Using zipdeploy without storage account key access

Walter Vos 10 Reputation points

I'm currently working on migrating all my storage accounts and related resources to allow identity based access only. I'm running into problems doing this for my function app's main storage account. I'll share some details about my current (pre-migration) setup first:

  • Running in an App Service Environment, on a dedicated plan
  • OS: Linux; Language: Python 3.9
  • Identity: User assigned managed identity only; with roles:
    • Storage Blob Data Owner
    • Storage Queue Data Contributor
    • Storage Table Data Contributor
  • App settings
    • AzureWebJobsStorage = "DefaultEndpointsProtocol=https://...."
    • WEBSITE_CONTENTAZUREFILECONNECTIONSTRING = "DefaultEndpointsProtocol=https://...."
  • Deployment is done with az webapp deployment source config-zip (...) --src "".
  • Storage account
    • with hierarchical namespace enabled
    • allow traffic from selected subnets (the ASE's subnet among others); allow Azure services on the trusted services list to access this storage account
  • Infrastructure as code with terraform

From the research I've done (there aren't not a lot of concrete solutions for my case, so it seems), in order to migrate I should set up my infrastructure such that:

  • App settings WEBSITE_CONTENTAZUREFILECONNECTIONSTRING and WEBSITE_CONTENTSHARE should be deleted; AzureWebJobsStorage__accountName and __clientId should be set, and __credential should be "managedidentity"; WEBSITE_RUN_FROM_PACKAGE = "1" should stay in place.

I've tried doing this, but deployment then fails with a 503 error. This makes sense, since deployment seems to use the storage account's primary access key to upload the zip to a file share (and I'm actively disabling the use of access keys)

How do I get out from under this? I've also tried to set WEBSITE_RUN_FROM_PACKAGE to a blob URI (and upload the zip to that URI), but that just broke my whole app.

Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
4,215 questions
0 comments No comments
{count} vote

1 answer

Sort by: Most helpful
  1. Mike Urnun 9,656 Reputation points Microsoft Employee

    Hello @Walter Vos - Thanks for reaching out & posting on the MS Q&A! I think that you're almost there with the steps you've already taken! I'd like to offer the following in addition:

    • If you're opting for manually uploading the zip package to a blob container, setting the WEBSITE_RUN_FROM_PACKAGE app setting to the Blob URI is the correct step. In addition, you'll also want to enable MSI on the Blob Storage and create the WEBSITE_RUN_FROM_PACKAGE_BLOB_MI_RESOURCE_ID app setting with its ID, the steps are documented in greater detail here: Fetch a package from Azure Blob Storage using a managed identity
    • Since you're on a Linux ASE SKU with VNET and your Function App and Storage are going to be behind separate subnets, you'll also want to take a look at the WEBSITE_CONTENTOVERVNET app setting and review the following doc: Restrict your storage account to a virtual network

    Note that the feature itself is still in preview and we do have an official doc on it which covers how there may be additional RBAC roles and configurations that need to be set depending on the varying bindings you may be using: Connecting to host storage with an identity (Preview)

    I hope the above is helpful. If you run into issues, just let me know.

    0 comments No comments