
I have written a script for function app and its storage account creation using Terraform.

I had shared access key enabled for the storage account, but on the Azure portal, under Security, it shows that the function app should access the storage account via managed identity, not via shared access key.

So I made the following changes in my script:

  • disabled shared access key and
  • added the argument storage_uses_managed_identity in the function app
  • added the app setting AzureWebJobsStorage__accountName
  • granted the function app principal_id the Storage Blob Data Contributor role on
    the storage account

But it is still unable to connect.

Can someone suggest what other changes can be made so that connectivity can be established? When I check in App Insights, it also shows an exception.

2 Answers


  1. To connect an Azure Function App to a Storage Account using Managed Identity:

    • Enable Managed Identity (System-Assigned or User-Assigned)
    • Assign the Storage Blob Data Contributor role and the Storage Blob Data Owner role to the Function App in the Storage Account => Access Control (IAM) => Add Role Assignment:


    • Change the application setting AzureWebJobsStorage to AzureWebJobsStorage__accountName, with the storage account name as its value.

    I have followed the above-mentioned steps and was able to connect the Function App to the Storage Account.


    References:

    Use managed identity instead of AzureWebJobsStorage to connect a function app to a storage account

  2. I hope this will help you. For me it works well.

    resource "azurerm_windows_function_app" "this" {

    # other arguments of the resource were omitted by the poster
    .....................

      # With storage_uses_managed_identity the provider does not read the
      # storage key; it emits AzureWebJobsStorage__accountName for the app.
      storage_uses_managed_identity = true
      storage_account_name          = var.storage_account_name

      # System-assigned identity; its principal_id is what the role
      # assignment below is granted to.
      identity {
        type = "SystemAssigned"
      }

      app_settings = {

        # The content share still uses a connection string here, not the identity.
        "WEBSITE_CONTENTSHARE"                     = var.storage_account_file_share_name
        "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING" = var.storage_account_connection_string
        "FUNCTIONS_EXTENSION_VERSION"              = var.functions_extension_version
        "FUNCTIONS_WORKER_RUNTIME"                 = var.functions_worker_runtime
      }

    }
    
    And don't forget to create the role assignment resource.
    
    # Data-plane role on the storage account for the function app's system-assigned identity.
    resource "azurerm_role_assignment" "this" {
      scope                = var.storage_account_id
      role_definition_name = "Storage Blob Data Contributor"
      principal_id         = azurerm_windows_function_app.this.identity[0].principal_id
    }
    
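As an added, end-to-end example (not code from the question or from either answer; the resource names, region, plan SKU and worker runtime are assumptions), here is a Terraform configuration that carries out the steps answer 1 describes and answer 2 sketches, with the shared access key disabled on the storage account as in the question. Two points differ from answer 2 and matter in practice: the app runs on a Dedicated plan so it needs no WEBSITE_CONTENTAZUREFILECONNECTIONSTRING, because Azure Files does not support identity-based access and a Consumption or Elastic Premium app cannot use a key-less storage account for its content share; and the role granted is Storage Blob Data Owner, which is what the Azure Functions documentation requires for an identity-based AzureWebJobsStorage connection (Storage Blob Data Contributor alone is not enough). The azurerm provider emits the AzureWebJobsStorage__accountName setting itself when storage_uses_managed_identity is true, so it is deliberately not repeated in app_settings.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.100"
    }
  }
}

provider "azurerm" {
  features {}
  # Make the provider's own data-plane calls (containers, shares, blobs)
  # authenticate with Entra ID; key-based calls stop working once
  # shared_access_key_enabled is false below.
  storage_use_azuread = true
}

# Assumed names and region; change to suit.
locals {
  location = "westeurope"
  rg_name  = "rg-func-mi-example"
}

resource "azurerm_resource_group" "rg" {
  name     = local.rg_name
  location = local.location
}

resource "azurerm_storage_account" "host" {
  name                     = "stfuncmiexample01" # assumed; must be globally unique
  resource_group_name      = azurerm_resource_group.rg.name
  location                 = azurerm_resource_group.rg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  # What the portal's security recommendation asks for: no key-based auth at all.
  shared_access_key_enabled = false
}

resource "azurerm_service_plan" "plan" {
  name                = "asp-func-mi-example" # assumed
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  os_type             = "Windows"
  # A Dedicated plan needs no WEBSITE_CONTENTAZUREFILECONNECTIONSTRING, so the
  # app never has to hold a storage key. Consumption and Elastic Premium plans
  # mount an Azure Files content share, and Azure Files has no identity-based
  # access, so they cannot run against a key-less host storage account.
  sku_name = "B1"
}

resource "azurerm_windows_function_app" "func" {
  name                = "func-mi-example-01" # assumed; must be globally unique
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  service_plan_id     = azurerm_service_plan.plan.id

  # The provider emits AzureWebJobsStorage__accountName = <account> itself and
  # never reads the key. Do not also put AzureWebJobsStorage or
  # AzureWebJobsStorage__accountName into app_settings.
  storage_account_name          = azurerm_storage_account.host.name
  storage_uses_managed_identity = true

  identity {
    type = "SystemAssigned"
  }

  site_config {}

  app_settings = {
    "FUNCTIONS_WORKER_RUNTIME" = "dotnet-isolated" # assumed runtime
  }
}

# Roles the Functions host needs on its own storage account when the
# AzureWebJobsStorage connection is identity-based. Storage Blob Data Owner is
# the one the host connection itself requires; the queue and table roles are
# only used by extensions that touch queues or tables (queue triggers,
# Durable Functions) and can be dropped if nothing in the app uses them.
locals {
  host_storage_roles = toset([
    "Storage Blob Data Owner",
    "Storage Queue Data Contributor",
    "Storage Table Data Contributor",
  ])
}

resource "azurerm_role_assignment" "host_storage" {
  for_each             = local.host_storage_roles
  scope                = azurerm_storage_account.host.id
  role_definition_name = each.value
  principal_id         = azurerm_windows_function_app.func.identity[0].principal_id
}
```

After `terraform apply`, confirm with `az functionapp config appsettings list --name <app> --resource-group <rg>` that the app carries AzureWebJobsStorage__accountName and no AzureWebJobsStorage connection string. Role assignments can take a few minutes to propagate, so the host may log storage authorization failures right after the first apply; restarting the function app once the assignment is visible under the storage account's Access Control (IAM) blade clears that.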