I can’t seem to find clear documentation on how to set a (System-assigned Managed) Identity-based connection for my Queue-triggered Azure Function.
Steps taken:

- Enabled System-assigned Managed Identity (SAMI) for the Azure Function
- On the Queue Storage Account, granted the SAMI the `Storage Queue Data Reader` and `Storage Queue Data Message Processor` roles per this doc.
- Ensured the Extension Version is `5.0.0` or later:

  ```json
  "extensionBundle": {
    "id": "Microsoft.Azure.Functions.ExtensionBundle",
    "version": "[4.*, 5.0.0)"
  }
  ```

- Added a `connection` value to the Function’s `function.json` file:

  ```json
  {
    "scriptFile": "__init__.py",
    "bindings": [
      {
        "name": "msg",
        "type": "queueTrigger",
        "direction": "in",
        "queueName": "my-q",
        "connection": "QUEUE_CONN"
      }
    ]
  }
  ```

- Added a `QUEUE_CONN__queueServiceUri` app setting to the Function’s `local.settings.json` file per this SO question, which references this doc.

  ```json
  {
    "IsEncrypted": false,
    "Values": {
      "FUNCTIONS_WORKER_RUNTIME": "python",
      "AzureWebJobsStorage": "UseDevelopmentStorage=true",
      "QUEUE_CONN__queueServiceUri": "https://<my-q-storage>.queue.core.windows.net"
    }
  }
  ```

- After `func azure functionapp publish <my-function> --publish-local-settings`, and writing the appropriate setting to Azure… the function will not trigger when adding a new queue.
- I also tried adding `QUEUE_CONN__managedIdentityResourceId` per this (contradicting?) doc. But this didn’t seem to trigger the Function upon adding a queue.
I’d really like to get away from dealing with a Key Vault secret when all other connections within the function rely on SAMI auth.
Any ideas?
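As an added example (not part of the question above and not Azure tooling), the following Python script audits the configuration the question describes: it reads the `connection` names from a `function.json` and checks that the settings for each name form a usable identity-based Storage connection. The sample `function.json` and `local.settings.json` embedded in it are constructed to mirror the question; the `queueServiceUri` and `managedIdentityResourceId` suffixes come from the question, the generic `serviceUri` suffix is the documented alternative for Storage, and the checks themselves (a placeholder or non-HTTPS endpoint, a connection string and identity settings both present, identity settings with no endpoint) are my own.

```python
import json
import re

# Constructed sample inputs shaped like the files in the question (not the
# poster's real files); the storage account name is left as a placeholder
# on purpose so the audit has something to flag.
FUNCTION_JSON = json.loads("""
{
  "scriptFile": "__init__.py",
  "bindings": [
    {"name": "msg", "type": "queueTrigger", "direction": "in",
     "queueName": "my-q", "connection": "QUEUE_CONN"}
  ]
}
""")

LOCAL_SETTINGS = json.loads("""
{
  "IsEncrypted": false,
  "Values": {
    "FUNCTIONS_WORKER_RUNTIME": "python",
    "AzureWebJobsStorage": "UseDevelopmentStorage=true",
    "QUEUE_CONN__queueServiceUri": "https://<my-q-storage>.queue.core.windows.net"
  }
}
""")

# Identity-based Storage connections are expressed as <NAME>__<suffix> settings
# instead of a single <NAME> connection string. queueServiceUri and
# managedIdentityResourceId appear in the question; serviceUri is the
# documented generic form for Storage.
URI_SUFFIXES = ("queueServiceUri", "serviceUri")
IDENTITY_SUFFIXES = ("managedIdentityResourceId", "clientId", "credential")

# Public-cloud queue endpoint: account names are 3-24 lowercase letters/digits.
QUEUE_URI = re.compile(r"https://[a-z0-9]{3,24}\.queue\.core\.windows\.net/?")


def connection_names(function_json: dict) -> list[str]:
    """Connection setting names referenced by the bindings in function.json."""
    return [b["connection"] for b in function_json.get("bindings", [])
            if "connection" in b]


def check_connection(name: str, values: dict) -> list[str]:
    """Return human-readable findings for one binding's connection name."""
    findings = []
    prefix = name + "__"
    # Settings nested under this connection name, keyed by their suffix.
    sub = {k[len(prefix):]: v for k, v in values.items() if k.startswith(prefix)}
    uri_keys = [s for s in sub if s in URI_SUFFIXES]
    has_conn_string = name in values

    if has_conn_string and uri_keys:
        findings.append(f"{name}: both a '{name}' connection string and identity "
                        f"settings are set; keep only one form")
    if not has_conn_string and not uri_keys:
        findings.append(f"{name}: neither '{name}' nor '{prefix}queueServiceUri' / "
                        f"'{prefix}serviceUri' is set")
    for s in uri_keys:
        if not QUEUE_URI.fullmatch(sub[s]):
            findings.append(f"{prefix}{s}: '{sub[s]}' is not a valid queue endpoint "
                            f"(replace <placeholders>, use https)")
    stray = [s for s in sub if s in IDENTITY_SUFFIXES]
    if stray and not uri_keys:
        findings.append(f"{name}: {', '.join(prefix + s for s in stray)} set without "
                        f"a service URI, so there is no endpoint to connect to")
    return findings


def audit(function_json: dict, local_settings: dict) -> dict[str, list[str]]:
    """Findings per connection name, using the 'Values' section of the settings."""
    values = local_settings.get("Values", {})
    return {name: check_connection(name, values)
            for name in connection_names(function_json)}


if __name__ == "__main__":
    for name, findings in audit(FUNCTION_JSON, LOCAL_SETTINGS).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run against the constructed sample it reports one finding, the `<my-q-storage>` placeholder in the endpoint; with a real account name it reports none. Note that `local.settings.json` is only read by the local Functions host, so the same `QUEUE_CONN__...` names have to exist as application settings on the deployed Function App for the check to mean anything in Azure.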