In a function app, usually we use appsetting AzureWebJobsStorage to connect to storage. This blog shows you how to configure a function app using Azure Active Directory identities instead of secrets or connection strings, where possible. Using identities helps you avoid accidentally leaking sensitive secrets and can provide better visibility into how data is accessed.
This will not work if the storage account is in a sovereign cloud or has a custom DNS.
IMPORTANT! When running in a Consumption or Elastic Premium plan, your app uses the WEBSITE_AZUREFILESCONNECTIONSTRING
and WEBSITE_CONTENTSHARE
settings when connecting to Azure Files on the storage account used by your function app. Azure Files doesn't support using managed identity when accessing the file share. That is to say, if your functio app is running on Consumption/EP, plan, you can only delete and recreate function app on app service plan to avoid using File Share. For more information, see Azure Files supported authentication scenarios
Below are the steps to do configuration.
1. Enable system assigned identity in your function app and save it.
2. Give storage access to your function app. Search for Storage Blob Data Owner, select it.
3. If you configure a blob-triggered function app, repeat the step 2 to add Storage Account Contributor and Storage Queue Data Contributor roles which will be used for blob trigger.
4. Return to Access Control (IAM), click Role assignments, search for your function app name to confirm the roles are added successfully.
5. Navigate to your function app. Select Configuration and edit AzureWebJobsStorage. Change the name to AzureWebJobsStorage__accountname. Change the value to your storage account name. (The new setting uses a double underscore (__
), which is a special character in application settings.)
6. Delete the previous AzureWebJobsStorage. Then you will find your function app still works fine.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.