As we are aware, Azure Files currently does not support identity-based connections. This means that even if we can use identity-based host connections to replace the AzureWebjobsStorage, which uses a SAS token, we still cannot remove the file share connection strings (WEBSITE_CONTENTAZUREFILECONNECTIONSTRING) that also rely on a SAS token. Therefore, we are unable to disable the SAS token in the storage account.
For now, when creating function apps in the consumption/EP plan, we have the option to create an app without Azure File. In this scenario, we can bypass the SAS token requirement for Azure Files and solely utilize managed identity to access the storage account.
To run your app without relying on Azure file share, you need to fulfill the following requirements:
1. Deploy your package to a remote Azure Blob storage container.
2. Set the URL that grants access to the package as the WEBSITE_RUN_FROM_PACKAGE app setting.
This approach allows you to store your app content in Blob storage, which does support managed identities, instead of Azure Files.
Now let's see how to replace the file share and SAS token connection in a consumption/EP function app.
1. To create a function app without a file share, you can uncheck the "Add an Azure Files connection" option under the "Storage" panel when creating the function app through the Azure Portal.
2. After the creation, navigate to the function app and enable the System Assigned identity.
3. Go to the Storage account and navigate to IAM. Assign the Storage Blob Data contributor role to the function app.
4. Create a new blob container to store your function app's zip package and copy the URL of the file.
5. Now, return to the function app and proceed with replacing the SAS token. Navigate to Environment variables and modify the AzureWebjobsStorage to AzureWebJobsStorage__accountname, setting its value to the storage account name. Then, set the app to run from the URL by adding the app setting WEBSITE_RUN_FROM_PACKAGE and setting its value to the file URL copied in the previous step.
6. Please note that when specifying a URL for the app to read, you must manually sync triggers after publishing an updated package. You can sync triggers using one of the following methods:
- Call `https://{functionappname}.azurewebsites.net/admin/host/synctriggers?code=<API_KEY>` using the master key.
- Call `https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>/providers/Microsoft.Web/sites/<FUNCTION_APP_NAME>/syncfunctiontriggers?api-version=2016-08-01`. Replace the placeholders with your subscription ID, resource group name, and the name of your function app. This request requires an access token in the Authorization request header.
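The same procedure as an Azure CLI script, added here as an example rather than code from the original post. It assumes step 1 was already done in the portal (the app exists without an Azure Files connection), that you are signed in with `az login`, and that `app.zip` in the working directory is your deployment package; the resource names are passed in as arguments.

```shell
#!/bin/sh
# Added example: az CLI equivalent of steps 2-6 of the post.
set -eu

# Blob URL used for WEBSITE_RUN_FROM_PACKAGE. No SAS token is appended:
# the app's managed identity reads the package.
package_url() {            # $1 storage account, $2 container, $3 blob name
  printf 'https://%s.blob.core.windows.net/%s/%s' "$1" "$2" "$3"
}

# ARM sync-triggers endpoint from step 6 (second method).
sync_triggers_url() {      # $1 subscription id, $2 resource group, $3 function app
  printf 'https://management.azure.com/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Web/sites/%s/syncfunctiontriggers?api-version=2016-08-01' "$1" "$2" "$3"
}

deploy_without_sas() {     # $1 subscription, $2 resource group, $3 app, $4 storage account, $5 container
  sub=$1; rg=$2; app=$3; sa=$4; container=$5
  # Step 2: turn on the system-assigned identity and capture its object id
  principal=$(az functionapp identity assign -g "$rg" -n "$app" --query principalId -o tsv)
  # Step 3: data-plane role on the storage account only (least privilege: scope = this account)
  sa_id=$(az storage account show -g "$rg" -n "$sa" --query id -o tsv)
  az role assignment create --assignee-object-id "$principal" \
    --assignee-principal-type ServicePrincipal \
    --role "Storage Blob Data Contributor" --scope "$sa_id"
  # Step 4: create the container and upload the package with your own Entra identity (no key, no SAS)
  az storage container create --account-name "$sa" -n "$container" --auth-mode login
  az storage blob upload --account-name "$sa" -c "$container" -n app.zip -f app.zip --auth-mode login
  url=$(package_url "$sa" "$container" app.zip)
  # Step 5: identity-based host storage + run from package; remove the SAS-based AzureWebJobsStorage
  az functionapp config appsettings set -g "$rg" -n "$app" \
    --settings "AzureWebJobsStorage__accountName=$sa" "WEBSITE_RUN_FROM_PACKAGE=$url"
  az functionapp config appsettings delete -g "$rg" -n "$app" --setting-names AzureWebJobsStorage
  # Step 6: sync triggers through ARM; az rest attaches the bearer token for you
  az rest --method post --url "$(sync_triggers_url "$sub" "$rg" "$app")"
}

# Only touch Azure when explicitly asked, e.g.:
#   RUN_DEPLOY=1 ./deploy.sh <subscription-id> <resource-group> <function-app> <storage-account> <container>
if [ "${RUN_DEPLOY:-0}" = "1" ]; then
  deploy_without_sas "$@"
fi
```

Re-run the script after every package update so the new blob is picked up and triggers are re-synced.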