
Managed Identity w/Azure Functions and Storage accounts

What is the appropriate way to use managed identity with Azure Functions and Storage accounts if the AzureWebJobsStorage app setting is required by the function host? Is there a managed identity version of the storage account connection string that doesn't include the access key?

Joey Eng asked Oct 25 '25 19:10


1 Answer

It is now possible to configure a function app to authenticate with its storage account via managed identity.

Full details are available here

In summary, in the app settings for the function app:

  • delete setting for "AzureWebJobsStorage"
  • create a new app setting named "AzureWebJobsStorage__accountName"
  • the value of the new setting should be the name of the storage account

Ensure the function app has "Storage Blob Data Owner" role over the storage account. If the function app uses the storage account's queue (e.g. queue binding) then it will also need "Storage Queue Data Contributor" role.

Rob Bowman answered Oct 28 '25 11:10
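A check for the steps in the answer above, added here as an example and not part of the original answer: it audits a function app's settings and role names for a leftover `AzureWebJobsStorage` connection string, a missing `AzureWebJobsStorage__accountName`, any setting that still embeds a storage key, and the two roles the answer names. The `audit` function, the `name`/`value` input shape, the finding codes and the `examplestore` sample data are assumptions constructed for illustration.

```python
import json

BLOB_ROLE = "Storage Blob Data Owner"
QUEUE_ROLE = "Storage Queue Data Contributor"
# Connection-string fields that carry a shared secret.
SECRET_MARKERS = ("accountkey=", "sharedaccesssignature=")

def audit(app_settings, role_names, uses_queues=False):
    """Return (code, detail) findings; an empty list means the app matches the steps."""
    settings = {s["name"]: (s.get("value") or "") for s in app_settings}
    findings = []
    if "AzureWebJobsStorage" in settings:
        findings.append(("LEGACY_SETTING", "delete AzureWebJobsStorage"))
    account = settings.get("AzureWebJobsStorage__accountName", "").strip()
    if not account:
        findings.append(("NO_ACCOUNT_NAME", "create AzureWebJobsStorage__accountName"))
    elif "=" in account or ";" in account:
        findings.append(("NOT_A_NAME", "value must be the bare storage account name"))
    # Any setting that still embeds an account key or SAS defeats the migration.
    for name, value in sorted(settings.items()):
        if any(marker in value.lower() for marker in SECRET_MARKERS):
            findings.append(("SECRET_IN_SETTING", name))
    roles = set(role_names)
    if BLOB_ROLE not in roles:
        findings.append(("MISSING_ROLE", BLOB_ROLE))
    if uses_queues and QUEUE_ROLE not in roles:
        findings.append(("MISSING_ROLE", QUEUE_ROLE))
    return findings

# Constructed sample input: settings before and after the change.
BEFORE = json.loads("""[
  {"name": "AzureWebJobsStorage",
   "value": "DefaultEndpointsProtocol=https;AccountName=examplestore;AccountKey=REDACTED"},
  {"name": "FUNCTIONS_WORKER_RUNTIME", "value": "python"}
]""")
AFTER = json.loads("""[
  {"name": "AzureWebJobsStorage__accountName", "value": "examplestore"},
  {"name": "FUNCTIONS_WORKER_RUNTIME", "value": "python"}
]""")

if __name__ == "__main__":
    for label, cfg, roles in (("before", BEFORE, []), ("after", AFTER, [BLOB_ROLE])):
        print(label, audit(cfg, roles, uses_queues=True))
```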