Use a user-assigned managed identity to replace the connection string in "AzureWebJobsStorage" for function apps


Managing the connectivity between the function app and its storage account is crucial, as the Azure Functions runtime depends on the Azure storage account. If that connection is lost, you may run into common errors such as "Azure Functions runtime is unreachable". Fortunately, Microsoft provides a guide with self-help troubleshooting steps for recovering from such errors: Troubleshoot error: Azure Functions Runtime is unreachable.

Previously, the only way to grant a function app access to its runtime storage was the connection string in the "AzureWebJobsStorage" setting. A more secure approach now exists that grants the function app access to the storage account without placing sensitive information in its configuration: a "managed identity" replaces the connection string in "AzureWebJobsStorage". By adopting this approach, the storage secret stays out of the app settings entirely while the function app still receives the permissions it needs to operate.

We already have detailed instructions for replacing the connection string in "AzureWebJobsStorage" with a "system-assigned identity"; the tutorial can be found here: Create a function app without default storage secrets in its definition - Azure Functions. Note that both "system-assigned" and "user-assigned" identities are supported in this scenario. If you prefer a "user-assigned" identity, here are the instructions:

Instructions:

a. Prepare a user-assigned identity and copy its client ID for later use.

b. Grant the “Storage Blob Data Owner” role to the identity on the storage account.

c. Assign the user-assigned identity to the function app.

d. Add the three corresponding app settings:

AzureWebJobsStorage__accountName = Storage account name (a system-assigned identity needs only this setting.)

AzureWebJobsStorage__clientId = Client ID of the user-assigned identity.

AzureWebJobsStorage__credential = managedidentity
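As an added example (not code from the original post), the following Python audit classifies a function app's app settings into the connection-string and identity-based configurations described in steps a to d, and flags half-finished migrations such as a leftover connection string next to the identity settings or a clientId without the credential setting. The settings dict is assumed to be loaded by you from the portal or from `az functionapp config appsettings list`; the function names and the sample settings are constructed for this example, and treating `AzureWebJobsStorage__credential` without a clientId as the system-assigned identity is an assumption.

```python
# Added example, not from the original post: audit AzureWebJobsStorage configuration.
import re
from dataclasses import dataclass, field

PREFIX = "AzureWebJobsStorage"
# A classic connection string embeds the storage account key after "AccountKey=".
ACCOUNT_KEY_RE = re.compile(r"AccountKey=([^;]+)", re.IGNORECASE)
# Client IDs of managed identities are GUIDs.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)


@dataclass
class StorageAuthFinding:
    """Result of auditing one function app's storage settings."""
    # connection-string | system-assigned | user-assigned | misconfigured | unset
    mode: str
    issues: list = field(default_factory=list)  # empty when the configuration is sound

    def ok(self) -> bool:
        return self.mode in ("system-assigned", "user-assigned") and not self.issues


def user_assigned_settings(account_name: str, client_id: str) -> dict:
    """The three app settings from step d for a user-assigned identity."""
    return {
        f"{PREFIX}__accountName": account_name,
        f"{PREFIX}__clientId": client_id,
        f"{PREFIX}__credential": "managedidentity",
    }


def audit_storage_auth(settings: dict) -> StorageAuthFinding:
    """Classify how the app reaches its storage account and flag leftover secrets."""
    # App setting names are case-insensitive, so compare lower-cased keys.
    lower = {k.lower(): v for k, v in settings.items() if v is not None}
    conn = lower.get(PREFIX.lower())
    account = lower.get(f"{PREFIX}__accountName".lower())
    client_id = lower.get(f"{PREFIX}__clientId".lower())
    credential = lower.get(f"{PREFIX}__credential".lower())
    issues = []

    if conn:
        if ACCOUNT_KEY_RE.search(conn):
            issues.append("AzureWebJobsStorage holds a storage account key; "
                          "consider rotating the key once the setting is removed")
        if account or client_id or credential:
            issues.append("connection string and identity settings are both present; "
                          "delete AzureWebJobsStorage")
            return StorageAuthFinding("misconfigured", issues)
        return StorageAuthFinding("connection-string", issues)

    if not account:
        if client_id or credential:
            issues.append("identity settings present but AzureWebJobsStorage__accountName is missing")
            return StorageAuthFinding("misconfigured", issues)
        return StorageAuthFinding("unset", ["no AzureWebJobsStorage configuration found"])

    # accountName alone selects the system-assigned identity (step d in the post).
    if client_id is None and credential is None:
        return StorageAuthFinding("system-assigned", [])

    if credential is not None and credential.lower() != "managedidentity":
        issues.append(f"AzureWebJobsStorage__credential is {credential!r}; expected 'managedidentity'")
    if client_id is not None:
        if credential is None:
            issues.append("AzureWebJobsStorage__clientId set without "
                          "AzureWebJobsStorage__credential=managedidentity")
        if not GUID_RE.match(client_id):
            issues.append("AzureWebJobsStorage__clientId is not a GUID; copy the identity's "
                          "client ID, not its name or resource ID")
        return StorageAuthFinding("user-assigned", issues)
    # Assumption: credential=managedidentity without a clientId means the system-assigned identity.
    return StorageAuthFinding("system-assigned", issues)


# Constructed sample settings (not real accounts or keys).
SAMPLE_BEFORE = {
    "AzureWebJobsStorage": "DefaultEndpointsProtocol=https;AccountName=contosofuncstore;"
                           "AccountKey=<PLACEHOLDER_KEY>;EndpointSuffix=core.windows.net",
    "FUNCTIONS_WORKER_RUNTIME": "python",
}
SAMPLE_AFTER = {
    "FUNCTIONS_WORKER_RUNTIME": "python",
    **user_assigned_settings("contosofuncstore", "00000000-0000-0000-0000-000000000001"),
}

if __name__ == "__main__":
    for name, s in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        finding = audit_storage_auth(s)
        print(f"{name}: mode={finding.mode} ok={finding.ok()}")
        for issue in finding.issues:
            print("  -", issue)
```

Running the script reports the "before" settings as connection-string based with the embedded key flagged, and the "after" settings as a sound user-assigned configuration; feeding it a dict that still contains both reports a misconfiguration, which is the state to check for right after step d.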


That's it. Your function app will now run correctly without the “AzureWebJobsStorage” connection string.