Building an azure function v2 (python) with a managed identity (User Defined)

jim01011 0 Reputation points
2024-04-11T12:16:48.63+00:00

I am following the following tutorial on Azure Functions https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-storage-blob-output?tabs=python-v2%2Cisolated-process%2Cnodejs-v4&pivots=programming-language-python

However, when I try to use the managed identity that has been created in our AAD, I received the following error.

WARNING: Some http trigger urls cannot be displayed in the output window because they require an authentication token. Instead, you may copy them from the Azure Functions explorer.

Storage account connection string 'AzureWebJobsDefaultEndpointsProtocol=xxx does not exist. Make sure that it is a defined App Setting.

A user-defined managed identity has been enabled on this blob storage.

Please can someone specify exactly the steps required to set up a user-assigned managed identity with blob storage?

Tags: Azure Functions, Azure Blob Storage

1 answer

  1. Amira Bedhiafi 33,071 Reputation points Volunteer Moderator
    2024-11-02T14:18:24.8633333+00:00

    You need to have a user-assigned managed identity created in your Azure Active Directory, and then you assign the managed identity to your Azure Function:

    • Go to the Azure portal and navigate to your Function App.
    • Under Settings, select Identity.
    • Enable the User Assigned identity and select the managed identity you created.
    • Save the changes and wait for the identity to be linked.

    Then you grant access to Azure Blob Storage:

    • Navigate to your Azure Blob Storage account.
    • Go to Access Control (IAM).
    • Click on Add role assignment.
    • Select a role like Storage Blob Data Contributor or Storage Blob Data Reader (depending on the level of access needed).
    • Assign this role to the user-assigned managed identity you added to the Function App.

    In your code, use DefaultAzureCredential from azure.identity to authenticate with the managed identity:

       from azure.identity import DefaultAzureCredential
       from azure.storage.blob import BlobServiceClient

       # DefaultAzureCredential picks up the managed identity on the Function App.
       # With no arguments it requests the system-assigned identity, so a
       # user-assigned identity has to be named by its client ID (or via the
       # AZURE_CLIENT_ID app setting).
       credential = DefaultAzureCredential(managed_identity_client_id="<your-uami-client-id>")

       # Token-based client: no account key or connection string involved.
       blob_service_client = BlobServiceClient(
           account_url="https://<your-storage-account-name>.blob.core.windows.net",
           credential=credential,
       )

       # Example of creating a container client
       container_client = blob_service_client.get_container_client("<your-container-name>")

    Then you need to set up the environment variables:

    • In the Azure portal, go to Configuration under the Settings section of your Function App.
    • Ensure that AzureWebJobsStorage (used for internal storage by Functions) is configured correctly.
    • For your code to access the storage with managed identity, you don’t need to set AzureWebJobsStorage with a key if your Function App isn’t dependent on it for data operations.
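The answer above covers the identity assignment and role grant but not the app settings that a blob binding actually reads, which is where the question's error comes from: the Functions host treats the binding's connection value as the name of an app setting, so pasting a connection string into it produces a lookup for a setting called 'AzureWebJobsDefaultEndpointsProtocol=...'. The following is an added example, not code from the original question or answer. It builds the `<prefix>__blobServiceUri` / `__credential` / `__clientId` settings for an identity-based connection, models the host's lookup so the "does not exist" condition can be reproduced and checked, and creates a BlobServiceClient bound to the user-assigned identity. The account name `mystorageacct`, the connection prefix `MyStorage` and the all-zero client ID are placeholder assumptions; a Python v2 binding such as `@app.blob_output(arg_name="out", path="<container>/<blob>", connection="MyStorage")` would then resolve through these settings.

```python
"""
Added example, not code from the original question or answer: builds the app
settings an Azure Functions blob binding reads for an identity-based
connection, models how the host resolves a binding's `connection` name (which
reproduces the "does not exist" error in the question), and creates an SDK
client that uses the same user-assigned identity. The account name, the
connection prefix and the client ID used below are placeholder assumptions.
"""
import json
import re
from typing import Dict, Optional

# Markers of an account-key or SAS connection string, i.e. the secret that an
# identity-based connection is meant to remove from app settings.
SECRET_CONNECTION_RE = re.compile(
    r"DefaultEndpointsProtocol=|AccountKey=|SharedAccessSignature=", re.IGNORECASE
)


def identity_connection_settings(prefix: str, account: str,
                                 client_id: Optional[str]) -> Dict[str, str]:
    """App settings for an identity-based connection named `prefix`.

    A binding declared with connection="<prefix>" makes the host look for
    `<prefix>__blobServiceUri` (and `__queueServiceUri`) instead of a plain
    `<prefix>` connection string. `credential=managedidentity` with a
    `clientId` selects a user-assigned identity; without `clientId` the
    system-assigned identity is used.
    """
    if not account or "__" in prefix:
        raise ValueError("account is required and prefix must not contain '__'")
    settings = {
        f"{prefix}__blobServiceUri": f"https://{account}.blob.core.windows.net",
        f"{prefix}__queueServiceUri": f"https://{account}.queue.core.windows.net",
        f"{prefix}__credential": "managedidentity",
    }
    if client_id:
        settings[f"{prefix}__clientId"] = client_id
    return settings


def diagnose_connection(app_settings: Dict[str, str], connection: str) -> str:
    """Model of how the host resolves a binding's `connection` value.

    The host treats `connection` as an app-setting *name* and also tries it
    with the `AzureWebJobs` prefix (connection="Storage" resolves to
    AzureWebJobsStorage). Pasting the connection string itself into
    `connection` is what yields a lookup for
    'AzureWebJobsDefaultEndpointsProtocol=...' as in the question.
    """
    if SECRET_CONNECTION_RE.search(connection):
        return "malformed: connection holds a value, not an app-setting name"
    for name in (connection, "AzureWebJobs" + connection):
        if name in app_settings:
            value = app_settings[name]
            return "key-based" if SECRET_CONNECTION_RE.search(value) else "unrecognised value"
        if f"{name}__blobServiceUri" in app_settings or f"{name}__serviceUri" in app_settings:
            cred = app_settings.get(f"{name}__credential", "").lower()
            if cred == "managedidentity" and app_settings.get(f"{name}__clientId"):
                return "identity-based (user-assigned)"
            return "identity-based"
    return "missing"


def local_settings_json(values: Dict[str, str]) -> str:
    """Render a local.settings.json document carrying the given Values."""
    doc = {"IsEncrypted": False,
           "Values": {"FUNCTIONS_WORKER_RUNTIME": "python", **values}}
    return json.dumps(doc, indent=2)


def blob_service_client_for_uami(account: str, client_id: str):
    """BlobServiceClient authenticated as the user-assigned identity.

    DefaultAzureCredential() with no arguments requests the system-assigned
    identity on the host; a user-assigned identity has to be named by client
    ID here (or through the AZURE_CLIENT_ID environment variable). The SDK
    imports are local so the rest of this module runs without them installed.
    """
    from azure.identity import DefaultAzureCredential
    from azure.storage.blob import BlobServiceClient

    credential = DefaultAzureCredential(managed_identity_client_id=client_id)
    return BlobServiceClient(
        account_url=f"https://{account}.blob.core.windows.net", credential=credential
    )


if __name__ == "__main__":
    # Placeholder values (assumptions): replace with your own.
    settings = identity_connection_settings(
        "MyStorage", "mystorageacct", "00000000-0000-0000-0000-000000000000"
    )
    print(local_settings_json(settings))
    print(diagnose_connection(settings, "MyStorage"))
    print(diagnose_connection({}, "DefaultEndpointsProtocol=https;AccountName=x;AccountKey=y"))
```

The portal steps in the answer correspond to `az functionapp identity assign --identities <uami-resource-id>`, `az role assignment create --role "Storage Blob Data Contributor" --assignee-object-id <uami-principal-id> --assignee-principal-type ServicePrincipal --scope <storage-account-resource-id>`, and one `az functionapp config appsettings set --settings <key>=<value>` per setting the block emits. Keep the binding's connection under its own prefix rather than reusing AzureWebJobsStorage: the host's own storage connection also writes blobs and queues and so needs broader roles than the Storage Blob Data Contributor or Reader grant the answer describes.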
