
Managed Identity w/Azure Functions and Storage accounts


What is the appropriate way to use managed identity with Azure Functions and Storage accounts if the AzureWebJobsStorage app setting is required by the function host? Is there a managed identity version of the storage account connection string that doesn't include the access key?


Solution

  • It is now possible to configure a function app to authenticate with its storage account via managed identity.

    Full details are available here

    In summary, in the app settings for the function app:

    • delete setting for "AzureWebJobsStorage"
    • create a new app setting named "AzureWebJobsStorage__accountName"
    • the value of the new setting should be the name of the storage account

    Ensure the function app has "Storage Blob Data Owner" role over the storage account. If the function app uses the storage account's queue (e.g. queue binding) then it will also need "Storage Queue Data Contributor" role.
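
A check for the configuration described in the answer above, as an added example that is not part of the original answer or of any Azure tooling. The function name `audit_function_storage` is hypothetical, the sample data is constructed, and the input shape (objects with `name`/`value` for app settings and `roleDefinitionName` for role assignments) is assumed to match the JSON printed by `az functionapp config appsettings list` and `az role assignment list`.

```python
import re

BLOB_ROLE = "Storage Blob Data Owner"
QUEUE_ROLE = "Storage Queue Data Contributor"
# Storage account names are 3-24 lowercase letters and digits.
ACCOUNT_NAME = re.compile(r"[a-z0-9]{3,24}")


def audit_function_storage(app_settings, role_assignments, uses_queues=False):
    """Return findings; an empty list means the app matches the steps above."""
    settings = {s["name"]: s.get("value") or "" for s in app_settings}
    findings = []
    # Step 1: the key-based setting must be gone.
    if "AzureWebJobsStorage" in settings:
        if "accountkey=" in settings["AzureWebJobsStorage"].lower():
            findings.append("AzureWebJobsStorage contains an access key")
        else:
            findings.append("AzureWebJobsStorage is still set")
    # Steps 2-3: the new setting holds only the storage account name.
    account = settings.get("AzureWebJobsStorage__accountName")
    if account is None:
        findings.append("AzureWebJobsStorage__accountName is missing")
    elif not ACCOUNT_NAME.fullmatch(account):
        findings.append("AzureWebJobsStorage__accountName is not a bare account name")
    # Role check: blob role always, queue role only when queues are used.
    held = {r["roleDefinitionName"] for r in role_assignments}
    needed = [BLOB_ROLE] + ([QUEUE_ROLE] if uses_queues else [])
    findings += [f"missing role: {role}" for role in needed if role not in held]
    return findings


# Constructed sample data (not from a real subscription).
KEY_BASED = [{"name": "AzureWebJobsStorage", "value":
              "DefaultEndpointsProtocol=https;AccountName=examplestore;"
              "AccountKey=PLACEHOLDER;EndpointSuffix=core.windows.net"}]
IDENTITY_BASED = [{"name": "AzureWebJobsStorage__accountName",
                   "value": "examplestore"}]
BLOB_ONLY = [{"roleDefinitionName": BLOB_ROLE}]

if __name__ == "__main__":
    for label, cfg in (("key-based", KEY_BASED), ("identity-based", IDENTITY_BASED)):
        print(label, audit_function_storage(cfg, BLOB_ONLY, uses_queues=True))
```

Pass in only the role assignments for the function app's identity that are scoped to the storage account; the function does not filter by principal or scope.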