Host level and Function level Key creation failure in Function Apps
Portal - When your Function App is unable to create host level or function level keys, you may see these error messages:
AzCLI - If key creation fails with AzCLI, the error messages are as below:
In addition, Function execution may also return HTTP 401 (or HTTP 500) in some cases.
Function App keys are stored in the azure-webjobs-secrets folder in the Blob container. If this folder is missing, the Function App may be unable to connect to the storage account referenced by the Function App Application Setting “AzureWebJobsStorage”. This can happen either because of a network misconfiguration or because of an issue on the storage side. We will explore both of these causes below.
Know the outbound Connectivity path for your Function App: Ensure the storage account referenced by the Function App Application Setting “AzureWebJobsStorage” is reachable from the Function App.
Does the storage account allow access to all networks? If not, what path do you expect the Function App to take to reach the Storage? (Internet/Virtual Network?)
If you want the Function App to reach the storage account via its public IP, ensure the storage account allows all the IPs listed under outbound IPs in the Function App’s properties blade.
If your App is integrated with a Virtual Network, ensure this subnet is allowed on the storage account firewall.
Missing WebJobs secrets folder?
Once you ensure network connectivity is present between the Function App and Storage, you should be able to see the azure-webjobs-secrets folder under Blob containers as seen below. If you don’t see this folder, it could be because of a missing Vnet integration.
I’ve seen cases where the Vnet & Subnet are allowed on the Storage Account Firewall but customers sometimes forget to actually integrate the App with the Vnet. This causes the secrets folder to be absent on the storage.
Also, ensure Service Endpoints/Private Endpoints are configured correctly.
When a blob is in archive storage, the blob data is offline and can't be read or modified. To read or download a blob in archive, you must first rehydrate it to an online tier. You can't take snapshots of a blob in archive storage.
Solution: Rehydrate the storage blobs to Hot in High priority mode. After about 75 minutes, the blobs will be ready with the modified access tier. Function key creation will then succeed, and the issue with HTTP 401 and HTTP 500 should be resolved.
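The network checks and the archive-tier check described above can be run together against saved JSON. This is an added example, not code from the original post: it assumes the dictionaries mirror the output of `az storage account show`, `az functionapp show` and `az storage blob list` for the azure-webjobs-secrets container, and all sample values and the finding codes are constructed for illustration.

```python
import ipaddress

def diagnose(storage, app, secret_blobs):
    """Return (code, detail) findings for the failure causes covered on this page."""
    findings = []
    rules = storage.get("networkRuleSet") or {}
    if rules.get("defaultAction") == "Deny":  # storage firewall restricts access
        allowed_subnets = {r["virtualNetworkResourceId"].lower()
                           for r in rules.get("virtualNetworkRules", [])}
        subnet = (app.get("virtualNetworkSubnetId") or "").lower()
        if subnet and subnet not in allowed_subnets:
            findings.append(("SUBNET_NOT_ALLOWED", subnet))
        if not subnet:
            if allowed_subnets:
                # Subnet is allowed on the firewall, but the app was never integrated.
                findings.append(("NO_VNET_INTEGRATION", sorted(allowed_subnets)))
            # Without VNet integration the app reaches storage from its outbound IPs.
            nets = [ipaddress.ip_network(r["ipAddressOrRange"], strict=False)
                    for r in rules.get("ipRules", [])]
            outbound = [ip.strip() for ip in
                        (app.get("outboundIpAddresses") or "").split(",") if ip.strip()]
            blocked = [ip for ip in outbound
                       if not any(ipaddress.ip_address(ip) in n for n in nets)]
            if blocked:
                findings.append(("OUTBOUND_IP_NOT_ALLOWED", blocked))
    if not secret_blobs:
        findings.append(("SECRETS_FOLDER_MISSING", "azure-webjobs-secrets"))
    # Archived key blobs are offline and cannot be read or modified.
    archived = [b["name"] for b in secret_blobs
                if (b.get("properties") or {}).get("blobTier") == "Archive"]
    if archived:
        findings.append(("ARCHIVED_KEY_BLOBS", archived))
    return findings

# Constructed sample data (placeholder subscription, documentation IP ranges).
SUBNET = ("/subscriptions/0000/resourceGroups/rg/providers/"
          "Microsoft.Network/virtualNetworks/vnet/subnets/func")
STORAGE = {"networkRuleSet": {
    "defaultAction": "Deny",
    "ipRules": [{"ipAddressOrRange": "203.0.113.0/28"}],
    "virtualNetworkRules": [{"virtualNetworkResourceId": SUBNET}]}}
APP_NOT_INTEGRATED = {"outboundIpAddresses": "203.0.113.5,198.51.100.7",
                      "virtualNetworkSubnetId": None}
APP_INTEGRATED = dict(APP_NOT_INTEGRATED, virtualNetworkSubnetId=SUBNET)
ARCHIVED_BLOBS = [{"name": "myapp/host.json", "properties": {"blobTier": "Archive"}}]

if __name__ == "__main__":
    for code, detail in diagnose(STORAGE, APP_NOT_INTEGRATED, []):
        print(code, detail)
```

A private endpoint path is not modelled here, so a SUBNET_NOT_ALLOWED finding only applies when the app is expected to reach storage through a service endpoint.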