Configuring Azure Blob Trigger Identity Based Connection
So you want to connect your blob-triggered function to a storage account, but you don’t want to put your connection string or secrets into the configuration? Andrew Redman explores how to do it in this blog post.
What’s the problem?
You want to connect your blob-triggered function to a storage account, but you don’t want to put your connection string or secrets into the configuration. Prior to Azure Blobs extension 5.0.0, a connection string was your only option, but not anymore. With these later versions you can connect to your storage account using a managed identity. Here are the simple steps involved to make this happen.
We have the following resources that we are using to demonstrate this setup.
- Azure Function, v4 with a managed identity. Make sure you are using Azure Blobs extension version 5.0.0 or later. For C#, you can install this extension using NuGet tools (Visual Studio) or the .NET Core CLI (Visual Studio Code); if you are using a non-.NET language, the extension bundles are recommended. You will need at least Bundle version 3.x, which contains the 5.x versions of the extensions. You can see which extensions are in Bundle version 3.x from the extensions file.
- Storage Account with a container
- In our example we will be using a different storage account than the one created with our function by default. That one is usually denoted as the ‘AzureWebJobsStorage’ account in the configuration. As a side note, you can also connect to that storage account using a managed identity. You can find the documentation for that here, as well as a blog on that specific subject here.
Azure Function App
You will need to make sure you have a function app created that you can use. How it is created does not matter; however, you do need to ensure a few of the settings are appropriately configured. First, you need to ensure the system-assigned managed identity is enabled. You will also need to update the storage account connection setting name to match the connection name in your trigger.
Please see the Step-by-Step below to see this in action, but the convention for this setting is ‘<CONNECTION_NAME>__serviceUri’. If this is a new function, you can add the new setting using the CONNECTION_NAME you have configured in your code; if it is an existing function that is using a connection string, you will want to replace that connection string setting with this new one. If you want to dig deeper into the details, check out the full document on setting up identity-based connections for Azure Blob storage triggers.
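To show the convention end to end, here is an added example (not code from the original post) of an in-process .NET Functions v4 blob trigger whose Connection name lines up with a ‘<CONNECTION_NAME>__serviceUri’ setting; the connection name ‘DocsStorage’, the container ‘incoming’ and the function name are assumptions for illustration.

```csharp
// Added example, not from the original post: a blob trigger bound to a second storage
// account through the function app's managed identity instead of a connection string.
// Assumes Microsoft.Azure.WebJobs.Extensions.Storage.Blobs >= 5.0.0 and a hypothetical
// connection name "DocsStorage" with a hypothetical container "incoming".
//
// App setting (Function App > Configuration, or "Values" in local.settings.json locally):
//   "DocsStorage__serviceUri": "https://<storage-account>.blob.core.windows.net"
// Do not leave a plain "DocsStorage" connection-string setting alongside it.
// The system-assigned identity needs the Storage Blob Data Owner role on that account
// (Microsoft's role table for the blob trigger also lists Storage Queue Data Contributor).
// Locally the extension falls back to your developer sign-in (for example `az login`),
// so no secret is needed in local.settings.json either.
using System.IO;
using System.Threading.Tasks;
using Microsoft.Azure.WebJobs;
using Microsoft.Extensions.Logging;

namespace IdentityBlobTriggerSample
{
    public static class ProcessIncomingBlob
    {
        // Connection = "DocsStorage" is the prefix of the "DocsStorage__serviceUri" setting;
        // the extension resolves it to the account URI and authenticates with the identity.
        [FunctionName("ProcessIncomingBlob")]
        public static async Task Run(
            [BlobTrigger("incoming/{name}", Connection = "DocsStorage")] Stream blob,
            string name,
            ILogger log)
        {
            using var reader = new StreamReader(blob);
            string content = await reader.ReadToEndAsync();
            log.LogInformation(
                "Blob {Name} received over an identity-based connection ({Length} chars)",
                name, content.Length);
        }
    }
}
```

If the role assignment is missing, the trigger never fires and the host logs an authorization failure for the account, which is the first thing to check before suspecting the setting name.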