Apps on Azure Blog

Use managed identity instead of AzureWebJobsStorage to connect a function app to a storage account

Bobi_Bao
Oct 24, 2022

In a function app, the Functions host normally connects to its storage account through the AzureWebJobsStorage app setting, which holds a connection string (that is, an account key). This post shows how to configure a function app to use an Azure Active Directory identity (its managed identity) instead of secrets or connection strings, where possible. Using an identity avoids accidentally leaking a long-lived shared secret, and gives better visibility into how data is accessed, because each request is authorized and logged against a specific identity rather than a key that anyone holding it can use.

The AzureWebJobsStorage__accountName shortcut used below assumes the public-cloud storage endpoints (*.core.windows.net). It will not work if the storage account is in a sovereign cloud or uses a custom DNS; in that case you must instead set AzureWebJobsStorage__blobServiceUri, AzureWebJobsStorage__queueServiceUri and AzureWebJobsStorage__tableServiceUri to the account's HTTPS service endpoints.

IMPORTANT! When running in a Consumption or Elastic Premium plan, your app uses the WEBSITE_CONTENTAZUREFILECONNECTIONSTRING and WEBSITE_CONTENTSHARE settings to connect to Azure Files on the storage account used by your function app. Azure Files doesn't support managed identity for accessing the file share, so that setting must keep a connection string. That is to say, if your function app runs on a Consumption or Elastic Premium plan, the only way to avoid the file-share connection string entirely is to delete the function app and recreate it on an App Service (Dedicated) plan, which does not use the file share. For more information, see Azure Files supported authentication scenarios.

The configuration steps are below.

1. In the function app, open Identity, switch the system-assigned managed identity on, and save. This creates a service principal for the app in Azure AD that you will grant storage roles to.

2. Grant the function app's identity access to the storage account. On the storage account, open Access Control (IAM), add a role assignment, search for Storage Blob Data Owner and select it, then assign it to the function app's managed identity (under Managed identity, choose Function App and pick your app). Scope the assignment to the storage account, not the subscription or resource group, so the identity gets no more than it needs.

3. If the app has a blob-triggered function, repeat step 2 to also assign the Storage Account Contributor and Storage Queue Data Contributor roles, which the blob trigger needs.

4. Return to Access Control (IAM), open Role assignments, and search for your function app name to confirm the roles were added. Role assignments can take a few minutes to propagate, so wait before proceeding if the host fails to start later.

5. Go back to the function app, select Configuration, and edit AzureWebJobsStorage: rename it to AzureWebJobsStorage__accountName and set its value to the storage account name only (no key, no connection string). The double underscore (__) is the hierarchy separator for application settings, so the host reads this as the accountName property of the AzureWebJobsStorage connection and switches to identity-based authentication.

6. Delete the old AzureWebJobsStorage setting and save (the app restarts). The function app keeps working, now authenticating to storage with its managed identity. If the host does not come up, check that the role assignments from steps 2 to 4 have propagated and that the identity holds Storage Blob Data Owner on this storage account.
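The same six steps as a script, added here as an example and not part of the original post. It uses the Azure CLI (az) instead of the portal; the resource group, function app and storage account names are placeholders, and the helper functions also cover the sovereign-cloud/custom-DNS note above by emitting the explicit service-URI settings whenever the storage endpoint suffix is not core.windows.net (for a custom DNS, pass your own suffix to host_storage_settings rather than reading it from az cloud show). Nothing talks to Azure unless RUN_AZ=1 is set, so the helpers can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example: Azure CLI equivalent of the six portal steps above (not the post's own code).
# RG/APP/SA are hypothetical placeholders; override them in the environment before running with RUN_AZ=1.
set -euo pipefail

RG="${RG:-rg-func-demo}"              # resource group (placeholder)
APP="${APP:-func-demo-app}"           # function app name (placeholder)
SA="${SA:-stfuncdemo}"                # storage account name (placeholder)
BLOB_TRIGGER="${BLOB_TRIGGER:-0}"     # 1 if the app has a blob-triggered function (step 3)

# Roles the Functions host needs on the storage account: step 2 always, step 3 only for a blob trigger.
required_roles() {
  printf '%s\n' "Storage Blob Data Owner"
  if [ "$1" = "1" ]; then
    printf '%s\n' "Storage Account Contributor" "Storage Queue Data Contributor"
  fi
}

# Step 4 as a check: print every required role missing from the assigned-role list read on stdin.
# grep reads all input (no -q) so pipefail never sees a SIGPIPE from the producer.
missing_roles() {
  local assigned role
  assigned="$(cat)"
  required_roles "$1" | while IFS= read -r role; do
    printf '%s\n' "$assigned" | grep -xF "$role" >/dev/null || printf '%s\n' "$role"
  done
}

# Step 5: settings that replace AzureWebJobsStorage. With the public-cloud suffix the short
# accountName form is enough; for a sovereign cloud or custom DNS the host cannot derive the
# endpoints from the name, so the explicit blob/queue/table service URIs are emitted instead.
host_storage_settings() {
  local account="$1" suffix="${2:-core.windows.net}" svc
  if [ "$suffix" = "core.windows.net" ]; then
    printf 'AzureWebJobsStorage__accountName=%s\n' "$account"
  else
    for svc in blob queue table; do
      printf 'AzureWebJobsStorage__%sServiceUri=https://%s.%s.%s\n' "$svc" "$account" "$svc" "$suffix"
    done
  fi
}

main() {
  local principal scope role missing suffix
  # Step 1: enable the system-assigned identity and capture its object (principal) id.
  principal="$(az functionapp identity assign -g "$RG" -n "$APP" --query principalId -o tsv)"
  scope="$(az storage account show -g "$RG" -n "$SA" --query id -o tsv)"

  # Steps 2-3: role assignments scoped to this storage account only (least privilege).
  required_roles "$BLOB_TRIGGER" | while IFS= read -r role; do
    az role assignment create --assignee-object-id "$principal" \
      --assignee-principal-type ServicePrincipal --role "$role" --scope "$scope" -o none
  done

  # Step 4: verify before touching app settings; assignments can take minutes to propagate.
  missing="$(az role assignment list --scope "$scope" --assignee "$principal" \
               --query '[].roleDefinitionName' -o tsv | missing_roles "$BLOB_TRIGGER")"
  if [ -n "$missing" ]; then
    echo "roles not yet visible on $SA, retry shortly:"; echo "$missing"; exit 1
  fi

  # Steps 5-6: add the identity-based setting(s) first, then remove the connection string,
  # so the app is never left without a usable host-storage setting.
  suffix="$(az cloud show --query suffixes.storageEndpoint -o tsv)"
  # shellcheck disable=SC2046  # intentional word splitting: one KEY=VALUE per line
  az functionapp config appsettings set -g "$RG" -n "$APP" -o none \
    --settings $(host_storage_settings "$SA" "$suffix")
  az functionapp config appsettings delete -g "$RG" -n "$APP" -o none \
    --setting-names AzureWebJobsStorage

  # Caveat from the post: on Consumption/Elastic Premium the Azure Files mount still needs a key.
  if az functionapp config appsettings list -g "$RG" -n "$APP" \
       --query "[?name=='WEBSITE_CONTENTAZUREFILECONNECTIONSTRING'].name" -o tsv | grep . >/dev/null; then
    echo "note: WEBSITE_CONTENTAZUREFILECONNECTIONSTRING still holds a connection string (Azure Files has no managed-identity support)"
  fi
}

if [ "${RUN_AZ:-0}" = "1" ]; then
  main
fi
```

Run it as RUN_AZ=1 RG=<group> APP=<app> SA=<account> BLOB_TRIGGER=1 ./switch-to-identity.sh after az login. The role check after step 4 deliberately fails fast when the assignments are not yet visible, which is the usual reason the host still cannot start right after the switch; rerun after a minute. The old AzureWebJobsStorage is deleted only after the new setting is in place, and the final check surfaces the file-share connection string that the post says cannot be removed on Consumption or Elastic Premium plans.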


Updated Jul 08, 2024
Version 3.0

56 Comments

  • Bobi_Bao Thanks for your answer. Do you know when we will be able to use WEBSITE_CONTENTAZUREFILECONNECTIONSTRING with managed identities? Because 
    the whole point of using https://docs.microsoft.com/en-us/azure/azure-functions/functions-identity-based-connections-tutorial#use-managed-identity-for-azurewebjobsstorage-preview was to avoid using a secret for Azure Storage. If we can remove the secret for AzureWebJobsStorage but have to keep the same secret in other settings used by the Consumption plan, it's a shame.

  • Bobi_Bao

    Hi Alexandre Nedelec, although both AzureWebJobsStorage and WEBSITE_CONTENTAZUREFILECONNECTIONSTRING point to the storage account, that doesn't mean they have the same effect. WEBSITE_CONTENTAZUREFILECONNECTIONSTRING is only used in the Consumption plan and the Elastic Premium plan. Besides, WEBSITE_CONTENTSHARE and WEBSITE_CONTENTAZUREFILECONNECTIONSTRING are both essential for the normal scaling of the dynamic plans. AzureWebJobsStorage__accountName can only replace AzureWebJobsStorage.

  • ershadnozari

    Is this possible using a User-Assigned Managed Identity? I posted a question around this on StackOverflow a while back: https://stackoverflow.com/questions/73456357/user-assigned-managed-identity-for-function-app-to-access-its-own-hosting-stor

  • I use exactly that for a Function App I have. I replaced the setting AzureWebJobsStorage with AzureWebJobsStorage__accountname and removed WEBSITE_CONTENTAZUREFILECONNECTIONSTRING, which also contains the connection string to the storage account. However, I get a warning message because the WEBSITE_CONTENTAZUREFILECONNECTIONSTRING setting is needed for the Azure Files mounting that Azure Functions uses at the platform layer. However, having it implies using the secret connection string for the storage, and the whole point of using https://docs.microsoft.com/en-us/azure/azure-functions/functions-identity-based-connections-tutorial#use-managed-identity-for-azurewebjobsstorage-preview was to avoid using a secret for Azure Storage. This https://github.com/Azure/azure-functions-host/issues/8135#issuecomment-1040879695 says that Azure Files does not support using AAD identities for SMB mounting. So my question is: when is it planned to be supported? Is it already the case and I'm missing something?