
Python Azure Functions Identity-Based Connection for Trigger Bindings


I can’t seem to find clear documentation on how to set a (System-assigned Managed) Identity-based connection for my Queue-triggered Azure Function.

Steps taken:

  1. Enabled System-assigned Managed Identity (SAMI) for the Azure Function
  2. On the Queue Storage Account, granted the SAMI Storage Queue Data Reader and Storage Queue Data Message Processor Roles per this doc.
  3. Ensured the Extension Version is 5.0.0 or later

     "extensionBundle": {
         "id": "Microsoft.Azure.Functions.ExtensionBundle",
         "version": "[4.*, 5.0.0)"
       }

  4. Added a connection value to the Function’s function.json file:

     {
       "scriptFile": "__init__.py",
       "bindings": [
         {
           "name": "msg",
           "type": "queueTrigger",
           "direction": "in",
           "queueName": "my-q",
           "connection": "QUEUE_CONN"
         }
       ]
     }

  5. Added a QUEUE_CONN__queueServiceUri app setting to the Function’s local.settings.json file per this SO question, which references this doc.

     {
       "IsEncrypted": false,
       "Values": {
         "FUNCTIONS_WORKER_RUNTIME": "python",
         "AzureWebJobsStorage": "UseDevelopmentStorage=true",
         "QUEUE_CONN__queueServiceUri": "https://<my-q-storage>.queue.core.windows.net"
       }
     }

     • After func azure functionapp publish <my-function> --publish-local-settings, and writing the appropriate setting to Azure… the function will not trigger when adding a new queue.

  6. I also tried adding QUEUE_CONN__managedIdentityResourceId per this (contradicting?) doc. But this didn’t seem to trigger the Function upon adding a queue.

I’d really like to get away from dealing with a Key Vault secret when all other connections within the function rely on SAMI auth.

Any ideas?
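
As an added example (not part of the original post), a small Python check over the two files shown above: for each queueTrigger binding it reports whether the connection prefix resolves to an identity-based `__queueServiceUri` setting or to a plain connection-string value, and it lists settings that point at the local storage emulator. The sample input is constructed from the post's snippets; the function names, mode labels and finding texts are this example's own.

```python
import json
from urllib.parse import urlsplit

# Constructed sample input mirroring the post's function.json and local.settings.json.
FUNCTION_JSON = json.loads("""{"scriptFile": "__init__.py", "bindings": [
  {"name": "msg", "type": "queueTrigger", "direction": "in",
   "queueName": "my-q", "connection": "QUEUE_CONN"}]}""")
SETTINGS = {
    "FUNCTIONS_WORKER_RUNTIME": "python",
    "AzureWebJobsStorage": "UseDevelopmentStorage=true",
    "QUEUE_CONN__queueServiceUri": "https://<my-q-storage>.queue.core.windows.net",
}

def audit_queue_connections(function_json, settings):
    """Return {prefix: (mode, findings)} for every queueTrigger binding."""
    report = {}
    for binding in function_json.get("bindings", []):
        if binding.get("type") != "queueTrigger":
            continue
        # An omitted "connection" falls back to the default storage setting.
        prefix = binding.get("connection") or "AzureWebJobsStorage"
        uri = settings.get(f"{prefix}__queueServiceUri")
        has_plain = prefix in settings  # plain value = connection string (a secret)
        findings = []
        if has_plain and uri is not None:
            mode = "ambiguous"
            findings.append(f"both {prefix} and {prefix}__queueServiceUri are set")
        elif has_plain:
            mode = "secret"
            findings.append(f"{prefix} holds a connection string, not an identity")
        elif uri is None:
            mode = "missing"
            findings.append(f"no {prefix}__queueServiceUri setting")
        else:
            mode = "identity"
        if uri is not None:
            parts = urlsplit(uri)
            if parts.scheme != "https":
                findings.append("queueServiceUri is not https")
            if "<" in uri or ">" in uri:
                findings.append("queueServiceUri still contains a placeholder")
            if parts.query:
                findings.append("queueServiceUri carries a query string (SAS token?)")
        report[prefix] = (mode, findings)
    return report

def local_only_settings(settings):
    """Names of settings whose value targets the local storage emulator."""
    return sorted(k for k, v in settings.items()
                  if "UseDevelopmentStorage=true" in str(v))
```

Run it against the `Values` object of local.settings.json before publishing with `--publish-local-settings`, and again against the app settings exported from the deployed Function App, to compare what each environment actually resolves.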


