Azure function unable to install azure-identity dependencies

Richard Haigh 40 Reputation points

I am attempting to install and azure function using the WEBSITE_RUN_FROM_PACKAGE = <STORAGE_BLOB_URL> approach with a python runtime and linux os to a dedicated subnet so as to eliminate public internet traffic.

the specific required installs are:

import logging

import os

import azure.functions as func

from azure.identity import DefaultAzureCredential, CredentialUnavailableError

from azure.keyvault.secrets import SecretClient

from azure.core.exceptions import ResourceNotFoundError, ClientAuthenticationError

Prior to uploading the function folder in zip format, I isolated the function folder through a virtual environment and install the complete requirements.txt:





without error. A subsequent func start confirms this allows local deploy. I use a freeze command to isolate the versions and update my requirements.txt. I then install all of these dependencies and packages locally.

My own python runtime is also 3.10 x64bit.

These are uploaded locally with the --upgrade flag specified.

pip install --target="./.python_packages/lib/site-packages" --upgrade -r requirements.txt

I then upload to blob storage and create the function app in a dedicated subnet with a Microsoft.Storage endpoint.

Despite this, looking at the function monitoring output, the error seems to show that it is still unable to resolve dependencies:

Result: Failure Exception: ImportError: cannot import name 'x509' from 'cryptography.hazmat.bindings._rust' (unknown location). Please check the requirements.txt file for the missing module. For more info, please refer the troubleshooting guide: Stack: File "/azure-functions-host/workers/python/3.10/LINUX/X64/azure_functions_worker/", line 387, in _handle__function_load_request func = loader.load_function( File "/azure-functions-host/workers/python/3.10/LINUX/X64/azure_functions_worker/utils/", line 48, in call raise extend_exception_message(e, message) File "/azure-functions-host/workers/python/3.10/LINUX/X64/azure_functions_worker/utils/", line 44, in call return func(*args, **kwargs) File "/azure-functions-host/workers/python/3.10/LINUX/X64/azure_functions_worker/", line 194, in load_function mod = importlib.import_module(fullmodname) File "/usr/local/lib/python3.10/importlib/", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "<frozen importlib._bootstrap>", line 1050, in _gcd_import File "<frozen importlib._bootstrap>", line 1027, in _find_and_load File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked File "<frozen importlib._bootstrap>", line 688, in _load_unlocked File "<frozen importlib._bootstrap_external>", line 883, in exec_module File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed File "/home/site/wwwroot/function_folder/", line 4, in <module> from azure.identity import DefaultAzureCredential, CredentialUnavailableError File "/home/site/wwwroot/.python_packages/lib/site-packages/azure/identity/", line 10, in <module> from ._credentials import ( File "/home/site/wwwroot/.python_packages/lib/site-packages/azure/identity/_credentials/", line 5, in <module> from .authorization_code import AuthorizationCodeCredential File "/home/site/wwwroot/.python_packages/lib/site-packages/azure/identity/_credentials/", line 9, in <module> from .._internal.aad_client import AadClient File "/home/site/wwwroot/.python_packages/lib/site-packages/azure/identity/_internal/", line 5, in <module> from .aad_client import AadClient File "/home/site/wwwroot/.python_packages/lib/site-packages/azure/identity/_internal/", line 11, in <module> from .aad_client_base import AadClientBase File "/home/site/wwwroot/.python_packages/lib/site-packages/azure/identity/_internal/", line 20, in <module> from .aadclient_certificate import AadClientCertificate File "/home/site/wwwroot/.python_packages/lib/site-packages/azure/identity/_internal/", line 7, in <module> from cryptography import x509 File "/home/site/wwwroot/.python_packages/lib/site-packages/cryptography/x509/", line 7, in <module> from cryptography.x509 import certificate_transparency File "/home/site/wwwroot/.python_packages/lib/site-packages/cryptography/x509/", line 11, in <module> from cryptography.hazmat.bindings._rust import x509 as rust_x509

My question is, is this a x509' from 'cryptography.hazmat.bindings._rust dependency specific error that others have encountered and resolved or is there a different approach that must be taken when deploying a function to an azure function app, contrary to documentation? I have downloaded the compressed folder ploaded to blob storage and everything is in the correct location. The host.json is valid and recognised. The python_packages folder is correctly uploaded and I can see the x509 package present.

Note that the specific error message is:

Result: Failure Exception: ImportError: cannot import name 'x509' from 'cryptography.hazmat.bindings._rust'

Additional application settings have been configured to facilitate a python runtime:




note that as VNet integration is required, this is on a service plan of Basic, rather than consumption. Python runtime and Linux OS using function runtime 4.~

I have tried literally moving to the wwwroot directory in kudu ssh and installing the cryptography package and the error remains unchanged.

Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
3,677 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. MikeUrnun 8,326 Reputation points

    Hello @Richard Haigh - Thanks for creating a well-formatted post, and reaching out to us on MS Q&A.

    When installing the dependencies locally prior to zipping up the deployment package, what is the Operating System you're running on? It's possible that the installed dependencies may be incompatible with the Linux OS which has been the case with other customers who hit the particular error message in the past.

    Also, I notice that you have the Remote Build settings set to true but you probably don't need them since you're opting to build locally first, and serving the app with the WEBSITE_RUN_FROM_PACKAGE = <STORAGE_BLOB_URL> setting on Azure.

    In addition, getting Python dependencies installed correctly can be quite tricky so the following resources may be of help:

    Please "Accept Answer" if the answer is helpful so that others in the community may benefit from your experience.

  2. Richard Haigh 40 Reputation points


    I found the solution. The issue was the use of a deprecated terraform resource. Since the Terraform split of replacing a the azurerm_function_app with a windows and linux version, the need is now to specify a linux app resource using the build on deployment setting.

    Note that the WEBSITE_RUN_FROM_PACKAGE in this particular scenario needs to be removed and you instead use build during deployment with the zip_deploy_file argument for success. Complete code in case anyone faces a similar issue:

    resource "azurerm_linux_function_app" "function" {
      name                        = var.app_name
      resource_group_name         =
      location                    = data.azurerm_resource_group.arc_resource_group.location
      service_plan_id             =
      storage_account_name        = var.storage_account_name
      storage_account_access_key  = var.storage_account_access_key
      https_only                  = var.https_only
      functions_extension_version = var.functions_extension_version
      app_settings = {
        "ENABLE_ORYX_BUILD"              = var.enable_oryx_build
        "SCM_DO_BUILD_DURING_DEPLOYMENT" = var.scm_do_build_during_deployment
        "FUNCTIONS_WORKER_RUNTIME"       = "python"
        "AzureWebJobsFeatureFlags"       = "EnableWorkerIndexing"
        "APPINSIGHTS_INSTRUMENTATIONKEY" = azurerm_application_insights.arc_function_insights.instrumentation_key
        "KEY_VAULT_URL" = var.key_vault_name
      site_config {
        application_stack {
          python_version = var.python_version
        always_on = var.always_on
      identity {
        type = "SystemAssigned"
      zip_deploy_file = data.archive_file.function_code.output_path
      depends_on = [data.archive_file.function_code]