Use User managed identity to replace connection string in"AzureWebJobsStorage" for function apps
Published Aug 03 2023 08:26 PM 7,217 Views
Microsoft

Managing the connectivity between the function app and the storage account is crucial as the Azure Function runtime is stored in the Azure storage account. In case of a disconnection, you might run into common errors such as "Azure Functions runtime is unreachable". Fortunately, Microsoft has a helpful guide to address this issue, which provides self-help troubleshooting steps for recovering your storage account in case of such errors. You can check it out here: https://learn.microsoft.com/en-us/azure/azure-functions/functions-recover-storage-account.

 

Previously, the only way to grant the permission for an Azure Function to access its runtime in a storage account was via the connection string in "azurewebjobsstorage" configuration. However, a new and more secure approach exists for granting a function app access to the storage account without compromising sensitive information. This method involves leveraging a "managed identity" to replace the connection string used in "azurewebjobsstorage". By adopting this approach, you can ensure that secrets remain private while still granting necessary permissions for the function app to operate seamlessly.

 

We already have detailed instructions available for replacing the connection string in "azurewebjobsstorage" using a "system-assigned identity". The tutorial can be found here: https://learn.microsoft.com/en-us/azure/azure-functions/functions-identity-based-connections-tutoria.... It's worth noting that both "system-assigned" and "user-assigned" identities are supported in this scenario. For those who prefer to use a "user-assigned" identity to replace the connection string, here are the instructions:

 

Instructions:

a. Prepare a user-assigned identity and copy client id for later use.

denniszheng_4-1691117598709.png

b. Grant “Storage Blob Data Owner” for the identity in storage account.

denniszheng_5-1691117612563.png

c. Assigned user-assigned identity to the function app.

denniszheng_6-1691117666427.png

d. Add 3 corresponding appSettings.

AzureWebJobsStorage__accountName = Storage account name (System assigned identity only need this setting.)

AzureWebJobsStorage__clientId = Client id of user assigned identity.

AzureWebJobsStorage__credential = managedidentity

denniszheng_7-1691117703290.png

 

Then it is done. You would be able to run your function app correctly without “AzureWebJobsStorage”.

 

1 Comment
Co-Authors
Version history
Last update:
‎Aug 03 2023 08:43 PM
Updated by: