Question 104852 in Azure Question posted in
The official documentation to get you started can be found here.

Azure Function (Consumption Linux Plan) is not working with System Identity to access the storage account for zip deployment

Since "managed identity for AzureWebJobsStorage" has been published for enabling the Function App to access the storage account I wanted to give it a shot and implement across our APIs. However, this didn’t work for Azure Function Linux Consumption Plan. The setup looks like that:

  • Function runtime: ~4
  • Python version: 3.9
  • Service Plan: Linux Consumption
  • System Identity activated and Blob Owner + SA Contributor is assigned to access the SA.
  • Deployment method:
    • Azure DevOps pipeline through task AzureFunctionApp@1
    • I’ve tried zip deployment and runFromPackage

My Issue is with the Application Settings. It’s not very clear to me which app settings beside AzureWebJobsStorage__accountName:[SA_NAME] should be configured. To be more concrete, the app setting WEBSITE_RUN_FROM_PACKAGE:1 according to MSFT documentation is not supported in consumption linux plan and WEBSITE_RUN_FROM_PACKAGE:[URL] must be used for it. Normally, without Managed Identity access, the deployment tools will take care of the adjusting by each deployment the URL and pointing it to the correct package name in the storage account. This adjustment is not happening with AzureWebJobsStorage__accountName, since it cannot access the storage account anyway.

How to test it? Simply by creating a cosumption linux python function in Azure and addingadjusting the AzureWebJobsStorage__accountName:[SA_NAME]. Then try to deploy the function with basic HTTPTrigger created in vscode.

I am not aware if the python http trigger code must be adjusted or not. Would be great if someone can provide more information about it and about the app settings.

Tags:

2

Answers


  1. 0

    The below works on my side(Linux consumption plan):

    trigger:
- none

variables:
  # Azure Resource Manager connection created during pipeline creation
  azureSubscription: 'xxx'
  resourceGroupName: 'xxx'
  # Function app name
  functionAppName: 'xxx'
  # Agent VM image name
  vmImageName: 'ubuntu-latest'

  # Working Directory
  workingDirectory: ''


  storage_str: 'xxx'

stages:
- stage: Build
  displayName: Build stage

  jobs:
  - job: Build
    displayName: Build
    pool:
      vmImage: $(vmImageName)

    steps:
    - task: UsePythonVersion@0
      displayName: 'Use Python 3.9'
      inputs:
        versionSpec: 3.9 # Functions V2 supports Python 3.6 as of today
        architecture: 'x64'

    - bash: |
        pip install --target="./.python_packages/lib/site-packages" -r ./requirements.txt
      workingDirectory: $(workingDirectory)
      displayName: 'Install application dependencies'

    - task: ArchiveFiles@2
      displayName: 'Archive files'
      inputs:
        rootFolderOrFile: "$(System.DefaultWorkingDirectory)"
        includeRootFolder: false
        archiveType: zip
        archiveFile: "$(System.DefaultWorkingDirectory)/$(Build.BuildId).zip"
        replaceExistingArchive: true

    - task: PublishBuildArtifacts@1
      inputs:
        PathtoPublish: '$(System.DefaultWorkingDirectory)/$(Build.BuildId).zip'
        artifactName: 'drop'
        
- stage: Deploy
  displayName: Deploy stage
  dependsOn: Build
  condition: succeeded()

  jobs:
  - deployment: Deploy
    displayName: Deploy
    environment: 'test'
    pool:
      vmImage: 'windows-latest'

    strategy:
      runOnce:
        deploy:
          steps:
          - task: DownloadPipelineArtifact@2
            displayName: 'Download Pipeline Artifact'
            inputs:
              buildType: 'current'
              artifactName: 'drop'
              targetPath: '$(Pipeline.Workspace)/drop/'
          - task: AzureAppServiceSettings@1
            inputs:
              azureSubscription: '$(azureSubscription)'
              appName: '$(functionAppName)'
              resourceGroupName: '$(resourceGroupName)'
              appSettings: |
                [
                  {
                    "name": "AzureWebJobsStorage",
                    "value": "$(storage_str)",
                    "slotSetting": false
                  }
                ]
          - task: AzureFunctionApp@1
            inputs:
              azureSubscription: '$(azureSubscription)'
              appType: 'functionAppLinux'
              appName: '$(functionAppName)'
              package: '$(Pipeline.Workspace)/drop/$(Build.BuildId).zip'
              runtimeStack: 'PYTHON|3.9'
    Login or Signup to reply.
  2. 0

    you can solve this by using a user-assigned identity.

    Just try adding this app setting:

    WEBSITE_RUN_FROM_PACKAGE_BLOB_MI_RESOURCE_ID = Managed_Identity_Resource_Id

    Source:
    https://learn.microsoft.com/en-us/azure/azure-functions/run-functions-from-deployment-package#fetch-a-package-from-azure-blob-storage-using-a-managed-identity

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search