Tags: azure-functions, azure-storage, azure-blob-storage, azure-function-app, sas-token

How to use SAS connection string from storage account in Azure function application setting


I can run the function app by using the connection string from the storage account's access key and putting it into the function application setting.

Function application setting

However, if I generate an SAS and connection string from the Shared access signature menu in the storage account and use that connection string in my function app setting, I can't get the function running.

Here is my SAS connection string: BlobEndpoint=https://StorageAccountName.blob.core.windows.net/;QueueEndpoint=https://StorageAccountName.queue.core.windows.net/;FileEndpoint=https://StorageAccountName.file.core.windows.net/;TableEndpoint=https://StorageAccountName.table.core.windows.net/;SharedAccessSignature=sv=2019-10-10&ss=bfqt&srt=sco&sp=rwdlacupx&se=2020-06-10T11:28:43Z&st=2020-06-10T03:28:43Z&spr=https,http&sig={signature}

Function JSON

{
  "generatedBy": "Microsoft.NET.Sdk.Functions-3.0.1",
  "configurationSource": "attributes",
  "bindings": [
    {
      "type": "blobTrigger",
      "connection": "StorageAccountName",
      "path": "containerName/{name}",
      "name": "myBlob"
    }
  ],
  "disabled": false,
  "scriptFile": "../bin/FunctionDemoBlobTrigger.dll",
  "entryPoint": "BlobTriggerFunctionName.BlobTrigger.Run"
}

Hitting function URL gives 'Function host is not running' error.

Running function app in test mode gives 'Status: 500 Internal Server Error' error.

Update: After encoding the SharedAccessSignature portion of the connection string, I am getting an error.


Solution

  • I don't think it is supported to use the SAS connection string in AzureWebJobsStorage.

    From the docs (here and here), always use the storage account key in AzureWebJobsStorage.

    And if you try to create a new blob trigger in the portal, you will find that only app settings matching the format DefaultEndpointsProtocol=https;AccountName=[name];AccountKey=[key] are listed; any other value will appear unavailable. For an existing one, if you change the app setting, you will get the 500 error.


    So if, in your case, you don't want to use the account key because of the security issue, a good workaround is to use Azure Key Vault.

    Store the account key as a secret in the key vault, enable the system-assigned identity of the function app (user-assigned identity is not supported currently; the function app can have both of them at one time), add it to the access policy of the key vault, then specify the app setting like @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931).

    After the configuration, it will be like below.


    For more details, see Reference - Use Key Vault references for App Service and Azure Functions
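A pre-deployment check for the AzureWebJobsStorage value, added here as an example and not code from the question or the answer: it tells the account-key form the host accepts, a Key Vault reference, and the SAS form the host rejects apart, parses the connection string without URL-encoding the token, and pulls the SAS expiry out so a short-lived token is noticed before deployment. All sample values are constructed.

```python
import re
from urllib.parse import parse_qs

# Constructed samples (not from a real account): the shapes discussed in the thread.
SAMPLE_ACCOUNT_KEY = "DefaultEndpointsProtocol=https;AccountName=examplestore;AccountKey=ZXhhbXBsZWtleQ=="
SAMPLE_SAS = (
    "BlobEndpoint=https://examplestore.blob.core.windows.net/;"
    "SharedAccessSignature=sv=2019-10-10&ss=bfqt&srt=sco&sp=rwdlacupx"
    "&se=2020-06-10T11:28:43Z&st=2020-06-10T03:28:43Z&spr=https,http&sig=PLACEHOLDER"
)
SAMPLE_KEYVAULT = "@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/0000)"
KEYVAULT_REF = re.compile(r"^@Microsoft\.KeyVault\((?P<body>[^)]+)\)$")

def parse_connection_string(value):
    """Split 'k=v;k=v' into a dict, splitting each segment on its FIRST '=' only,
    so a SharedAccessSignature value containing '=' and '&' survives unencoded."""
    parts = {}
    for segment in value.split(";"):
        if not segment.strip():
            continue
        key, sep, val = segment.partition("=")
        if not sep:
            raise ValueError(f"malformed segment: {segment!r}")
        parts[key.strip()] = val.strip()
    return parts

def classify_webjobs_storage(value):
    """Shape of an AzureWebJobsStorage value. 'account-key' is the only form the
    Functions host takes directly; 'keyvault-reference' is resolved by App Service
    before the host sees it; 'sas' is what the host rejects (500 / host not running)."""
    value = value.strip()
    m = KEYVAULT_REF.match(value)
    if m:
        # Two documented reference forms: SecretUri=... or VaultName=...;SecretName=...
        return "keyvault-reference" if m.group("body").startswith(("SecretUri=", "VaultName=")) else "invalid"
    parts = parse_connection_string(value)
    if parts.get("UseDevelopmentStorage") == "true":
        return "development-storage"  # local emulator shortcut
    if "SharedAccessSignature" in parts:
        return "sas"
    if parts.get("AccountName") and parts.get("AccountKey"):
        return "account-key"
    return "invalid"

def sas_expiry(value):
    """For an SAS-form string, return the token's 'se' (expiry) field, else None."""
    token = parse_connection_string(value).get("SharedAccessSignature")
    return parse_qs(token).get("se", [None])[0] if token else None
```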