Rehydrated storage blobs to Hot - High priority mode. After about 75mins, the blobs will be ready with the modified access tier. Function Key creation will succeed now and the issue with HTTP 401 and HTTP 500 should be resolved.

 

I hope this helps! 

Updated May 27, 2021
Version 1.0
  • seadude's avatar
    seadude
    Copper Contributor

    Hello,

     

    I'm facing issues when trying to both Create a new Function Key and Delete a Function Key in staging Deployment Slots.

     

     

    Each Deployment Slot has 0% traffic when attempting to Create/Delete Key. Could you add a section to your guide for troubleshooting these instances?

    Thank you