
Missing documentation on accessing multiple storage accounts with managed identity

Open noontz opened this issue 2 years ago • 2 comments

It is very difficult (impossible for me) to figure out if multiple storage accounts can be accessed from an Azure Function using managed identity.

Despite following the documentation I have been able to find, I still get a 403 when trying to access the storage account from an Azure Function with the documented setup for RBAC. As per the docs, the IAM on the storage accounts is set to Blob Storage Owner / Reader for the function.

Public network access is enabled from all networks to the storage account to exclude this as an issue.

I have not been able to find a tutorial or documentation on granting access to multiple storage accounts. The only hands-on guide I could find is limited to the default function storage account, requiring an explicit postfix on the default storage naming convention. (I did a brute-force experiment with the same postfix naming convention on the other storage accounts, with no luck.)

  • If granting access to multiple storage accounts with managed identity is not possible this should be documented.
  • If it is possible to grant access to multiple storage accounts with managed identity a functional guide is required, as the current documentation seems inadequate.

I have raised a question on SO with more details.

noontz avatar Sep 11 '23 19:09 noontz

Thanks for reporting, will discuss and update.

bhagyshricompany avatar Sep 12 '23 10:09 bhagyshricompany

I believe I found the issue I was struggling with.

I experience that networking for the storage accounts requires the "Public network access" setting to be "Enabled from all networks" for managed identity to work? I had the setting on "Enabled from selected virtual networks and IP addresses" with the outbound IPs of the requesting Azure Function in the "Allow access" list. I'm confused why this should interfere with an identity token, but that seems to be the case? If my observation is correct, this "mutual exclusiveness" should definitely be documented (if it isn't already somewhere I missed).

If there is a timespan from configuring the RBAC until it is effective, I recommend the expected / max timespan should be documented.

Another change I made during my brute-force journey to make this work was changing my C# code from

var blobServiceClient = new BlobServiceClient(new Uri("https://<account>.blob.core.windows.net"), new DefaultAzureCredential()); // the TokenCredential overload takes a Uri, not a string; <account> is a placeholder
var containerClient = (await blobServiceClient.CreateBlobContainerAsync("containerName")).Value; // the async call returns Task<Response<BlobContainerClient>>, so await it and unwrap .Value

to

var containerClient = new BlobContainerClient(new Uri("https://<account>.blob.core.windows.net/<container>"), new DefaultAzureCredential()); // container-scoped client; <account> and <container> are placeholders

If this is a requirement, it should be documented as well.

I will delete the SO question, so the previous link will be dead.

noontz avatar Sep 12 '23 11:09 noontz
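As an added illustration for the 403 in the original report and the network-rule observation in the follow-up (this is example code, not the issue author's or the Azure Functions project's), the helper below probes several storage accounts with one DefaultAzureCredential and separates the two 403 causes by the error code the storage service returns. Account and container names are placeholders you supply.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Storage.Blobs;

public static class MultiAccountProbe
{
    // One credential for every account: the managed identity token is issued for the
    // https://storage.azure.com/ audience, so the same token is accepted by any account
    // on which this identity holds a Storage Blob Data role.
    private static readonly DefaultAzureCredential Credential = new DefaultAzureCredential();

    // Reads container properties in each account and reports, per account, either "ok"
    // or the 403 error code that explains why the request was rejected.
    public static async Task<Dictionary<string, string>> ProbeAsync(
        IEnumerable<string> accountNames, string containerName)
    {
        var results = new Dictionary<string, string>();
        foreach (var account in accountNames)
        {
            // Container-scoped client built from the account endpoint plus the container
            // name; no connection string or account key is involved.
            var uri = new Uri($"https://{account}.blob.core.windows.net/{containerName}");
            var container = new BlobContainerClient(uri, Credential);
            try
            {
                await container.GetPropertiesAsync(); // covered by Storage Blob Data Reader
                results[account] = "ok";
            }
            catch (RequestFailedException ex) when (ex.Status == 403)
            {
                // AuthorizationPermissionMismatch: the identity authenticated, but no data-plane
                // role is assigned on this account (or the assignment has not propagated yet).
                // AuthorizationFailure: the request was rejected by the account's network rules
                // (firewall / "selected networks"); the token itself was not the problem.
                results[account] = $"403 {ex.ErrorCode}";
            }
        }
        return results;
    }
}

// Example call from a function body (placeholder account and container names):
// var report = await MultiAccountProbe.ProbeAsync(new[] { "accountone", "accounttwo" }, "data");
```

A 403 AuthorizationFailure while the function's outbound IPs are on the allow list usually means the request did not arrive from one of those addresses; Azure services in the same region as the storage account reach it over internal addresses, so public outbound IP allow-listing does not match that traffic.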