You want to connect your blob-triggered function to a storage account, but you don’t want to put your connection string or secrets into the configuration. Prior to Azure Blobs extension 5.0.0, a connection string was your only option, but not anymore. With these later versions you can connect to your storage account using a managed identity. Here are the simple steps involved to make this happen.
We have the following resources that we are using to demonstrate this setup.
Azure Function, v4, with a managed identity. You will just need to make sure you are using Azure Blobs extension version 5.0.0 or later. For C# you can install this extension using NuGet tools (Visual Studio) or the .NET Core CLI (Visual Studio Code); if you are using a non-.NET language, the extension bundles are recommended. You will need at least bundle version 3.x, which contains the 5.x versions of the extensions. You can see which extensions are in bundle version 3.x from the extensions file.
Storage Account with a container
In our example we will be using a different storage account than the one that is created with our function by default. That one is usually denoted as the ‘AzureWebJobsStorage’ account in the configuration. As a side note, you can also connect to that storage account using a managed identity. You can find the documentation for that here, as well as a blog on that specific subject here.
Azure Function App
You will need to make sure you have a function app created that you can use. How it is created does not matter; however, you do need to ensure a few of the settings are appropriately configured. First, you need to ensure the system-assigned managed identity is enabled. You will also need to update the storage account connection setting so that its name matches the connection name in your trigger.
Please see the Step-by-Step below to see this in action, but the convention for this setting is ‘<CONNECTION_NAME>__serviceUri’. If this is a new function, you can add the new setting using the CONNECTION_NAME you have configured in your code, but if it is an existing function that is using a connection string, you will want to replace that connection string with this new setting. If you want to dig deeper into the details, check out the full document on setting up identity-based connections for Azure Blob storage triggers.
Just like for the function, this can be any storage account with a container created. In our example we have a container called test.
You will also need to make sure you grant the appropriate permissions to the managed identity within the storage account. For our example we will need Storage Blob Data Owner and Storage Queue Data Contributor, since we are using the trigger binding. If you are using different bindings, you can check the permissions you need to grant in the documentation. We will go over this in detail in the Step-by-Step below.
How to test
Go out to the storage account and the container that you’ve set up (test in our case) and upload a file. Once the file is uploaded, go over to the Log Stream in the Azure Function App (or the Log Stream of the specific Azure Function) and watch for the logs to show it being processed. Please see the Step-by-Step below for a screenshot of what this looks like.
Enable System Assigned Managed Identity on Function App
Add the following roles to the Storage Account Access Control (IAM): Storage Blob Data Owner and Storage Queue Data Contributor
Go to the Access Control (IAM) blade of the Storage Account, click the +Add dropdown and select ‘Add role assignment’
Search for the role you are trying to assign; in our case you will have to do this one role at a time. Select the role and it will take you to the Members screen.
Now select Managed identity and click the +Select members link and that will open up the ‘Select managed identities’ blade on the right side of the screen.
Choose your options here: the Subscription should be filled out for you, but you will want to select ‘Function App’ for Managed identity, which will filter the list down to function app identities. Select the function we are working on and hit save at the bottom of this blade.
This will take you back to the ‘Add role assignment’ screen to review your selections. If all looks good then click Review + assign.
Make sure to complete these steps for each role and then go to the Role assignments tab of the Access Control (IAM) blade and you should see your roles added like this:
Go back to your function app, then select Configuration and update the Storage Account connection in App Settings by renaming the ‘<CONNECTION_NAME>’ setting to ‘<CONNECTION_NAME>__serviceUri’; the value should then be the blob storage URI: https://<storage_account_name>.blob.core.windows.net
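To check that this step (and the setting convention described above) actually took, here is an added audit script that is not part of the original post or of the Azure Functions project. It takes app settings in the shape of the JSON array that `az functionapp config appsettings list` prints, confirms that each trigger connection name has a ‘<CONNECTION_NAME>__serviceUri’ setting pointing at an https blob endpoint, and flags any leftover setting that still carries an AccountKey or SAS. The sample settings, the connection name `MyBlobConnection` and the account names are constructed for the example; the host check assumes the public-cloud `*.blob.core.windows.net` endpoint form used in this post.

```python
import json
from urllib.parse import urlparse

# Constructed sample in the shape of `az functionapp config appsettings list`
# output. Names, account names and the (already redacted) key are illustrative.
SAMPLE_APP_SETTINGS = json.dumps([
    {"name": "FUNCTIONS_EXTENSION_VERSION", "value": "~4", "slotSetting": False},
    {"name": "AzureWebJobsStorage",
     "value": "DefaultEndpointsProtocol=https;AccountName=funcstore;AccountKey=REDACTED==;EndpointSuffix=core.windows.net",
     "slotSetting": False},
    # Old connection-string setting that was never removed after the migration.
    {"name": "MyBlobConnection",
     "value": "DefaultEndpointsProtocol=https;AccountName=datastore;AccountKey=REDACTED==;EndpointSuffix=core.windows.net",
     "slotSetting": False},
    {"name": "MyBlobConnection__serviceUri",
     "value": "https://datastore.blob.core.windows.net", "slotSetting": False},
    # Identity-based setting with the wrong scheme.
    {"name": "OtherConnection__serviceUri",
     "value": "http://otherstore.blob.core.windows.net", "slotSetting": False},
])

# Substrings that mean a setting value embeds a shared key or SAS token.
SECRET_MARKERS = ("AccountKey=", "SharedAccessSignature=", "sig=")


def load_app_settings(json_text: str) -> dict:
    """Turn the CLI-style list of {name, value} objects into a name -> value dict."""
    return {item["name"]: item["value"] for item in json.loads(json_text)}


def service_uri_setting(connection_name: str) -> str:
    """Setting name for an identity-based connection: '<CONNECTION_NAME>__serviceUri'."""
    return f"{connection_name}__serviceUri"


def blob_service_uri(account_name: str) -> str:
    """Blob endpoint for a public-cloud storage account, the form used in the post."""
    return f"https://{account_name}.blob.core.windows.net"


def looks_like_connection_string(value: str) -> bool:
    """True when a setting value carries an account key or SAS, i.e. a secret."""
    return any(marker in value for marker in SECRET_MARKERS)


def check_service_uri(value: str) -> list:
    """Return the problems found with a __serviceUri value (empty list means fine)."""
    problems = []
    parsed = urlparse(value)
    if parsed.scheme != "https":
        problems.append("scheme must be https")
    host = parsed.hostname or ""
    if not host.endswith(".blob.core.windows.net"):   # assumption: public-cloud endpoint
        problems.append("host is not a *.blob.core.windows.net blob endpoint")
    if parsed.path not in ("", "/") or parsed.query or parsed.fragment:
        problems.append("value must be the service root, not a container or SAS URL")
    return problems


def audit_connection(settings: dict, connection_name: str) -> dict:
    """Audit one trigger connection name against the loaded app settings."""
    uri_value = settings.get(service_uri_setting(connection_name))
    legacy_value = settings.get(connection_name)
    result = {
        "connection": connection_name,
        "identity_based": uri_value is not None,
        "uri_problems": check_service_uri(uri_value) if uri_value is not None else [],
        # The post says to replace the connection string, so a leftover is a finding.
        "leftover_secret": legacy_value is not None and looks_like_connection_string(legacy_value),
    }
    result["ok"] = (result["identity_based"] and not result["uri_problems"]
                    and not result["leftover_secret"])
    return result


def find_secret_settings(settings: dict) -> list:
    """Names of all settings whose value embeds an account key or SAS."""
    return sorted(name for name, value in settings.items()
                  if looks_like_connection_string(value))


if __name__ == "__main__":
    loaded = load_app_settings(SAMPLE_APP_SETTINGS)
    for name in ("MyBlobConnection", "OtherConnection"):
        print(audit_connection(loaded, name))
    print("settings still holding secrets:", find_secret_settings(loaded))
```

Run it against the real output of `az functionapp config appsettings list` by replacing `SAMPLE_APP_SETTINGS` with that JSON and passing each `Connection` name from your trigger attributes to `audit_connection`; a connection only reports `ok` when the `__serviceUri` setting is present and well-formed and no secret-bearing setting of the same name remains.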
Test your function by going to the storage account and selecting your container (test in our case).
Click the upload button which will allow you to upload a file from your computer.
This will open the ‘Upload blob’ blade on the right. Drag and drop files or browse for them on your computer and hit the ‘Upload’ button.
Now you can go back to your function app and go to the Log Stream blade and watch the function process your blob.
That's it! You've successfully configured an identity-based connection to Azure Blob storage for your Azure Function. If you have any questions, please comment below.