How to disable storage account key access and use a System-Assigned Managed Identity for the default-created storage account of an Azure Function app

Kumar, Anand 0 Reputation points
2024-07-01T09:13:12.7033333+00:00

I have an Azure Function App with an associated storage account that was automatically created when the Function App was set up. This storage account contains azure-webjobs-hosts, azure-webjobs-secrets, and a file in file shares. Currently, the Function App uses the storage account via account keys. I want to disable SAS key access and switch to using a System-Assigned Managed Identity. I followed the steps in the Microsoft documentation at the link below for setting up a System-Assigned Managed Identity but was unsuccessful.

https://learn.microsoft.com/en-us/azure/azure-functions/functions-identity-based-connections-tutorial#grant-the-system-assigned-identity-access-to-the-storage-account

Any suggestions how to do that?


2 answers

  1. Amrinder Singh 4,270 Reputation points Microsoft Employee
    2024-07-01T09:52:27.27+00:00

    Hi Kumar, Anand - Thanks for reaching out.

    Can you please share the error/exception message that you received post configuration? This might help in further investigation/troubleshooting or in deciding the next action plan.


  2. Kumar, Anand 0 Reputation points
    2024-07-01T14:33:45.94+00:00

    I found the following error messages under Function App -> Diagnose and Solve Problems:

    System.UnauthorizedAccessException A host error has occurred during startup operation 'e4****f7'. Access to the path 'C:\home\site\wwwroot' is denied.

    System.ComponentModel.Win32Exception
    Failed to start Worker Channel. Process fileName: C:\Program Files (x86)\SiteExtensions\Functions\4.34.2\workers\dotnet-isolated/bin/FunctionsNetHost.exe An error occurred trying to start process 'C:\Program Files (x86)\SiteExtensions\Functions\4.34.2\workers\dotnet-isolated/bin/FunctionsNetHost.exe' with working directory 'C:\home\site\wwwroot'. The directory name is invalid.

    Removing errored webhost language worker channel for runtime: dotnet-isolated workerId:b25***38 System.AggregateException : One or more errors occurred. (An error occurred trying to start process 'C:\Program Files (x86)\SiteExtensions\Functions\4.34.2\workers\dotnet-isolated/bin/FunctionsNetHost.exe' with working directory 'C:\home\site\wwwroot'. The directory name is invalid.) ---> An error occurred trying to start process 'C:\Program Files (x86)\SiteExtensions\Functions\4.34.2\workers\dotnet-isolated/bin/FunctionsNetHost.exe' with working directory 'C:\home\site\wwwroot'. The directory name is invalid.

    Function app: Function host is not running.
