Joe Eng

Reputation: 1214

Managed Identity w/Azure Functions and Storage accounts

What is the appropriate way to use managed identity with Azure Functions and Storage accounts if the AzureWebJobsStorage app setting is required by the function host? Is there a managed identity version of the storage account connection string that doesn't include the access key?

Upvotes: 3

Views: 1317

Answers (2)

Rob Bowman

Reputation: 8711

It is now possible to configure a function app to authenticate with its storage account via managed identity.

Full details are available here

In summary, in the app settings for the function app:

  • delete setting for "AzureWebJobsStorage"
  • create a new app setting named "AzureWebJobsStorage__accountName"
  • the value of the new setting should be the name of the storage account

Ensure the function app has "Storage Blob Data Owner" role over the storage account. If the function app uses the storage account's queue (e.g. queue binding) then it will also need "Storage Queue Data Contributor" role.

Upvotes: 3

PramodValavala

Reputation: 6647

While you can't use Managed Identity to authenticate to the storage account directly, you can store the access key in Key Vault and fetch it from there using Key Vault References using Managed Identity.

Just wanted to share this because I believe it's great to use KeyVault References instead of directly using access keys in the app settings.

Upvotes: 2
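An added example (not from either answer or from Microsoft's documentation): a Python check that sorts a function app's host storage configuration into the three cases discussed on this page, namely a raw access key in `AzureWebJobsStorage`, a Key Vault reference, or the identity-based `AzureWebJobsStorage__accountName` setting with its role assignments. It assumes the inputs have the JSON shape printed by `az functionapp config appsettings list` and `az role assignment list`; the function name, severity labels and sample values are constructed for illustration.

```python
BLOB_ROLE = "Storage Blob Data Owner"          # role named in the first answer
QUEUE_ROLE = "Storage Queue Data Contributor"  # only needed when queues are used


def audit_host_storage(app_settings, role_assignments, uses_queues=False):
    """Return (severity, message) findings for the host storage configuration.

    app_settings:     list of {"name": ..., "value": ...} objects
    role_assignments: list of {"roleDefinitionName": ...} objects for the
                      app's identity, scoped to the storage account
    """
    cfg = {s["name"]: s.get("value") or "" for s in app_settings}
    roles = {r.get("roleDefinitionName") for r in role_assignments}
    conn = cfg.get("AzureWebJobsStorage")
    account = cfg.get("AzureWebJobsStorage__accountName")
    findings = []

    if conn is not None:
        if conn.startswith("@Microsoft.KeyVault("):
            findings.append(("INFO", "connection string is a Key Vault reference; "
                                     "an account key still exists and needs rotation"))
        elif "accountkey=" in conn.lower():
            findings.append(("HIGH", "access key stored directly in AzureWebJobsStorage"))
        if account:
            findings.append(("WARN", "AzureWebJobsStorage is still set next to "
                                     "AzureWebJobsStorage__accountName"))
    if account:
        if BLOB_ROLE not in roles:
            findings.append(("HIGH", f"identity lacks '{BLOB_ROLE}'"))
        if uses_queues and QUEUE_ROLE not in roles:
            findings.append(("HIGH", f"identity lacks '{QUEUE_ROLE}'"))
    if conn is None and not account:
        findings.append(("HIGH", "no host storage setting found"))
    return findings


# Constructed sample inputs (not real accounts or keys).
KEY_BASED = [{"name": "AzureWebJobsStorage",
              "value": "DefaultEndpointsProtocol=https;AccountName=examplestore;"
                       "AccountKey=<redacted>;EndpointSuffix=core.windows.net"}]
KEYVAULT_REF = [{"name": "AzureWebJobsStorage",
                 "value": "@Microsoft.KeyVault(SecretUri=https://example-vault"
                          ".vault.azure.net/secrets/storage-conn/)"}]
IDENTITY_BASED = [{"name": "AzureWebJobsStorage__accountName", "value": "examplestore"}]
BLOB_ONLY = [{"roleDefinitionName": BLOB_ROLE}]

if __name__ == "__main__":
    for label, cfg in [("key", KEY_BASED), ("kv", KEYVAULT_REF), ("mi", IDENTITY_BASED)]:
        print(label, audit_host_storage(cfg, BLOB_ONLY, uses_queues=True))
```
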
