Joergson
Copper Contributor
Mar 20, 2024

Deploy an Azure Function from Azure DevOps when Shared Access Key is disabled

Hello everyone,

We are currently trying to switch from accessing storage accounts via Keys to Managed Identities.

The Azure Function itself can connect and runs properly.

However, the deployment from Azure DevOps with a Service Connection fails.

First of all, if we enable Shared Access Key, the deployment works.

Our Service Connection (or its Service Principal equivalent) does have the roles "Storage Blob Data Owner" and "Storage Account Contributor" on the storage account, which is associated with the Azure Function.

These are the logs in Azure DevOps:

2024-03-20T11:10:56.9288532Z ##[section]Starting: Azure Function App Deploy: ...
2024-03-20T11:10:56.9397034Z ==============================================================================
2024-03-20T11:10:56.9397175Z Task         : Azure Functions Deploy
2024-03-20T11:10:56.9397264Z Description  : Update a function app with .NET, Python, JavaScript, PowerShell, Java based web applications
2024-03-20T11:10:56.9397401Z Version      : 2.231.1
2024-03-20T11:10:56.9397470Z Author       : Microsoft Corporation
2024-03-20T11:10:56.9397543Z Help         : https://aka.ms/azurefunctiontroubleshooting
2024-03-20T11:10:56.9397646Z ==============================================================================
2024-03-20T11:10:57.7755053Z Got service connection details for Azure App Service:'myfunction'
2024-03-20T11:10:59.9048911Z NOTE: Function app is VNet integrated.
2024-03-20T11:11:00.3281392Z Updating App Service Application settings. Data: {"WEBSITE_RUN_FROM_PACKAGE":"1"}
2024-03-20T11:11:00.3281938Z Deleting App Service Application settings. Data: ["WEBSITE_RUN_FROM_ZIP"]
2024-03-20T11:11:00.3282701Z App Service Application settings are already present.
2024-03-20T11:12:16.1360522Z Validating deployment package for functions app before Zip Deploy
# Note the 16 minutes gap in the log
2024-03-20T11:28:45.9140232Z Package deployment using ZIP Deploy initiated.
2024-03-20T11:30:04.8196594Z ##[error]Failed to deploy web package to App Service.
2024-03-20T11:30:04.8205941Z ##[warning]Can't find loc string for key: KuduStackTraceURL
2024-03-20T11:30:04.8208831Z ##[error]KuduStackTraceURL https://$...-default:***@x....scm.azurewebsites.net/api/vfs/LogFiles/kudu/trace
2024-03-20T11:30:04.8210755Z ##[error]Error: Error: Failed to deploy web package to App Service. Internal Server Error (CODE: 500)
2024-03-20T11:30:05.5800401Z Successfully added release annotation to the Application Insight : ...
2024-03-20T11:30:13.9691627Z App Service Application URL: https://...
2024-03-20T11:30:14.0217051Z ##[section]Finishing: Azure Function App Deploy: ...

 

When connecting to the scm website, the mentioned log files do not exist.

Going to the portal and checking the Deployment Center logs, I get "No deployments found. If you have just configured CI/CD, refresh logs to find the latest deployments.".

Any ideas why this is not working? What roles or permissions does my service connection need to deploy via managed identity?

  • Senthil
    Copper Contributor

    Joergson

    To troubleshoot the issue with your Azure DevOps pipeline using a Service Connection with a Managed Identity to deploy to an Azure Function that connects to a storage account, consider the following:

    1. Verify Managed Identity Permissions: Ensure that the Managed Identity used by your Azure Function has the necessary permissions on the storage account. At minimum, the Managed Identity should have the Storage Blob Data Contributor role on the storage account.

    2. Check Azure DevOps Service Connection: Confirm that your Azure DevOps Service Connection is configured to use the Managed Identity. In the Service Connection settings, select the "Use managed identity" option and choose the appropriate Managed Identity.

    3. Review Azure Function Configuration: Double-check the configuration of your Azure Function to ensure that it is correctly using the Managed Identity to access the storage account. If you are using environment variables or configuration settings, make sure they are set correctly.

    If the issue persists, you may also want to check the Azure Function logs for any errors or warnings that could indicate the cause of the deployment failure.

    • ehsanmnsor
      Microsoft

      Senthil

      It doesn't seem to work - service connection is using MI and still getting the same error
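
For the configuration review in step 3 of Senthil's answer, the following is an added example (not part of the thread and not Microsoft's code) that classifies a function app's settings by whether they reach storage with a key or with an identity. The function name `audit_storage_settings` and the sample values are constructed; the setting names are the ones Azure Functions uses for key-based and identity-based storage connections.

```python
import json

# Constructed sample, in the JSON shape printed by
# `az functionapp config appsettings list` (array of name/value objects).
SAMPLE_SETTINGS = json.loads("""[
  {"name": "AzureWebJobsStorage", "value": "DefaultEndpointsProtocol=https;AccountName=examplestorage;AccountKey=PLACEHOLDER;EndpointSuffix=core.windows.net"},
  {"name": "AzureWebJobsStorage__accountName", "value": "examplestorage"},
  {"name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING", "value": "@Microsoft.KeyVault(SecretUri=https://example.vault.azure.net/secrets/content)"},
  {"name": "WEBSITE_RUN_FROM_PACKAGE", "value": "1"}
]""")

# Substrings that mark a connection string as depending on the account key or a SAS.
KEY_MARKERS = ("accountkey=", "sharedaccesssignature=")
# Suffixes of identity-based connection settings (no secret in the value).
IDENTITY_SUFFIXES = ("__accountname", "__blobserviceuri", "__queueserviceuri", "__tableserviceuri")
# Settings that normally hold a storage connection string.
CONNECTION_SETTINGS = {"azurewebjobsstorage", "website_contentazurefileconnectionstring"}


def audit_storage_settings(settings):
    """Classify app settings by how they authenticate to storage (hypothetical helper)."""
    report = {"key_based": [], "identity_based": [], "opaque": []}
    for item in settings:
        name = item["name"]
        value = str(item.get("value") or "")
        if any(marker in value.lower() for marker in KEY_MARKERS):
            report["key_based"].append(name)
        elif name.lower().endswith(IDENTITY_SUFFIXES):
            report["identity_based"].append(name)
        elif name.lower() in CONNECTION_SETTINGS and value.startswith("@Microsoft.KeyVault("):
            # Key Vault reference: the secret is not visible here, inspect it separately.
            report["opaque"].append(name)
    # Heuristic only: true when nothing key-based or unresolved was found
    # and at least one identity-based setting is present.
    report["no_key_dependency"] = (
        not report["key_based"] and not report["opaque"] and bool(report["identity_based"])
    )
    return report


if __name__ == "__main__":
    print(json.dumps(audit_storage_settings(SAMPLE_SETTINGS), indent=2))
```

Any name reported under `key_based` or `opaque` is a setting that may stop working once Shared Access Key is disabled on the storage account.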
