Configuring Azure blob storage with RBAC access in Azure function

Question

Configuring Azure blob storage with RBAC access in Azure function

lakshmi 816

Hi Team, We have enabled RBAC access for Cosmos and Blob storage. We have configured the blob storage and cosmos client with the service endpoint and default azure credentials in azure web app and we are able to access the cosmos data and storage tables and blob. Same configuration we have made in Azure functions. Below is the JSON file,

"AzureWebJobsStorage__blobServiceUri": "https://<account name>.blob.core.windows.net/",

Startup File:

builder.Services.AddSingleton<IStorage>(_ => new BlobsStorage(new Uri($"{Environment.GetEnvironmentVariable("AzureWebJobsStorage__blobServiceUri")}{Environment.GetEnvironmentVariable(<ContainerName>)}"), new DefaultAzureCredential(), new StorageTransferOptions(), new BlobClientOptions()));

While building the code we are getting the below error,


[2024-02-19T16:43:38.310Z] Microsoft.Azure.WebJobs.Script.WebHost: Secret initialization from Blob storage failed due to missing both an Azure Storage connection string and a SAS connection uri. For Blob Storage, please provide at least one of these. If you intend to use files for secrets, add an App Setting key 'AzureWebJobsSecretStorageType' with value 'Files'.
Value cannot be null. (Parameter 'provider')

lakshmi 816 Reputation points

2024-02-22T05:24:58.1633333+00:00

Hi Team, Can any one help on this

1 answer

Your answer

lakshmi 816 Reputation points

2024-02-22T05:24:58.1633333+00:00

Hi Team, Can any one help on this

Answer 1

Pramod Valavala 20,656 Microsoft Employee Moderator

@lakshmi In addition to your own code, the Azure Functions Runtime uses Azure Storage as well and needs to be configured appropriately as well as shown in the official docs.

I assume you are not using the Storage Binding due to the Startup Code you shared. So you could also consider using a different App Setting Name for your client and continue using the regular one for the functions runtime.

If you intend to use Managed Identity across the board, then follow the docs linked above for the functions runtime including the common set of app settings required.

lakshmi 816

@Pramod Valavala , Thanks for the reply. We are configuring the endpoint for cosmos db and storage account blob and table in local settings json

"IsEncrypted": false,
  "Values": {
    "AzureWebJobsStorage__tableServiceUri": "https://<accnt name>.table.core.windows.net/",

    "AzureWebJobsStorage__blobServiceUri": "

    "CosmosDbConnection": "https://

We are creating cosmos client and adding blob storage service to configuration, User's image

The same local setting connection name is used in cosmos db trigger for acessing the cosmos db and storage table.

[FunctionName("log-available-agents")]
        public async Task Run([CosmosDBTrigger(
            databaseName: "%CosmosDatabaseId%",
            containerName: "<cosmos db table name>",
            Connection = "CosmosDbConnection",
            LeaseContainerName = "leases",
            CreateLeaseContainerIfNotExists  = true)] IReadOnlyList<Agent> input,
            ILogger logger,
            [Table("agentLogs", Connection = "AzureWebJobsStorage__tableServiceUri")] IAsyncCollector<LogEntity> table,
            [CosmosDB(
            databaseName: "%CosmosDatabaseId%",
            containerName: "<cosmos db table name>",
            Connection = "CosmosDbConnection")]CosmosClient client)
        {
		}

lakshmi 816

@Pramod Valavala , Thanks for the reply.. We are setting the endpoints for cosmos db and storage account (blob and table) in local settings as below


  "IsEncrypted": false,
  "Values": {
    "AzureWebJobsStorage__tableServiceUri": "https://<storageaccount>.table.core.windows.net/",
    "AzureWebJobsStorage__blobServiceUri": "https://<storageaccount>.blob.core.windows.net/",
    "CosmosDbConnection": "https://<cosmos db account>.documents.azure.com:443/",
}

Also we are are injecting the Blob storage object to function builder and creating cosmos client with default credential. User's image

From Cosmos db trigger we have mentioned the cosmos db connection endpoint and table storage endpoint.

    [FunctionName("log-available-agents")]
    public async Task Run([CosmosDBTrigger(
        databaseName: "%CosmosDatabaseId%",
        containerName: "<comos db table name>",
        Connection = "CosmosDbConnection",
        LeaseContainerName = "leases",
        CreateLeaseContainerIfNotExists  = true)] IReadOnlyList<Agent> input,
        ILogger logger,
        [Table("agentLogs", Connection = "AzureWebJobsStorage__tableServiceUri")] IAsyncCollector<LogEntity> table,
        [CosmosDB(
        databaseName: "%CosmosDatabaseId%",
        containerName: "<comos db table name>",
        Connection = "CosmosDbConnection")]CosmosClient client)
    {

Could you please suggest how can we configure this connection in cosmos db trigger to avoid exception ' Exception type: Azure.Identity.CredentialUnavailableException'

Share via

Configuring Azure blob storage with RBAC access in Azure function

1 answer

Your answer