azure-functions-host
FlexConsumption Deployment AzureDevops Error
- I am using dotnet-isolated runtime and version 8.0
- I have deployed Flex Consumption plan and app via Bicep.
- I am using the `AzureWebJobsStorage__accountname` app setting and system assigned identity which I have given `Storage Blob Data Contributor` access to the storage account.
- I am using vnet integration and the subnet also has access to the storage account.
- I am using `az functionapp deployment source config-zip` CLI task in AzurePipelines yml file to deploy the code to the container I am using inside the deployment settings. However, the task always fails with: "ERROR: Failed to fetch host key to check for function app status".
Any ideas? I do have other app settings for things like service bus which I have given access to with the identity as above.
Please find the bicep template below. I apologise if I've raised this in the wrong repository.
```bicep
resource flexApp 'Microsoft.Web/sites@2023-12-01' = {
  name: appName
  kind: 'functionapp,linux'
  location: location
  tags: {
    app: app
    environment: environment
  }
  properties: {
    httpsOnly: true
    serverFarmId: flexPlan.id
    virtualNetworkSubnetId: subnetId
    siteConfig: {
      appSettings: appSettings
      minTlsVersion: '1.2'
      http20Enabled: true
      publicNetworkAccess: 'Enabled'
      cors: {
        allowedOrigins: [
          corsUrl
        ]
      }
    }
    functionAppConfig: {
      deployment: {
        storage: {
          type: 'blobContainer'
          value: 'https://${storageAccountName}.blob.${az.environment().suffixes.storage}/${storageContainerName}'
          authentication: {
            type: 'SystemAssignedIdentity'
          }
        }
      }
      scaleAndConcurrency: {
        maximumInstanceCount: numOfInstances
        instanceMemoryMB: 2048
      }
      runtime: {
        name: runtimeName
        version: netFrameworkVersion
      }
    }
  }
  identity: {
    type: 'SystemAssigned'
  }
}
```
In the portal I also see this
Two things to check with vnet integration
- You need to add Microsoft.Storage service endpoint to your virtual network, you can find it at ([your virtual network]\Settings\Service endpoints).
- You need to register Microsoft.App service provider in your subscription, you can find it at ([your subscription]\Settings\Resource providers). Search for Microsoft.App and register it if not already.
Hi @chrisgray94 , did the above suggestion help?
The BadGateway error from the host runtime and the Failed to fetch host key issue suggest that your Azure Function app is unable to properly communicate with required resources, likely due to networking, authentication, or storage access issues.
I suggest you go through the docs and confirm your settings/configuration.
- https://learn.microsoft.com/en-us/azure/azure-functions/functions-networking-options
- https://learn.microsoft.com/en-us/azure/azure-functions/functions-networking-vnet
- https://learn.microsoft.com/en-us/azure/azure-functions/functions-app-settings#azurewebjobsstorage
I will go ahead and close this issue now. Please reach out if the issue still persists.
As far as I know deploying Azure functions with a storage account that uses only managed / system identities using Azure DevOps has never worked,
https://github.com/microsoft/azure-pipelines-tasks/issues/18105 https://github.com/microsoft/azure-pipelines-tasks/issues/17020
Though maybe since you're using az functionapp directly and not the built in functions deploy task it would work? I think the underlying problem is whatever service principal Azure DevOps is using would also need access to the storage account to do the deployment. It seems like a pretty big design flaw in the Linux functions.
Did you get this working @chrisgray94 ? I'm seeing the same issue
I have an Elastic Premium function app which works fine using managed identity without azure files and figured this should work too given that it's newer.
I will go ahead and close this issue now. Please reach out if the issue still persists.
I am also seeing this with user assigned identity and storage account.
```hcl
resource "azurerm_function_app_flex_consumption" "main" {
  count = var.flex_consumption ? 1 : 0

  name                = "func-${var.name}-${var.location}"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
  service_plan_id     = data.azurerm_service_plan.core.id

  storage_container_type            = "blobContainer"
  storage_container_endpoint        = "${azurerm_storage_account.function.primary_blob_endpoint}${azurerm_storage_container.flex[0].name}"
  storage_authentication_type       = "UserAssignedIdentity"
  storage_user_assigned_identity_id = azurerm_user_assigned_identity.function.id

  identity {
    type = "SystemAssigned, UserAssigned"
    identity_ids = [
      azurerm_user_assigned_identity.function.id
    ]
  }

  runtime_name           = "dotnet-isolated"
  runtime_version        = "8.0"
  maximum_instance_count = 50
  instance_memory_in_mb  = 2048

  site_config {
    application_insights_key = var.application_insights_key
    use_32_bit_worker        = false
    cors {
      allowed_origins     = ["https://portal.azure.com"]
      support_credentials = true
    }
  }

  app_settings = {
    "FUNCTION_MANAGED_IDENTITY"       = azurerm_user_assigned_identity.function.client_id
    "STORAGE_BLOB_CONNECTION_STRING"  = azurerm_storage_account.data.primary_connection_string
    "STORAGE_QUEUE_CONNECTION_STRING" = azurerm_storage_account.data.primary_connection_string
    "EVENTGRID_INTERNAL_ENDPOINT"     = azurerm_eventgrid_topic.main.endpoint
    "EVENTGRID_EXTERNAL_ENDPOINT"     = data.azurerm_eventgrid_topic.core.endpoint
  }
}
```
Hey @matthetherington, @markti - Sam here, I work on the deployment area. Is this issue only occurring in Flex Consumption and deploying via AZ CLI command?
I can take a deeper look if you can provide an app name and timestamp where you observed issues.
If you're not comfortable sharing the app name here, feel free to provide the invocation ID, and we can look up the associated app name for you.
It definitely seems like there is an issue accessing storage. Will share the func name in Teams DM.
I have the exact same problem with user-assigned managed identity for internal storage. The deployment succeeds and code works, but the host key part fails. When looking at the function keys from Portal, it says "Error while loading host keys" (InternalServerError)
Hey @toni-miettinen, can you check if you possibly:
- Have both `AzureWebJobsStorage` and `AzureWebJobsStorage__accountName` / `AzureWebJobsStorage__blobServiceUri`?
- Have access keys disabled on the storage associated with `AzureWebJobsStorage`?
I've observed that when the secrets-based and MI-based connections to AzureWebJobsStorage are present, the platform may attempt the secret-based and consequently fail if access keys were disabled.
I checked and
- access keys were enabled, disabling made no difference
- both `AzureWebJobsStorage` and `__accountName` & `__blobServiceUri` are defined
Am I correct to assume that if config-zip deployment succeeds when webjobs storage has access keys disabled, the connection has been successful with MI?
My deployment pipeline is running in a hosted agent inside a peered VNet
I don't think this is fixed yet? Shouldn't the bot close as not planned when auto closing? 7 days seem a bit short of a time to auto close issues, people could be ill or go on vacation.
Hey @toni-miettinen, do you happen to have AzureWebJobsStorageSecretStorageType defined as well?
According to my mental model, if both AzureWebJobsStorage: <connection_string> and (AzureWebJobsStorage__accountName: <storage_account> or `AzureWebJobsStorageBlobServiceUri:
What happens when you delete AzureWebJobsStorage: <connection_string>? Also make sure that AzureWebJobsStorageSecretStorageType, if it exists, doesn't point to Azure Files or some other store that might have its access inhibited.
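The settings conflict discussed in the comments above can be checked before a deployment. The following is an added example, not code from this thread or from the Functions host project: it audits app settings in the JSON shape printed by `az functionapp config appsettings list`, using a constructed sample. The function name, the finding codes and the use of the documented setting name `AzureWebJobsSecretStorageType` are assumptions of this example.

```python
import json

# Constructed sample, shaped like the JSON array printed by
# `az functionapp config appsettings list`. Values are placeholders.
SAMPLE_SETTINGS = json.loads("""[
  {"name": "AzureWebJobsStorage",
   "value": "DefaultEndpointsProtocol=https;AccountName=examplestore;AccountKey=PLACEHOLDER"},
  {"name": "AzureWebJobsStorage__accountname", "value": "examplestore"},
  {"name": "AzureWebJobsSecretStorageType", "value": "files"},
  {"name": "EXAMPLE_OTHER_SETTING", "value": "1"}
]""")

PREFIX = "azurewebjobsstorage"
# Identity-based forms of the host storage connection.
IDENTITY_SUFFIXES = {"__accountname", "__blobserviceuri",
                     "__queueserviceuri", "__tableserviceuri"}


def audit_host_storage(settings):
    """Return (code, detail) findings for the host storage app settings."""
    # Compare names case-insensitively: the thread uses both
    # `__accountname` and `__accountName`.
    by_name = {s["name"].lower(): s.get("value") or "" for s in settings}
    secret = by_name.get(PREFIX, "")
    identity = sorted(n for n in by_name
                      if n.startswith(PREFIX) and n[len(PREFIX):] in IDENTITY_SUFFIXES)
    findings = []
    if secret and identity:
        # The case described in the thread: the platform may try the
        # secret-based connection and fail if access keys are disabled.
        findings.append(("MIXED_SECRET_AND_IDENTITY",
                         "remove AzureWebJobsStorage or the identity-based keys: "
                         + ", ".join(identity)))
    elif not secret and not identity:
        findings.append(("NO_HOST_STORAGE", "no AzureWebJobsStorage setting found"))
    # Host keys live in the secret store; anything other than blob storage
    # needs its own access check (documented setting name, not from the thread).
    store = by_name.get("azurewebjobssecretstoragetype", "").lower()
    if store and store != "blob":
        findings.append(("SECRET_STORE_NOT_BLOB", "AzureWebJobsSecretStorageType=" + store))
    return findings


if __name__ == "__main__":
    for code, detail in audit_host_storage(SAMPLE_SETTINGS):
        print(code, "-", detail)
```

An empty result means only one form of the host storage connection is configured; it does not prove that the identity has the required role on the storage account.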
Hi @im-samz, I tried with the only storage-related setting being AzureWebJobsStorage__accountName and the result is unfortunately the same. Access keys enabled or disabled on storage account is the same.
I'm affected as well, I tried to replicate what has been discussed in this thread and same conclusion!
I'm wondering if the following PR could fix this issue!