Can a function app access Azure storage accounts via managed identity in sovereign clouds?

Anurag Anand 20 Reputation points Microsoft Employee
2024-09-13T07:09:41.5333333+00:00

I am trying to disable shared key-based access on my storage account. This storage account is accessed by an Azure function app to fetch data via key-based access. I want to authenticate the function app via managed identity instead, and for that I followed this document: https://learn.microsoft.com/en-us/azure/azure-functions/functions-reference?tabs=blob&pivots=programming-language-csharp#connecting-to-host-storage-with-an-identity

The above solution seems to work in PROD but does not work in Sovereign cloud (Mooncake and Fairfax). There is a paragraph that explains this:
User's image

Can someone please share the steps to configure function apps to access storage accounts via managed identity in sovereign clouds, as our service also exists in Fairfax and Mooncake?

Azure Functions
An Azure service that provides an event-driven serverless compute platform.

Accepted answer
  1. Pinaki Ghatak 4,610 Reputation points Microsoft Employee
    2024-09-16T18:36:44.45+00:00

    Hello @Anurag Anand

    Yes, Azure Functions can access Azure Storage accounts via managed identity in sovereign clouds. However, the steps to configure this may differ slightly from the steps in the document you mentioned, depending on the specific sovereign cloud you are using.

    Here are the general steps to configure a function app to access a storage account via managed identity in any sovereign cloud:

    1. Enable a managed identity for your function app. You can do this by following the instructions in the Azure documentation.
    2. Assign the managed identity the necessary permissions to access the storage account. You can do this by following the instructions in the Azure documentation.
    3. In your function app, remove any connection strings or secrets related to the storage account.
    4. Add the following environment variables to your function app's configuration:
    • AzureWebJobsStorage__blobServiceUri: The URI of the blob service endpoint for your storage account.
    • AzureWebJobsStorage__queueServiceUri: The URI of the queue service endpoint for your storage account.
    • AzureWebJobsStorage__tableServiceUri: The URI of the table service endpoint for your storage account.

    For example, if your storage account name is mystorageaccount and you are using the Mooncake sovereign cloud, the environment variables would be:

    • AzureWebJobsStorage__blobServiceUri: https://mystorageaccount.blob.core.chinacloudapi.cn/
    • AzureWebJobsStorage__queueServiceUri: https://mystorageaccount.queue.core.chinacloudapi.cn/
    • AzureWebJobsStorage__tableServiceUri: https://mystorageaccount.table.core.chinacloudapi.cn/

    Note that the endpoints for each sovereign cloud may differ slightly, so be sure to use the correct endpoints for your cloud. This should get you started.
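
A way to check steps 3 and 4 before disabling shared key access, as an added example that is not part of the original answer or of Microsoft's documentation: it audits a function app's settings (for instance, exported to a dict) for leftover key-based connections and for service URIs that do not match the target cloud. The function name, the cloud labels and the sample values are assumptions made for illustration; the Fairfax and public-cloud suffixes are the standard storage endpoint suffixes and do not come from the answer.

```python
from urllib.parse import urlparse

# Storage endpoint suffix per cloud. Only the Mooncake suffix appears in the
# answer above; the other two are the standard public and US Government ones.
STORAGE_SUFFIX = {
    "public": "core.windows.net",
    "mooncake": "core.chinacloudapi.cn",
    "fairfax": "core.usgovcloudapi.net",
}
SERVICES = ("blob", "queue", "table")
PREFIX = "AzureWebJobsStorage"


def audit_host_storage(settings, account, cloud):
    """Return a list of findings; an empty list means steps 3 and 4 are satisfied."""
    findings = []
    suffix = STORAGE_SUFFIX[cloud]

    # Step 3: no connection string or secret for the storage account may remain.
    for name, value in settings.items():
        if name == PREFIX or "AccountKey=" in value or "SharedAccessSignature=" in value:
            findings.append(f"{name}: secret-based connection still configured")

    # Step 4: each service URI must exist, use https, and point at this cloud.
    for svc in SERVICES:
        name = f"{PREFIX}__{svc}ServiceUri"
        value = settings.get(name)
        if value is None:
            findings.append(f"{name}: missing")
            continue
        url = urlparse(value)
        expected = f"{account}.{svc}.{suffix}"
        if url.scheme != "https":
            findings.append(f"{name}: scheme is {url.scheme!r}, expected 'https'")
        if (url.hostname or "") != expected:
            findings.append(f"{name}: host is {url.hostname!r}, expected {expected!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample: public-cloud blob URI copied into a Mooncake app.
    sample = {
        "AzureWebJobsStorage__blobServiceUri": "https://mystorageaccount.blob.core.windows.net/",
        "AzureWebJobsStorage__queueServiceUri": "https://mystorageaccount.queue.core.chinacloudapi.cn/",
    }
    for finding in audit_host_storage(sample, "mystorageaccount", "mooncake"):
        print(finding)
```
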

