
I have created a blob trigger Azure Function which uses a connection string in the code at the moment.

local.settings.json: [image]

using System.IO;
using Microsoft.Azure.WebJobs;
using Microsoft.Extensions.Logging;

public static class BlobTrigger_Fun
{
    // Connection names the app setting that holds the storage connection string.
    [FunctionName("BlobTrigger_Fun")]
    public static void Run([BlobTrigger("democontainerazure/{name}", Connection = "AzureWebJobsStorage")]Stream myBlob, string name, ILogger log)
    {
        log.LogInformation($"C# Blob trigger function Processed blob\n Name:{name} \n Size: {myBlob.Length} Bytes");
    }
}

I want to use a managed identity to avoid using a connection string in the code.

Sonam Mohite
  • Hi, any other concern about this issue? – Joy Wang Jun 08 '20 at 04:08
  • Not really, but I just don't want to keep the connection string in the code – Sonam Mohite Jun 08 '20 at 04:13
  • 3
    Don't worry about that. When you publish the function to Azure, the `local.settings.json` will not be published; it will use the `AzureWebJobsStorage` app setting of your function app -> Configuration. For the security issue, you can also store the connection string in Key Vault and reference it in the app setting; refer to this blog: https://zimmergren.net/azure-functions-key-vault-reference-azurewebjobsstorage/ Anyway, the MSI could not replace the `AzureWebJobsStorage`. – Joy Wang Jun 08 '20 at 04:21
  • 3
    And if you just want to test your code locally, you can use the Storage Emulator directly with `"AzureWebJobsStorage": "UseDevelopmentStorage=true"` in `local.settings.json`; refer to https://www.eliostruyf.com/set-up-azure-storage-for-local-develop-of-timer-or-queue-triggered-azure-functions/ – Joy Wang Jun 08 '20 at 04:37
  • @SonamMohite If Joy's answer helps you, please mark his answer to end this question. :) – Cindy Pau Jun 08 '20 at 07:28

1 Answer


No, you can't.

The MSI (managed identity) is not for such usage; it is just used for authenticating to Azure services that support Azure AD authentication. The `AzureWebJobsStorage` setting is used by the Azure Functions runtime; in the function app, the property must be specified as an app setting in the site configuration.

Joy Wang
  • The question is, if MSI is enabled for an app and `AzureWebJobsStorage` contains a string *without* the `AccountKey` part, will the runtime be able to connect to the storage account? – UserControl Jul 13 '20 at 14:47
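
Added example (not part of the original thread, and not Azure tooling): a Python check that follows the advice in Joy Wang's comments by flagging settings in a `local.settings.json` that embed an `AccountKey` or SAS token, while accepting Key Vault references and the emulator value. The sample file, the vault name and every setting name other than `AzureWebJobsStorage` are constructed assumptions.

```python
import json

# Constructed sample local.settings.json; the account key is a placeholder, not a real secret.
SAMPLE_SETTINGS = json.dumps({
    "Values": {
        "AzureWebJobsStorage": "DefaultEndpointsProtocol=https;AccountName=demoacct;"
                               "AccountKey=PLACEHOLDERKEY==;EndpointSuffix=core.windows.net",
        "BackupStorage": "@Microsoft.KeyVault(SecretUri="
                         "https://demo-vault.vault.azure.net/secrets/storage-conn/)",
        "DevStorage": "UseDevelopmentStorage=true",
    },
})

# Connection-string fields that are credentials in their own right.
SECRET_FIELDS = {"accountkey", "sharedaccesssignature"}


def parse_connection_string(value):
    """Split 'k1=v1;k2=v2' into a dict with lower-cased keys (values may contain '=')."""
    fields = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep and key.strip():
            fields[key.strip().lower()] = val.strip()
    return fields


def classify(value):
    """Say how one setting value carries, or avoids carrying, a storage credential."""
    value = str(value).strip()
    if value.startswith("@Microsoft.KeyVault(") and value.endswith(")"):
        return "keyvault-reference"
    fields = parse_connection_string(value)
    if fields.get("usedevelopmentstorage", "").lower() == "true":
        return "emulator"
    if SECRET_FIELDS & fields.keys():
        return "inline-secret"
    return "no-secret"


def audit(settings_json):
    """Map every name under 'Values' to its classification."""
    values = json.loads(settings_json).get("Values", {})
    return {name: classify(value) for name, value in values.items()}


def findings(settings_json):
    """Names of settings that embed an account key or SAS token in plain text."""
    return sorted(n for n, kind in audit(settings_json).items() if kind == "inline-secret")
```

Running `findings()` over the settings file in a pre-commit hook or CI step catches a pasted storage key before it reaches source control.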