Setting a storage account's "Allow storage account key access" to disabled breaks function deployments.

Question

Setting a storage account's "Allow storage account key access" to disabled breaks function deployments.

Demougin, Matthew W 0

I've been requested to disable storage account key access on a set of storage accounts. Doing so results in an inability to deploy the azure function that is connected to the storage account.

When the account is set to enable storage account key access it works.

User's image

When I switch to Disabled, it breaks:

User's image

It has the following error:

User's image

This URL leads to User's image

because disable also disconnects the storage account and function

User's image

It's hard for me to believe that this combination simply doesn't work in Azure. Any help getting this setup would be greatly appreciated.

Thanks!

1 answer

Your answer

Answer 1

Silvia Wibowo 5,441 Microsoft Employee

Hi @Demougin, Matthew W , I understand that you have a requirement to disable storage account keys. However, your Azure Functions stop working when you disable storage account keys.

By default, function apps configure the AzureWebJobsStorage connection as a connection string stored in the AzureWebJobsStorage application setting, but you can also configure AzureWebJobsStorage to use an identity-based connection without a secret.

Caution: Other components in Functions rely on AzureWebJobsStorage for default behaviors. You should not move it to an identity-based connection if you are using older versions of extensions that do not support this type of connection, including triggers and bindings for Azure Blobs, Event Hubs, and Durable Functions. Similarly, AzureWebJobsStorage is used for deployment artifacts when using server-side build in Linux Consumption, and if you enable this, you will need to deploy via an external deployment package.

In addition, your function app might be reusing AzureWebJobsStorage for other storage connections in their triggers, bindings, and/or function code. Make sure that all uses of AzureWebJobsStorage are able to use the identity-based connection format before changing this connection from a connection string.

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Syed Aaqid Ali 335 Reputation points Microsoft External Staff

2025-03-11T00:39:43.7233333+00:00

Hi Demougin, Matthew W,

I hope the answer provided by Silvia Wibowo is helpful. Kindly let me know if you have any questions.

Moreover, When Allow storage account key access is disabled, any requests to the account that are authorized with Shared Key, including shared access signatures (SAS), will be denied.

For more information see https://learn.microsoft.com/en-us/azure/storage/common/shared-key-authorization-prevent?tabs=portal

Please do not forget to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.
Demougin, Matthew W 0 Reputation points

2025-03-11T15:54:00.16+00:00

According to the guide you sent me, the only thing I should need to do to make this work is grant the roles to the function app in the storage account, and switch to the _accountName variable, both of which I've done. Any ideas on why that isn't sufficient? Is it because I'm using the hierarchical namespace as a datalake possibly?
Silvia Wibowo 5,441 Reputation points Microsoft Employee

2025-03-11T21:10:46.05+00:00
Hi @Demougin, Matthew W , please clarify:

What role(s) did you assign to Azure Function's managed identity?

Did you use system-assigned managed identity?

Did you set app settings for AzureWebJobsStorage__blobServiceUri?

As you mentioned you use HNS-enabled Azure Blob storage, did you enable Access control lists (ACLs) in Azure Data Lake Storage?

Did you try setting Common properties for identity-based connections?
Syed Aaqid Ali 335 Reputation points Microsoft External Staff

2025-03-11T22:50:04.02+00:00
Demougin, Matthew W, adding to Silvia, to access blob data in the Azure storage with Microsoft Entra credentials, a user/Identity must have the following role assignments:

A data access role, such as Storage Blob Data Reader or Storage Blob Data Contributor

The Azure Resource Manager Reader role, at a minimum

When you assign roles, it can take up to 10 minutes for changes to take effect. If you set the appropriate allow permissions to access data via Microsoft Entra ID and are unable to access the data, for example you're getting an "AuthorizationPermissionMismatch" error. Be sure to allow enough time for the permissions changes you made in Microsoft Entra ID to replicate and be sure that you don't have any deny assignments that block your access, see Understand Azure deny assignments.

For more information check Authorize access to blobs using Microsoft Entra ID and Assign an Azure role for access to blob data
Syed Aaqid Ali 335 Reputation points Microsoft External Staff

2025-03-12T21:08:23.5633333+00:00

Hello Demougin, Matthew W,

Checking to see whether you have resolved the issue with the solution provided above, or if you need any further assistance, please let us know.

Share via

Setting a storage account's "Allow storage account key access" to disabled breaks function deployments.

1 answer

Your answer