
Storage issue with managed identity for AzureWebJobsStorage

Open TechWatching opened this issue 2 years ago • 2 comments

(There is no way to open an issue on https://github.com/azure/azure-functions-ux, the "issues tab" is not enabled. That is why I am creating this issue here.)

When using managed identity for AzureWebJobsStorage, there is a warning on the portal indicating the storage is not configured properly.


I guess the portal checks that there is the AzureWebJobsStorage setting in the Function configuration. But with managed identity enabled, the setting used is AzureWebJobsStorage__accountName.

This warning makes us think something is wrong even if everything works perfectly. It should check that one of the 2 settings is set instead.

TechWatching avatar Mar 27 '22 21:03 TechWatching

Just came across this answer after creating the issue.

@mattchenderson do you know when Azure Files will support managed identity so that AzureWebJobsStorage__accountName will be enough? I don't want to be rude, but it seems to me that without that the promise of removing secrets from the configuration of Function App running on Windows with the Consumption Plan is not fulfilled. That's a bit disappointing.

I was also wondering about the Storage Account Contributor role you mentioned that was needed. My Function seems to work fine just with the Storage Blob Owner Role. So I was wondering if the contributor role was still needed.

TechWatching avatar Mar 27 '22 21:03 TechWatching

Hi @mattchenderson Do you have any inputs on this?

Ved2806 avatar Jul 26 '22 06:07 Ved2806

Hi @TechWatching Are you still facing this issue?

Ved2806 avatar Aug 25 '22 15:08 Ved2806

I am still facing this issue, yes. The answer I linked above explains why it's a problem. I don't know if anything has been implemented or when it will be implemented to make everything work.

TechWatching avatar Aug 25 '22 15:08 TechWatching

Hi @TechWatching Please refer to issue #2244 and let us know if it helped. Thanks.

Ved2806 avatar Aug 25 '22 16:08 Ved2806

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.

msftbot[bot] avatar Aug 29 '22 18:08 msftbot[bot]

@Ved2806 It does not. The issue you mentioned is about localsettings.json. My issue is with the portal : function_storage

The problem is already mentioned in a comment of this closed issue. From my understanding, the WEBSITE_CONTENTAZUREFILECONNECTIONSTRING setting is needed for Azure Files mounting which is used by Azure Functions at the platform layer. However, having this implies using a secret, and the whole point of using Managed Identity for Azure Storage was to avoid using a secret for Azure Storage. The comment says that Azure Files does not support using AAD identities for SMB mounting, so my question is when it is planned to be supported. It seems something is missing here.

TechWatching avatar Aug 29 '22 19:08 TechWatching

@TechWatching The Azure Files team would be best equipped to field that request. https://feedback.azure.com is probably the best place - I thought an item for that existed there already but am having trouble finding it at the moment. We have requested this of them internally as well.

My recommendation in general is to keep Azure Files on function apps if you need it / are concerned about the scaling impact mentioned there, but at least manage that value within Key Vault. That moves the secret away from the function app configuration at the very least.

Regarding the Storage Account Contributor, that should only be needed if you are using a blob trigger, I believe. The account metadata needs to be read to handle the $logs collection used for managing the trigger state.

mattchenderson avatar Aug 31 '22 17:08 mattchenderson
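
An added example (not part of the thread and not the portal's code): a Python check over the JSON array printed by `az functionapp config appsettings list` that accepts either host storage setting, as the issue proposes, and reports whether the Azure Files connection string is an inline secret or a Key Vault reference, as recommended above. The sample settings and the account name are constructed; `AzureWebJobsStorage__blobServiceUri` is a documented alternative that the thread does not mention.

```python
import json
import re

# Key Vault reference syntax for App Service / Functions app settings.
KV_REF = re.compile(r"^@Microsoft\.KeyVault\((SecretUri=|VaultName=).+\)$")
# Connection strings that embed an account key or SAS token.
INLINE_SECRET = re.compile(r"(AccountKey|SharedAccessSignature)=", re.IGNORECASE)
# Identity-based host storage settings (no secret in the value).
IDENTITY_KEYS = ("AzureWebJobsStorage__accountName", "AzureWebJobsStorage__blobServiceUri")
FILES_KEY = "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING"


def classify(value):
    """Classify one setting value by how it carries (or avoids) a secret."""
    value = (value or "").strip()
    if not value:
        return "absent"
    if KV_REF.match(value):
        return "keyvault-ref"
    if INLINE_SECRET.search(value):
        return "inline-secret"
    return "unrecognized"


def audit(settings_json):
    """Audit the JSON array printed by `az functionapp config appsettings list`."""
    settings = {s["name"]: s.get("value") for s in json.loads(settings_json)}
    host = classify(settings.get("AzureWebJobsStorage"))
    if host == "absent":
        # Accept either form, as the issue asks the portal to do.
        has_identity = any((settings.get(k) or "").strip() for k in IDENTITY_KEYS)
        host = "identity" if has_identity else "missing"
    return {"host_storage": host, "azure_files": classify(settings.get(FILES_KEY))}


# Constructed sample: identity-based host storage, Azure Files still on a key.
SAMPLE = json.dumps([
    {"name": "AzureWebJobsStorage__accountName", "value": "examplestore"},
    {"name": FILES_KEY, "value": "DefaultEndpointsProtocol=https;"
     "AccountName=examplestore;AccountKey=PLACEHOLDER;EndpointSuffix=core.windows.net"},
])

if __name__ == "__main__":
    print(audit(SAMPLE))
```
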

Hi @TechWatching, Does this answer your question? Can we close it as resolved?

Ved2806 avatar Sep 29 '22 14:09 Ved2806

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.

msftbot[bot] avatar Oct 03 '22 15:10 msftbot[bot]