How to disable access key connection in Function App

Yi Zhan 0 Reputation points Microsoft Employee
2024-08-16T05:26:07.5466667+00:00

Recently I wanted to disable the access key connection AzureWebJobsStorage in my Function App and use Managed Identity instead. I checked the possible solution of changing it to AzureWebJobsStorage__accountname in the environment variables. Also, I changed the connection info in the JSON.

{
  "bindings": [
    {
      "name": "inputBlob",
      "type": "blobTrigger",
      "direction": "in",
      "path": "mailsend/{name}",
      "connection": "AzureWebJobsStorage__accountname"
    }
  ],
  "scriptFile": "../dist/SendMail/index.js",
  "disabled": false
}

However, the sendmail Function still fails when triggered. Is there any further change I need to make in my code to match the new connection info of AzureWebJobsStorage__accountname?

Azure Functions
An Azure service that provides an event-driven serverless compute platform.
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.

1 answer

  1. Pinaki Ghatak 4,535 Reputation points Microsoft Employee
    2024-08-16T19:30:56.7566667+00:00

    Hello @Yi Zhan

    To use Managed Identity, you need to grant the necessary permissions to the identity and then update your code to use the identity to access the storage account.

    To grant the necessary permissions to the identity, you need to assign the "Storage Blob Data Contributor" role to the identity on the storage account. You can do this by following these steps:

    1. In the Azure portal, navigate to your storage account.
    2. Click on "Access control (IAM)" in the left-hand menu.
    3. Click on the "+ Add" button and select "Add role assignment".
    4. In the "Add role assignment" blade, select "Storage Blob Data Contributor" as the role.
    5. In the "Assign access to" section, select "User, group, or service principal".
    6. In the "Select" field, search for and select the name of your function app.
    7. Click on the "Save" button to assign the role to the identity.

    Once you have assigned the role to the identity, you can update your code to use the identity to access the storage account. You can do this by using the DefaultAzureCredential class from the @azure/identity package to authenticate with the identity and then passing the resulting TokenCredential object to the BlobServiceClient constructor.

    Here is an example of how you can update your code to use Managed Identity:

    const { BlobServiceClient } = require("@azure/storage-blob");
    const { DefaultAzureCredential } = require("@azure/identity");

    module.exports = async function (context, myBlob) {
        // The account name comes from the identity-based app setting; no access key is read.
        const accountName = process.env["AzureWebJobsStorage__accountname"];
        const containerName = "mycontainer";
        const blobName = "myblob";
        // DefaultAzureCredential picks up the function app's managed identity at runtime.
        const credential = new DefaultAzureCredential();
        const blobServiceClient = new BlobServiceClient(
            `https://${accountName}.blob.core.windows.net`,
            credential
        );
        const containerClient = blobServiceClient.getContainerClient(containerName);
        const blockBlobClient = containerClient.getBlockBlobClient(blobName);
        // myBlob is the triggering blob's content, delivered as a Buffer.
        await blockBlobClient.upload(myBlob, myBlob.length);
    };


    In this example, we are using the DefaultAzureCredential class to authenticate with the identity and then passing the resulting TokenCredential object to the BlobServiceClient constructor.

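As an added example (not code from the question, the answer, or the Functions host itself), the block below models how the host resolves a trigger's "connection" value against app settings, so the function.json and environment from this thread can be checked offline. The resolution rules are a simplified assumption based on the documented setting names, and the account name "examplestorage" is a constructed placeholder.

```javascript
// Simplified model of connection-name resolution (assumption, not host code):
// a setting named exactly <connection> must hold a connection string; otherwise
// "<connection>__accountName" or "<connection>__blobServiceUri" describe an
// identity-based connection. Setting names are matched case-insensitively.
function resolveStorageConnection(connectionName, env) {
  const direct = Object.entries(env).find(
    ([key]) => key.toLowerCase() === connectionName.toLowerCase()
  );
  if (direct) {
    // A bare setting is taken as a shared-key connection string, which is
    // always a "Key=Value;..." list; anything else cannot be parsed.
    return direct[1].includes("=")
      ? { mode: "connectionString" }
      : { mode: "invalid", reason: `setting ${direct[0]} is not a connection string` };
  }
  // No bare setting: treat the name as a prefix for identity-based settings.
  const prefix = `${connectionName}__`.toLowerCase();
  const section = {};
  for (const [key, value] of Object.entries(env)) {
    if (key.toLowerCase().startsWith(prefix)) {
      section[key.slice(prefix.length).toLowerCase()] = value;
    }
  }
  if (section.blobserviceuri) {
    return { mode: "identity", blobServiceUri: section.blobserviceuri };
  }
  if (section.accountname) {
    return {
      mode: "identity",
      blobServiceUri: `https://${section.accountname}.blob.core.windows.net`,
    };
  }
  return { mode: "unresolved", reason: `no settings found for ${connectionName}` };
}

// Constructed app settings matching the question: the shared-key AzureWebJobsStorage
// setting is gone and only the identity-based accountName form remains.
const constructedEnv = {
  AzureWebJobsStorage__accountname: "examplestorage", // placeholder account name
  FUNCTIONS_WORKER_RUNTIME: "node",
};

// With "connection": "AzureWebJobsStorage__accountname" the host finds a bare setting
// of that name and tries to parse "examplestorage" as a connection string.
const broken = resolveStorageConnection("AzureWebJobsStorage__accountname", constructedEnv);
// With "connection": "AzureWebJobsStorage" the prefix resolves to the identity endpoint.
const fixed = resolveStorageConnection("AzureWebJobsStorage", constructedEnv);
console.log(broken, fixed);
```

The function.json "connection" value is the prefix only; the host appends "__accountName" (or "__blobServiceUri") itself when it looks up identity-based settings.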
