Since "managed identity for AzureWebJobsStorage" has been published for enabling the Function App to access the storage account, I wanted to give it a shot and implement it across our APIs. However, this didn’t work for Azure Function Linux Consumption Plan. The setup looks like this:
- Function runtime: ~4
- Python version: 3.9
- Service Plan: Linux Consumption
- System Identity activated and Blob Owner + SA Contributor is assigned to access the SA.
- Deployment method:
  - Azure DevOps pipeline through task AzureFunctionApp@1
  - I’ve tried zip deployment and runFromPackage
My issue is with the Application Settings. It’s not very clear to me which app settings besides AzureWebJobsStorage__accountName:[SA_NAME] should be configured. To be more concrete, the app setting WEBSITE_RUN_FROM_PACKAGE:1 according to MSFT documentation is not supported in consumption linux plan and WEBSITE_RUN_FROM_PACKAGE:[URL] must be used for it. Normally, without Managed Identity access, the deployment tools will take care of adjusting the URL on each deployment and pointing it to the correct package name in the storage account. This adjustment is not happening with AzureWebJobsStorage__accountName, since it cannot access the storage account anyway.
How to test it? Simply by creating a consumption linux python function in Azure and adding/adjusting the AzureWebJobsStorage__accountName:[SA_NAME]. Then try to deploy the function with basic HTTPTrigger created in vscode.
I am not aware if the python http trigger code must be adjusted or not. Would be great if someone can provide more information about it and about the app settings.
2 Answers
The below works on my side (Linux consumption plan):
You can solve this by using a user-assigned identity.
Just try adding this app setting:
Source:
https://learn.microsoft.com/en-us/azure/azure-functions/run-functions-from-deployment-package#fetch-a-package-from-azure-blob-storage-using-a-managed-identity
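
Added example, not part of the original question or answers: a pre-deployment check over a function app's settings for the identity-based setup discussed above. AzureWebJobsStorage__accountName and WEBSITE_RUN_FROM_PACKAGE come from the question; WEBSITE_RUN_FROM_PACKAGE_BLOB_MI_RESOURCE_ID is the setting name from Microsoft's run-from-package documentation (not taken from the answer text), and the function names and sample values are constructed.

```python
from urllib.parse import urlparse, parse_qs

# First two names appear in the question; the third is from Microsoft's
# run-from-package documentation (an assumption, not from the answer text).
STORAGE_NAME = "AzureWebJobsStorage__accountName"
RUN_FROM_PKG = "WEBSITE_RUN_FROM_PACKAGE"
PKG_IDENTITY = "WEBSITE_RUN_FROM_PACKAGE_BLOB_MI_RESOURCE_ID"


def check_settings(settings):
    """Return findings for a Linux Consumption app using identity-based storage."""
    findings = []

    # A classic connection string stores a long-lived secret in app settings.
    conn = settings.get("AzureWebJobsStorage", "")
    if "AccountKey=" in conn or "SharedAccessSignature=" in conn:
        findings.append("AzureWebJobsStorage holds a storage secret")
    if not conn and not settings.get(STORAGE_NAME):
        findings.append(f"{STORAGE_NAME} is not set")

    pkg = settings.get(RUN_FROM_PKG, "")
    if pkg == "1":
        # Stated in the question: the value 1 is not supported on this plan.
        findings.append(f"{RUN_FROM_PKG}=1 is not supported on Linux Consumption")
    elif not pkg.lower().startswith("https://"):
        findings.append(f"{RUN_FROM_PKG} must be an https URL to the package blob")
    elif "sig" in parse_qs(urlparse(pkg).query):
        # A SAS signature in the URL is a credential, not identity-based access.
        findings.append(f"{RUN_FROM_PKG} embeds a SAS token")
    return findings


def package_identity(settings):
    """Report which identity fetches the package blob (no SAS in the URL)."""
    value = settings.get(PKG_IDENTITY, "SystemAssigned")
    # Omitting the setting is the same as the value SystemAssigned.
    return "system-assigned" if value.lower() == "systemassigned" else value
```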