As we are aware, Azure Files currently does not support identity-based connections. This means that even if we can use identity-based host connections to replace the AzureWebjobsStorage, which uses a SAS token, we still cannot remove the file share connection strings (WEBSITE_CONTENTAZUREFILECONNECTIONSTRING) that also rely on a SAS token. Therefore, we are unable to disable the SAS token in the storage account.
For now, when creating function apps in the consumption/EP plan, we have the option to create an app without Azure File. In this scenario, we can bypass the SAS token requirement for Azure Files and solely utilize managed identity to access the storage account.
To run your app without relying on Azure file share, you need to fulfill the following requirements:
1. Deploy your package to a remote Azure Blob storage container.
2. Set the URL that grants access to the package as the WEBSITE_RUN_FROM_PACKAGE app setting.
This approach allows you to store your app content in Blob storage, which does support managed identities, instead of Azure Files.
Now let's see how to proceed replace file share and SAS token conncetion in consumption/EP function app.
1. To create a function app without a file share, you can uncheck the "Add an Azure Files connection" option under the "Storage" panel when creating the function app through the Azure Portal.
2. After the creation, navigate to the function app and enable the System Assigned identity.
3. Go to the Storage account and navigate to IAM. Assign the Storage Blob Data contributor role to the function app.
4. Create a new blob container to store your function app's zip package and copy the URL of the file.
5. Now, return to the function app and proceed with replacing the SAS token. Navigate to Environment variables and modify the AzureWebjobsStorage to AzureWebJobsStorage__accountname, setting its value to the storage account name. Then, set the app to run from the URL by adding the app setting WEBSITE_RUN_FROM_PACKAGE and setting its value to the file URL copied in the previous step.
6. Please note that when specifying a URL for the app to read, you must manually sync triggers after publishing an updated package. You can sync triggers using one of the following methods:
- Restart your function app in the Azure portal.
- Send an HTTP POST request to
https://{functionappname}.azurewebsites.net/admin/host/synctriggers?code=<API_KEY>
using the master key. - Send an HTTP POST request to
https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>/providers/Microsoft.Web/sites/<FUNCTION_APP_NAME>/syncfunctiontriggers?api-version=2016-08-01
. Replace the placeholders with your subscription ID, resource group name, and the name of your function app. This request requires an access token in theAuthorization
request header.