In my organization I have a requirement to set "Allow storage account key access" on a storage account to Disabled, such that Primary and Secondary Access keys cannot be used to connect to the storage account:

When I create a simple Consumption based .NET 3.1 Function App in Azure Portal and create a sample Queue Triggered function directly in the Portal, my Function App cannot access anything on its own storage account when I have this "Allow storage account key access" set to Disabled.
I can understand that it cannot access its own binary files which are stored in the storage account's fileshare. I have created a Managed Identity for my Function App and assigned it all these RBAC roles on its own storage account:

Why can't the Function App read its own files when I have given it all these permissions?

My Configuration uses this syntax AzureWebJobsStorage__accountName:

Application Insights is also not available:

If I set "Allow storage account key access" to Enabled then everything works:


So how do I go about this simple scenario of having to fulfil the requirement to have "Allow storage account key access" set to Disabled and use a .NET Consumption based Function App?
UPDATE: I've now created a .NET 6 Isolated C# Function and deployed the code to a new FunctionApp with .NET 6 support and used the notation "AzureWebJobsStorage__accountName" in my Configuration and it still doesn't work for me.


UPDATE2: I have managed to get it to work. The trick was to use Microsoft.Azure.WebJobs.Extensions.Storage.Queues version 5.x+, as this supports AAD Authentication: Microsoft.Azure.WebJobs.Extensions.Storage.Queues. You cannot use the Developer Portal under Functions in the Function App to test this out. You need to test it out in code.
For an Azure Function to read from a Storage Account and its Queue, you need to provide the Storage Queue Data Contributor role on the Storage Account for the Azure Function's Managed Identity.
In order to use Managed Identity and thus AAD Authentication the Azure Function code needs to use version 5.x+ of this package: Microsoft.Azure.WebJobs.Extensions.Storage.Queues
The .NET 6 Isolated Azure Function that is Queue Triggered looks like this:
```csharp
using Microsoft.Azure.Functions.Worker;
using Microsoft.Extensions.Logging;

public class Function1
{
    private readonly ILogger _logger;

    public Function1(ILoggerFactory loggerFactory)
    {
        _logger = loggerFactory.CreateLogger<Function1>();
    }

    // Queue trigger with no explicit Connection: it uses AzureWebJobsStorage,
    // which the host resolves from AzureWebJobsStorage__accountName using the
    // app's managed identity instead of an account key.
    [Function("Function1")]
    public void Run([QueueTrigger("myqueue01")] string myQueueItem)
    {
        _logger.LogInformation($"C# Queue trigger function processed: {myQueueItem}");
    }
}
```
and the local.settings.json looks like this:
```json
{
  "IsEncrypted": false,
  "Values": {
    "AzureWebJobsStorage__accountName": "<storage-account-name-here>",
    "FUNCTIONS_WORKER_RUNTIME": "dotnet-isolated"
  }
}
```
and when it is Published to an Azure Function App you can just have this configuration: AzureWebJobsStorage__accountName
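The end-to-end setup the answer describes, as an added Azure CLI script (not from the original post): disable shared-key access on the storage account, give the Function App a system-assigned identity, grant it the queue role from the answer plus Storage Blob Data Owner, which the Functions host documentation requires for identity-based host storage, and swap the key-based `AzureWebJobsStorage` setting for `AzureWebJobsStorage__accountName`. Subscription, resource group, account and app names are placeholders, and `az` is assumed to be installed and logged in.

```shell
#!/usr/bin/env bash
# Added example: configure a Function App to reach its host storage account
# with a managed identity after "Allow storage account key access" is Disabled.
set -euo pipefail

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-functions}"                           # placeholder
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-stfuncdemo01}"                         # placeholder
FUNCTION_APP="${FUNCTION_APP:-func-demo-01}"                               # placeholder

# Resource ID of the storage account, used as the RBAC scope (pure helper).
storage_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' \
    "$1" "$2" "$3"
}

# Data-plane roles the identity needs on that one account: Blob Data Owner for
# the host's own storage use, Queue Data Contributor for the queue trigger.
required_roles() {
  printf '%s\n' "Storage Blob Data Owner" "Storage Queue Data Contributor"
}

configure_identity_access() {
  local scope principal_id
  scope="$(storage_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT")"

  # 1. Enforce the policy: primary/secondary keys can no longer authenticate.
  az storage account update -g "$RESOURCE_GROUP" -n "$STORAGE_ACCOUNT" \
    --allow-shared-key-access false --output none

  # 2. System-assigned managed identity for the Function App.
  principal_id="$(az functionapp identity assign -g "$RESOURCE_GROUP" -n "$FUNCTION_APP" \
    --query principalId -o tsv)"

  # 3. Least privilege: roles scoped to this storage account only.
  required_roles | while IFS= read -r role; do
    az role assignment create --assignee-object-id "$principal_id" \
      --assignee-principal-type ServicePrincipal --role "$role" --scope "$scope" --output none
  done

  # 4. Replace the connection string with the identity-based setting. The content
  #    file share setting, if the app has one, still needs a connection string.
  az functionapp config appsettings delete -g "$RESOURCE_GROUP" -n "$FUNCTION_APP" \
    --setting-names AzureWebJobsStorage --output none
  az functionapp config appsettings set -g "$RESOURCE_GROUP" -n "$FUNCTION_APP" \
    --settings "AzureWebJobsStorage__accountName=$STORAGE_ACCOUNT" --output none
}

# Only touch Azure when explicitly asked: ./setup.sh --apply
if [ "${1:-}" = "--apply" ]; then configure_identity_access; fi
```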
