
Since "managed identity for AzureWebJobsStorage" has been published for enabling the Function App to access the storage account, I wanted to give it a shot and implement it across our APIs. However, this didn’t work for the Azure Function Linux Consumption Plan. The setup looks like this:

  • Function runtime: ~4
  • Python version: 3.9
  • Service Plan: Linux Consumption
  • System Identity activated and Blob Owner + SA Contributor is assigned to access the SA.
  • Deployment method:
    • Azure DevOps pipeline through task AzureFunctionApp@1
    • I’ve tried zip deployment and runFromPackage

My issue is with the application settings. It’s not very clear to me which app settings besides AzureWebJobsStorage__accountName:[SA_NAME] should be configured. To be more concrete, the app setting WEBSITE_RUN_FROM_PACKAGE:1, according to MSFT documentation, is not supported in the Linux Consumption plan, and WEBSITE_RUN_FROM_PACKAGE:[URL] must be used for it. Normally, without managed identity access, the deployment tools take care of adjusting the URL on each deployment and pointing it to the correct package name in the storage account. This adjustment is not happening with AzureWebJobsStorage__accountName, since it cannot access the storage account anyway.

How to test it? Simply by creating a Linux Consumption Python function in Azure and adding/adjusting the AzureWebJobsStorage__accountName:[SA_NAME]. Then try to deploy the function with a basic HTTPTrigger created in VS Code.

I am not aware if the python http trigger code must be adjusted or not. Would be great if someone can provide more information about it and about the app settings.


Answers


  1. The below works on my side (Linux Consumption plan):

    trigger:
    - none
    
    variables:
      # Azure Resource Manager connection created during pipeline creation
      azureSubscription: 'xxx'
      resourceGroupName: 'xxx'
      # Function app name
      functionAppName: 'xxx'
      # Agent VM image name
      vmImageName: 'ubuntu-latest'
    
      # Working Directory
      workingDirectory: ''
    
    
      storage_str: 'xxx'
    
    stages:
    - stage: Build
      displayName: Build stage
    
      jobs:
      - job: Build
        displayName: Build
        pool:
          vmImage: $(vmImageName)
    
        steps:
        - task: UsePythonVersion@0
          displayName: 'Use Python 3.9'
          inputs:
            versionSpec: 3.9 # Functions V2 supports Python 3.6 as of today
            architecture: 'x64'
    
        - bash: |
            pip install --target="./.python_packages/lib/site-packages" -r ./requirements.txt
          workingDirectory: $(workingDirectory)
          displayName: 'Install application dependencies'
    
        - task: ArchiveFiles@2
          displayName: 'Archive files'
          inputs:
            rootFolderOrFile: "$(System.DefaultWorkingDirectory)"
            includeRootFolder: false
            archiveType: zip
            archiveFile: "$(System.DefaultWorkingDirectory)/$(Build.BuildId).zip"
            replaceExistingArchive: true
    
        - task: PublishBuildArtifacts@1
          inputs:
            PathtoPublish: '$(System.DefaultWorkingDirectory)/$(Build.BuildId).zip'
            artifactName: 'drop'
            
    - stage: Deploy
      displayName: Deploy stage
      dependsOn: Build
      condition: succeeded()
    
      jobs:
      - deployment: Deploy
        displayName: Deploy
        environment: 'test'
        pool:
          vmImage: 'windows-latest'
    
        strategy:
          runOnce:
            deploy:
              steps:
              - task: DownloadPipelineArtifact@2
                displayName: 'Download Pipeline Artifact'
                inputs:
                  buildType: 'current'
                  artifactName: 'drop'
                  targetPath: '$(Pipeline.Workspace)/drop/'
              - task: AzureAppServiceSettings@1
                inputs:
                  azureSubscription: '$(azureSubscription)'
                  appName: '$(functionAppName)'
                  resourceGroupName: '$(resourceGroupName)'
                  appSettings: |
                    [
                      {
                        "name": "AzureWebJobsStorage",
                        "value": "$(storage_str)",
                        "slotSetting": false
                      }
                    ]
              - task: AzureFunctionApp@1
                inputs:
                  azureSubscription: '$(azureSubscription)'
                  appType: 'functionAppLinux'
                  appName: '$(functionAppName)'
                  package: '$(Pipeline.Workspace)/drop/$(Build.BuildId).zip'
                  runtimeStack: 'PYTHON|3.9'
    
  2. You can solve this by using a user-assigned identity.

    Just try adding this app setting:

    WEBSITE_RUN_FROM_PACKAGE_BLOB_MI_RESOURCE_ID = Managed_Identity_Resource_Id
    

    Source:
    https://learn.microsoft.com/en-us/azure/azure-functions/run-functions-from-deployment-package#fetch-a-package-from-azure-blob-storage-using-a-managed-identity

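An added example, not part of either answer or of Microsoft's tooling: a Python check over a Function App's app settings (for instance the output of `az functionapp config appsettings list` turned into a name/value dict) that flags the cases discussed above, namely a stored account key or SAS, `WEBSITE_RUN_FROM_PACKAGE=1` on Linux Consumption, and a package URL fetched without an identity. The finding names and all sample values (account name, URLs, resource ID) are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Connection-string keys that carry a shared secret.
SECRET_KEYS = re.compile(r"(AccountKey|SharedAccessSignature)=", re.I)

def audit_app_settings(settings):
    """Return findings for the storage-related app settings of a Function App."""
    findings = []
    conn = settings.get("AzureWebJobsStorage", "")
    account = settings.get("AzureWebJobsStorage__accountName", "")
    if SECRET_KEYS.search(conn):
        findings.append("secret-in-connection-string")
    if not conn and not account:
        findings.append("no-host-storage")

    pkg = settings.get("WEBSITE_RUN_FROM_PACKAGE", "")
    mi = settings.get("WEBSITE_RUN_FROM_PACKAGE_BLOB_MI_RESOURCE_ID", "")
    if pkg == "1":
        # Per the question: not supported on the Linux Consumption plan.
        findings.append("run-from-package-1-unsupported")
    elif pkg:
        url = urlsplit(pkg)
        has_sas = "sig" in parse_qs(url.query)
        if url.scheme != "https":
            findings.append("package-url-not-https")
        if has_sas:
            # A SAS in the URL is a bearer secret stored in app settings.
            findings.append("sas-in-package-url")
        elif not mi:
            # No SAS and no identity configured for the package fetch.
            findings.append("package-url-without-identity")
    return findings

# Constructed sample settings; every value below is a placeholder.
KEY_BASED = {
    "AzureWebJobsStorage": "DefaultEndpointsProtocol=https;AccountName=examplesa;"
                           "AccountKey=PLACEHOLDER;EndpointSuffix=core.windows.net",
    "WEBSITE_RUN_FROM_PACKAGE":
        "https://examplesa.blob.core.windows.net/releases/app.zip?sv=2021-08-06&sig=PLACEHOLDER",
}
IDENTITY_BASED = {
    "AzureWebJobsStorage__accountName": "examplesa",
    "WEBSITE_RUN_FROM_PACKAGE": "https://examplesa.blob.core.windows.net/releases/app.zip",
    "WEBSITE_RUN_FROM_PACKAGE_BLOB_MI_RESOURCE_ID": "<managed-identity-resource-id>",
}
QUESTION_SETUP = {"AzureWebJobsStorage__accountName": "examplesa",
                  "WEBSITE_RUN_FROM_PACKAGE": "1"}

if __name__ == "__main__":
    for name in ("KEY_BASED", "IDENTITY_BASED", "QUESTION_SETUP"):
        print(name, audit_app_settings(globals()[name]))
```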