Reputation: 17
I have written a script for function app and its storage account creation using Terraform.
I had shared access key enabled for the storage account, but on the Azure portal, in Security, it shows that the function app should access the storage account via managed identity, not via shared access key.
So I made changes in my script:
- storage_uses_managed_identity in function app
- AzureWebJobsStorage__accountName
- storage blob data contributor role in storage account

But still it is unable to connect.
Can someone suggest what other changes can be made so that connectivity can be established? When I check in App Insights, it also shows an exception.
Upvotes: 1
Views: 1304
Reputation: 21
I hope this will help you. For me it works well.
resource "azurerm_windows_function_app" "this" {
  # .....................
  storage_uses_managed_identity = true
  storage_account_name          = var.storage_account_name

  identity {
    type = "SystemAssigned"
  }

  app_settings = {
    "WEBSITE_CONTENTSHARE"                     = var.storage_account_file_share_name
    "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING" = var.storage_account_connection_string
    "FUNCTIONS_EXTENSION_VERSION"              = var.functions_extension_version
    "FUNCTIONS_WORKER_RUNTIME"                 = var.functions_worker_runtime
  }
}
And don't forget to create the role assignment resource.
resource "azurerm_role_assignment" "this" {
  scope                = var.storage_account_id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = azurerm_windows_function_app.this.identity[0].principal_id
}
Upvotes: 2
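A complete, self-contained version of the configuration discussed above, as an added example that is not part of the original posts. It assumes the azurerm provider 3.x or later and a dedicated (App Service) plan, so the Azure Files content-share settings are left out; every resource name in it is constructed.

```hcl
# Added example with constructed names. Assumes azurerm provider 3.x or later and a
# dedicated (App Service) plan, so no WEBSITE_CONTENT* settings are included.
resource "azurerm_resource_group" "example" {
  name     = "rg-func-mi-example"
  location = "westeurope"
}

resource "azurerm_storage_account" "example" {
  name                     = "stfuncmiexample"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_service_plan" "example" {
  name                = "asp-func-mi-example"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  os_type             = "Windows"
  sku_name            = "B1"
}

resource "azurerm_windows_function_app" "example" {
  name                = "func-mi-example"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  service_plan_id     = azurerm_service_plan.example.id

  # Host storage by identity: these two arguments are used instead of
  # storage_account_access_key.
  storage_account_name          = azurerm_storage_account.example.name
  storage_uses_managed_identity = true

  identity {
    type = "SystemAssigned"
  }

  site_config {}
}

# Data-plane role for the app's system-assigned identity, scoped to the one account.
resource "azurerm_role_assignment" "func_blob" {
  scope                = azurerm_storage_account.example.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = azurerm_windows_function_app.example.identity[0].principal_id
}
```

Role assignments can take a few minutes to take effect, so restart the function app and re-check Application Insights after the apply has settled.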
Reputation: 8694
To connect an Azure Function App with a Storage account using Managed Identity:
Storage Account => Access Control (IAM) => Add Role Assignment
I have followed the above-mentioned steps and was able to connect the Function App with the Storage Account.
References:
Use managed identity instead of AzureWebJobsStorage to connect a function app to a storage account
Upvotes: 0