Logic App access to Hosting Storage account using Managed Identity

Vignesh Sukumar 26 Microsoft Employee

Hi Team ,

Wanted to check if the Managed identity support is available in Logic App Standard (in ASE), to access the hosting storage account.

Current Configuration in Environment Variable is with AzureWebJobsStorage

When we try to replace with below three params

AzureWebJobsStorage__accountName , AzureWebJobsStorage__clientId, AzureWebJobsStorage__credential

Getting an error: Microsoft.WindowsAzure.Storage: Value cannot be null. (Parameter 'connectionString').

Please suggest if am missing anything.

PS: Both Logic app and storage account are in VNet and was able to access via direct connection string.

Nikolay Hristozov 1

I`m having the same issue, and as far as I was able to test, nothing works. In the article provided from (I went trough it couple of times, before I found that thread here) there is info how to prepare the prerequisite, but this setup is not working with Standard logic apps, although the backend is more like function app, it obviously is not the same. I`ve tried the AzureWebJobsStorage__accountName but the "Microsoft.WindowsAzure.Storage: Value cannot be null. (Parameter 'connectionString')." error appears with every type of managed identity authentication configuration. The MI does have all the needed permissions (even more) but the runtime is not even starting with this setup and you cannot add any kind of workflows to test it. Switching back to access keys and restarting the app is doing the job, but we are not using access on storage accounts, hence I cannot use it without RBAC and MI authentication. If someone made it work somehow, please let me know, it would be great.

Huihui Wu 0 Reputation points Microsoft Employee

2024-06-17T08:09:09.6+00:00

Having the same issue.

1 answer

Deepanshukatara-6769 7,435 Reputation points

2024-05-08T13:48:45.49+00:00
Hi Vignesh,

Yes support is there , please check this https://learn.microsoft.com/en-us/azure/logic-apps/authenticate-with-managed-identity?tabs=consumption

Using Managed Identity to access the storage account from a Logic App Standard running in an App Service Environment (ASE). Managed Identity allows Azure services to authenticate securely without needing explicit credentials like connection strings.

Here are a few things to consider and troubleshoot:

Managed Identity Setup: Ensure that Managed Identity is properly configured for the Logic App Standard instance within the App Service Environment. You can check this in the Azure portal by navigating to the Logic App's settings and then the Identity section.

Access Control: Confirm that the Managed Identity has the necessary permissions (e.g., Blob Data Contributor) on the storage account. You can set this up in the Access Control (IAM) section of the storage account.

3. Environment Variables: When using Managed Identity, you generally don't need to specify connection string parameters such as accountName, clientId, and credential in the environment variables. Instead, you should use the AzureWebJobsStorage and give the value of storage account name it will connect and can be accessed directly

Kindly accept answer if it helps , Thankyou!
Please sign in to rate this answer.
Deepanshukatara-6769 7,435 Reputation points

2024-05-09T07:05:51.33+00:00

Following up to see if the provided answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Deepanshukatara-6769 7,435 Reputation points

2024-05-09T07:06:12.22+00:00

Please update

Vignesh Sukumar 26 Reputation points Microsoft Employee

2024-05-09T11:02:16.25+00:00

Thanks much for the response.

In specific to User-Managed Identity, is there any documentation that can help

Deepanshukatara-6769 7,435 Reputation points

2024-05-09T11:04:49.7133333+00:00

yes Vignesh please check this https://learn.microsoft.com/en-us/azure/logic-apps/authenticate-with-managed-identity?tabs=consumption.

Please accept answer if it helps , Thanks!

Deepanshukatara-6769 7,435 Reputation points

2024-05-13T06:53:51.73+00:00

Can you please update and accept here please , Thanks!

Vignesh Sukumar 26 Reputation points Microsoft Employee

2024-05-16T10:31:19.6933333+00:00

Thanks for the response, but the app setting based access to Hosting Storage account is not defined in specific to User Managed Identity.

In the First link shared is relevant: it uses System Managed Identity, we need to know how this can be addressed with user managed identity

Deepanshukatara-6769 7,435 Reputation points

2024-05-16T15:21:59.5733333+00:00

Ok Vignesh but if you can please check that first link again , you will see an option to do using user managed identity as well, please check image for ref so ju

so just need to add the user managed identity here and then assigned that UMI in to the IAM of Storage account .

Please let me know if you have any further questions

Deepanshukatara-6769 7,435 Reputation points

2024-05-18T05:51:51.7566667+00:00

@vignesh , can you please update here once , Thanks!

Deepanshukatara-6769 7,435 Reputation points

2024-05-20T04:52:05.7433333+00:00

Can you please update so we consider it is closed , Thanks!

Deepanshukatara-6769 7,435 Reputation points

2024-05-21T08:13:22.5066667+00:00

Vignesh , are we good to close this one, Thanks!

Deepanshukatara-6769 7,435 Reputation points

2024-05-22T05:14:08.72+00:00

Gentle reminder 3 , Vignesh request you to please update here , Thanks

Aninda Basu 0 Reputation points Microsoft Employee

2024-05-23T10:23:38.1266667+00:00

Hello Deepanshu, I can see this fix works for Function App to Hosting Storage, but is not working for Logic App to Hosting Storage. It throws:: "

Value cannot be null. (Parameter 'connectionString')

"

Deepanshukatara-6769 7,435 Reputation points

2024-05-23T17:37:25.0433333+00:00

Yes Aninda Unfortunately, Azure Logic Apps Standard does not yet support the same environment variable configuration (AzureWebJobsStorage__accountName, AzureWebJobsStorage__clientId, AzureWebJobsStorage__credential) that Azure Functions does for accessing storage using Managed Identity.

but we canhave ample configuration for using Managed Identity in a Logic App to access a blob from Azure Storage:

{ "definition": { "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", "actions": { "GetBlobContent": { "inputs": { "host": { "connection": { "name": "@parameters('$connections')['azureblob']['connectionId']" } }, "method": "get", "path": "/v2/datasets/@{encodeURIComponent(encodeURIComponent('<your-container-name>'))}/tables/@{encodeURIComponent(encodeURIComponent('<your-blob-name>'))}/content", "authentication": { "type": "ManagedServiceIdentity" } }, "runAfter": {}, "type": "ApiConnection" } }, "outputs": {}, "triggers": { "manual": { "inputs": {}, "kind": "Http", "type": "Request" } } }, "parameters": { "$connections": { "defaultValue": {}, "type": "Object" } }, "connectionReferences": { "azureblob": { "api": { "id": "/subscriptions/<Azure-subscription-ID>/providers/Microsoft.Web/locations/<Azure-region>/managedApis/azureblob" }, "authentication": { "type": "ManagedServiceIdentity" }, "connectionName": "<connector-name>", "connectionRuntimeUrl": "<connection-runtime-URL>" } } }
Sign in to comment

Share via

Logic App access to Hosting Storage account using Managed Identity

1 answer