How to deploy Python Azure Function with Shared Keys disabled

Question

I am attempting to deploy a Python function to an Azure Function App but with "Allow storage account key access" set to "Disabled" on the storage account associated with the function.

The function deploys and works fine prior to disabling this option.

I have followed these steps

• Enabled a system-assigned Identity for the function (also tried user assigned)
• Granted the Storage Blob Data Owner role on the storage account to that identity (I have also tried other roles mentioned elsewhere such as Storage Blob Data Contributor)
• Changed the AzureWebJobsStorage application setting on the function to AzureWebJobsStorage__accountName with the value set to the name of the storage account.

When I try to deploy from Visual Studio Code or via GitHub Actions, it fails

Sample error from Visual Studio:

9:18:52 PM dev-mysimplefunction: Creating placeholder blob for linux consumption function app...
9:18:52 PM dev-mysimplefunction: Malformed SCM_RUN_FROM_PACKAGE when uploading built content.
9:18:52 PM dev-mysimplefunction: Generating summary of Oryx build
9:18:52 PM dev-mysimplefunction: Deployment Log file does not exist in /tmp/oryx-build.log
9:18:52 PM dev-mysimplefunction: The logfile at /tmp/oryx-build.log is empty. Unable to fetch the summary of build
9:18:53 PM dev-mysimplefunction: Deployment Failed. deployer = ms-azuretools-vscode deploymentPath = Functions App ZipDeploy. Extract zip. Remote build.
9:19:00 PM dev-mysimplefunction: Deployment failed.

GitHub Actions:

AzureWebJobsStorage does not exist in app settings (from Kudu SCM site with publish-profile credential). Please ensure the AzureWebJobsStorage app setting is configured as it is critical for function runtime. For more information, please visit the function app settings reference page: https://docs.microsoft.com/en-us/azure/azure-functions/functions-app-settings#azurewebjobsstorage

Based on the response to the earlier question here, it appears that the Remote Build does not work with Managed Identity.

I have followed the instructions on the reply:

• Zip the Python app locally
• Upload the zip file to a container in the storage account
• Copy the link to the uploaded zip, and adding the WEBSITE_RUN_FROM_PACKAGE to the function Application Settings, using the zip file URL as the value

The folder structure of the zip file is

.venv\
.vscode\

HttpTrigger1\
.funcignore
.gitignore
host.json
requirements.txt

This works when there are no imported Python libraries (i.e. pandas, requests, NumPy) but as soon as I add an import, the function will no longer work. The log files show ModuleNotFoundError such as "No module named 'pandas' "

So the zip deployment appears to prevent the function from installing the required packages, is there a way to get around this?

Thanks in advance for any help with this issue

Answer 1

Hello @Matthew Wainwright !

Can you please change to Service Principal Authentication and :

Go to Azure AD

App Registrations

Find the SP , go to API Permissions

Add the Appication Permissions of -Storage , user_impersonation

That solved any authentication problems i had with Azure Functions and Storage Account Access

This was my issue https://learn.microsoft.com/en-us/answers/questions/1186606/azure-functions-cannot-authenticate-to-storage-acc

I hope this helps!

Kindly mark the answer as Accepted and Upvote in case it helped!

Regards