
User-Assigned Managed Identity for Function App to access its own (hosting) storage

Open ershadnozari opened this issue 3 years ago • 3 comments

I have created a User-Assigned Managed Identity that I have assigned to a Function App. I want to replace the Access Key connection string with the User-Assigned Managed Identity for the Function App to connect to its own storage, i.e., the hosting storage for the Function App. I have given the Storage Account Contributor, Storage Blob Data Owner, Storage Queue Data Contributor and Storage Table Data Contributor roles to the User-Assigned Managed Identity. What needs to be done to replace the storage account Access Key connection string with the User-Assigned Managed Identity? I have tried renaming the configuration AzureWebJobsStorage to AzureWebJobsStorage__accountName and replacing the Access Key connection string with the storage account name, as described in this tutorial: https://docs.microsoft.com/en-us/azure/azure-functions/functions-identity-based-connections-tutorial, however this does not seem to work. I'm unable to reach the function app and get the following error in the logs: "statusCode":400,"message":"Unable to load requested managed identity.

ershadnozari avatar Aug 23 '22 09:08 ershadnozari
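As an added illustration of the settings change described in the post above (this is example code, not from the thread or from the Functions host), the helper below converts a key-based AzureWebJobsStorage connection string into the identity-based form and checks a set of app settings for the common mistakes: an access key left in config, both forms present at once, or the user-assigned case missing its extra fields. AzureWebJobsStorage__credential and AzureWebJobsStorage__clientId are assumed from the Azure Functions identity-based connections documentation; only AzureWebJobsStorage__accountName appears in the thread, and the client ID used in the usage line is a constructed placeholder.

```python
"""Classify and migrate a Function App's hosting-storage settings (added example)."""
from typing import Dict, List

PREFIX = "AzureWebJobsStorage"  # connection name of the hosting storage account
# __credential and __clientId are assumed from the Functions identity-based
# connections documentation; the thread itself only names __accountName.


def check_storage_settings(settings: Dict[str, str], user_assigned: bool) -> List[str]:
    """Return finding codes for the settings dict (key -> value, as in the Portal).

    user_assigned: True when the app is meant to authenticate with a
    user-assigned managed identity rather than the system-assigned one.
    """
    findings: List[str] = []
    conn = settings.get(PREFIX, "")
    account = settings.get(f"{PREFIX}__accountName", "")
    cred = settings.get(f"{PREFIX}__credential", "")
    client_id = settings.get(f"{PREFIX}__clientId", "")

    if conn and "AccountKey=" in conn:
        findings.append("KEY_IN_CONFIG")            # long-lived secret still stored in config
    if conn and account:
        findings.append("MIXED_KEY_AND_IDENTITY")   # both forms set; keep only the identity form
    if not conn and not account:
        findings.append("NO_HOSTING_STORAGE")       # the host cannot start without one of them
        return findings
    if account:
        if user_assigned:
            if cred != "managedidentity":
                findings.append("MISSING_CREDENTIAL")   # needs __credential=managedidentity
            if not client_id:
                findings.append("MISSING_CLIENT_ID")    # needs __clientId of the identity
        elif cred or client_id:
            findings.append("UNEXPECTED_IDENTITY_FIELDS")  # system-assigned needs only __accountName
    return findings


def to_identity_settings(conn: str, client_id: str = "") -> Dict[str, str]:
    """Build identity-based settings from a key-based connection string.

    The AccountKey value is base64 and may contain '=', so split each
    'Name=Value' pair only on the first '='; the key itself is discarded.
    """
    parts = dict(p.split("=", 1) for p in conn.split(";") if "=" in p)
    account = parts.get("AccountName")
    if not account:
        raise ValueError("connection string has no AccountName")
    out = {f"{PREFIX}__accountName": account}
    if client_id:  # user-assigned identity: also say which identity to use
        out[f"{PREFIX}__credential"] = "managedidentity"
        out[f"{PREFIX}__clientId"] = client_id
    return out
```

Usage: `to_identity_settings("DefaultEndpointsProtocol=https;AccountName=funcapp12345;AccountKey=abc==;EndpointSuffix=core.windows.net", "00000000-0000-0000-0000-000000000000")` yields the three `AzureWebJobsStorage__*` settings for a user-assigned identity (constructed placeholder client ID); calling `check_storage_settings` on the result with `user_assigned=True` returns no findings.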

@ershadnozari would you be able to share your app name so we can take a closer look?

@mattchenderson is there any other information we'd need to investigate this?

fabiocav avatar Aug 24 '22 18:08 fabiocav

@fabiocav thanks for the response. The app is called funcapp12345. I have extracted all logic with the intention to only focus on the issue with the User-Assigned Managed Identity and the Function App access to its own storage. It's a .NET 6.0 Linux hosted In-process Function App with the configuration below: [image not captured]

ershadnozari avatar Aug 24 '22 21:08 ershadnozari

Document specifies to use system assigned identity, which we are using. Also using AzureWebJobsStorage__accountName in app settings. Though we do not get the 400 error as per above, we do get the following error in the Portal. Could we ignore?

Unable to retrieve diagnostics and error information for your function app. "AzureWebJobsStorage" app setting is not present. The function app needs to have a valid Azure Storage connection string configured for the app setting "AzureWebJobsStorage"

dirkslab avatar Sep 20 '22 12:09 dirkslab

I got here from a Google search for this same warning. Our function app does seem to work, but warnings make me nervous, especially since I seem to have lost my logging statements and wonder if it's related to this.

nikki9696 avatar Apr 10 '23 16:04 nikki9696

So basically using any managed identity for the storage account only gets you half way since not only can you not use a user assigned identity, other settings pointing to the same storage account cannot use a managed identity at all. Is this on the roadmap already?

Expecho avatar May 17 '23 15:05 Expecho

@nikki9696 the warning is due to a bug with the component performing health checks today. This is something we're addressing, and safe to ignore.

fabiocav avatar May 31 '23 21:05 fabiocav