c# .net-core azure-functions azure-managed-identity azure-app-configuration

Azure App Configuration Managed Identity failing when called from Azure Function


I'm following Use managed identities to access app configuration. For step 5 I've assigned my function FilterFunction as having the App Configuration Data Reader role:

app role

The code for my function on startup is the following:

        var appConfigEndpoint = Environment.GetEnvironmentVariable("Endpoint");
        var environment = Environment.GetEnvironmentVariable("Environment");
        var sentinelValue = Environment.GetEnvironmentVariable("ConfigSentinelKey");

        builder.ConfigurationBuilder.AddAzureAppConfiguration(options =>
        {
            // Load the configuration using labels
            options.Connect(new Uri(appConfigEndpoint), new ManagedIdentityCredential())
                .ConfigureRefresh(refreshoptions => refreshoptions.Register(
                    key: sentinelValue,
                    label: environment,
                    true))
                .Select(KeyFilter.Any, environment);
        });

However, when I publish my function to Azure I see the following error:

error

Why am I getting this error?


Solution

  • Once a role is assigned to grant access to Azure App Configuration, it may take up to ~15 minutes to propagate. During this time, the error message you provided will be observed.

    This is especially true if the identity is first used to make a request without having the role assignment (resulting in 403) and then the role is added afterward.
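
A probe for the situation described in the answer above, as an added example that is not part of the original question or answer: it polls the store with the function's managed identity and separates a 403 (role assignment not effective yet) from other failures. The class and method names are hypothetical, and it assumes the Azure.Data.AppConfiguration and Azure.Identity packages are referenced.

```csharp
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Data.AppConfiguration;
using Azure.Identity;

// Hypothetical helper (not from the question or the Azure SDK).
public static class AppConfigAccessProbe
{
    // Polls the store until a data-plane read with the managed identity is
    // authorized, or until maxWait elapses. Returns true once access works.
    public static async Task<bool> WaitForReadAccessAsync(
        Uri endpoint, string probeKey, string label, TimeSpan maxWait, TimeSpan interval)
    {
        var client = new ConfigurationClient(endpoint, new ManagedIdentityCredential());
        var deadline = DateTimeOffset.UtcNow + maxWait;

        while (true)
        {
            try
            {
                await client.GetConfigurationSettingAsync(probeKey, label);
                return true; // read succeeded: the role assignment is effective
            }
            catch (RequestFailedException ex) when (ex.Status == 404)
            {
                // The request was authorized; only the key/label is missing.
                return true;
            }
            catch (RequestFailedException ex) when (ex.Status == 403)
            {
                // Authenticated but not authorized: the state the answer describes
                // while the App Configuration Data Reader role is still propagating.
                Console.WriteLine(
                    $"{DateTimeOffset.UtcNow:O} 403 from {endpoint.Host}; role not effective yet");
            }
            // Anything else (no managed identity available, 401, network errors)
            // is not a propagation delay and is deliberately left to propagate.

            if (DateTimeOffset.UtcNow + interval > deadline)
            {
                return false; // still 403 after maxWait: re-check the role's scope and principal
            }
            await Task.Delay(interval);
        }
    }
}
```

Run it inside the function app (for example from a temporary HTTP-triggered function) with the `Endpoint`, `ConfigSentinelKey` and `Environment` values from the question, a `maxWait` slightly above 15 minutes and an interval of about a minute.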