WEBSITE_CONTENTAZUREFILECONNECTIONSTRING as keyvault reference makes deployment fail
Deployment failed. Correlation ID: f171c78c-ad28-4426-aea4-cd9ae0bf57e9. {
  "Code": "BadRequest",
  "Message": "The parameter 'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING' has an invalid value. Details: Cannot specify key vault references not referencing User Assigned Identity on Create Site.",
  "Target": null,
  "Details": [
    {
      "Message": "The parameter 'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING' has an invalid value. Details: Cannot specify key vault references not referencing User Assigned Identity on Create Site."
    },
    {
      "Code": "BadRequest"
    },
    {
      "ErrorEntity": {
        "ExtendedCode": "01033",
        "MessageTemplate": "The parameter '{0}' has an invalid value. Details: {1}.",
        "Parameters": [
          "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
          "Cannot specify key vault references not referencing User Assigned Identity on Create Site"
        ],
        "Code": "BadRequest",
        "Message": "The parameter 'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING' has an invalid value. Details: Cannot specify key vault references not referencing User Assigned Identity on Create Site."
      }
    }
  ],
  "Innererror": null
}
Per comment here: https://github.com/Azure/azure-functions-host/issues/5306#issuecomment-696561132
Currently - WEBSITE_CONTENTAZUREFILECONNECTIONSTRING as a key vault reference is not supported for creation, it can only be the full connection string. Then, it can be updated to use key vault references
@mhoeger - If we are trying to only use ARM templates to accomplish the configuration of the App Function, I am trying to figure out how to update the WEBSITE_CONTENTAZUREFILECONNECTIONSTRING with Key Vault reference after the initial deployment. I tried using this immediately after creating the function app:
{
  "name": "[concat(variables('functionAppName'), '/appsettings')]",
  "type": "Microsoft.Web/sites/config",
  "apiVersion": "2020-09-01",
  "dependsOn": [
    "[concat('Microsoft.Web/sites/', variables('functionAppName'))]"
  ],
  "properties": {
    "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('appServiceStorageAccountKeyId'), '2019-09-01').secretUriWithVersion, ')')]"
  }
}
However, I get this error even though I have a User Assigned Identity associated to the function app and the original creation step successfully created other settings with Key Vault references:
{ "status": "Failed", "error": { "code": "BadRequest", "message": "Unable to resolve Azure Files Settings from Key Vault. Details: Attempt to resolve AppSettingKey WEBSITE_CONTENTAZUREFILECONNECTIONSTRING resulted with status: MSINotEnabled.", "details": [ { "message": "Unable to resolve Azure Files Settings from Key Vault. Details: Attempt to resolve AppSettingKey WEBSITE_CONTENTAZUREFILECONNECTIONSTRING resulted with status: MSINotEnabled." }, { "code": "BadRequest" }, {} ] } }
What other option do we have?
Figured out my error on applying app settings after function app deployment
Hi, is there an ETA on this issue? I am deploying a consumption plan based function app and am unable to perform a swap slot due to missing args in the app settings:
Error: BadRequest - Storage access failed. WEBSITE_CONTENTAZUREFILECONNECTIONSTRING or WEBSITE_CONTENTSHARE appsetting is missing (CODE: 400)
What would be the workaround for deploying using yml?
Hi,
This is a real issue. I am not able to reference keyvault in ARM/Bicep template function app env settings:
{ name: 'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING' value: '@Microsoft.KeyVault(SecretUri=
I am having the same problem: I cannot create a deployment slot off the main app if the app settings are using a key vault reference. I already tried 'allowing trusted Microsoft services' (ARM included) to bypass network restrictions and to enable the key vault for ARM deployments.
Maybe, using bicep, there is a way to execute an "update-setting-with-key-vault-ref" command immediately after deployment?
Currently - WEBSITE_CONTENTAZUREFILECONNECTIONSTRING as a key vault reference is not supported for creation, it can only be the full connection string. Then, it can be updated to use key vault references
Will this be fixed? Or should we implement the workaround as a solution?
Unable to resolve Azure Files Settings from Key Vault. Details: Unable to resolve setting: WEBSITE_CONTENTAZUREFILECONNECTIONSTRING with error: AccessToKeyVaultDenied. I am also facing the same issue while setting functionapp appsetting from key vault using syntax '@Microsoft.KeyVault(SecretUri=https://${keyVaultName}${az.environment().suffixes.keyvaultDns}/secrets/${funcAppWebJobStorageName})
I received a slightly different error, but it's still an issue.
Failed to update web app settings: Unable to resolve Azure Files Settings from Key Vault. Details: Unable to resolve setting: WEBSITE_CONTENTAZUREFILECONNECTIONSTRING with error: MSINotEnabled.
I was just trying to enable it directly in the portal.
Currently - WEBSITE_CONTENTAZUREFILECONNECTIONSTRING as a key vault reference is not supported for creation, it can only be the full connection string. Then, it can be updated to use key vault references
Is this still the case? I am having this issue now.
Afaik yes. But there is a way if you can live with some limitations regarding scaling.
You can solely rely on the managed identity of your function app to connect to the host storage (there are docs for this). Even during creation this will work. In my case I even deactivated host key access to the storage account altogether, which renders plain-text connection strings unusable. If you want to do this, leave the following two settings out of your deployment template and assign the proper RBAC permissions as laid out in the docs.
WEBSITE_CONTENTAZUREFILECONNECTIONSTRING
WEBSITE_CONTENTSHARE
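The identity-based setup described in the comment above, sketched in Bicep as an added example that is not part of the original thread or any participant's template. Parameter names, API versions and the choice of a system-assigned identity are assumptions; the role assigned is the built-in Storage Blob Data Owner, which the Azure Functions documentation lists for an identity-based AzureWebJobsStorage connection.

```bicep
// Added example; parameter names and API versions are assumptions.
param location string = resourceGroup().location
param appName string
param storageName string
param planId string // resource ID of an existing App Service plan

// Built-in role "Storage Blob Data Owner"
var blobDataOwnerRoleId = 'b7e6dc6d-f1ca-4622-ba6f-ed3d40a8e2be'

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageName
}

resource app 'Microsoft.Web/sites@2022-09-01' = {
  name: appName
  location: location
  kind: 'functionapp'
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    serverFarmId: planId
    httpsOnly: true
    siteConfig: {
      appSettings: [
        {
          // Identity-based host storage: account name only, no key or connection string
          name: 'AzureWebJobsStorage__accountName'
          value: storage.name
        }
        {
          name: 'FUNCTIONS_EXTENSION_VERSION'
          value: '~4'
        }
        // WEBSITE_CONTENTAZUREFILECONNECTIONSTRING and WEBSITE_CONTENTSHARE are
        // deliberately absent, so no Key Vault reference has to resolve at create time.
      ]
    }
  }
}

resource hostStorageAccess 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  scope: storage
  name: guid(storage.id, app.id, blobDataOwnerRoleId)
  properties: {
    principalId: app.identity.principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', blobDataOwnerRoleId)
  }
}
```

Azure Files does not accept a managed identity for the content share, so this layout only suits apps that can run without one, which is the scaling limitation the comment mentions.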
Would setting WEBSITE_SKIP_CONTENTSHARE_VALIDATION to 1 work?
https://learn.microsoft.com/en-us/azure/azure-functions/functions-app-settings#website_skip_contentshare_validation