How to ensure Managed Identity access from Function App to Blob Storage?

Ryan Donaghy 45 Reputation points
2024-12-12T17:37:25.4766667+00:00

Hi All,

I have been banging my head against the wall over this all day, and would like to know if anyone has come across this before.

I have a function app that is attempting to upload a file to a blob storage container.

It has a system assigned managed identity enabled, which I have added as a Storage Blob Data Contributor on the storage account.

When I run my function app, I repeatedly get the following error message:

This request is not authorized to perform this operation. RequestId:0c107d5a-501e-0037-52b6-4cc150000000 Time:2024-12-12T16:56:25.9801860Z

Here is a snippet of my JS:

const { ManagedIdentityCredential } = require("@azure/identity");
const { BlobServiceClient } = require("@azure/storage-blob"); // import omitted from the original snippet

// Runs inside the async function handler; storageAccount and containerName are set earlier in it.
// Use System-Assigned Managed Identity for Blob Storage
context.log("Acquiring token for Blob Storage...");
const blobCredential = new ManagedIdentityCredential();
const blobServiceClient = new BlobServiceClient(
    `https://${storageAccount}.blob.core.windows.net`,
    blobCredential
);

context.log("Creating container client...");
const containerClient = blobServiceClient.getContainerClient(containerName);

try {
    context.log("Checking container existence...");
    const exists = await containerClient.exists();
    context.log(`Container existence: ${exists}`);
    if (!exists) {
        throw new Error(`Container "${containerName}" does not exist.`);
    }
} catch (error) {
    context.log.error("Error while checking container existence:", error.message);
    context.log.error("Error Details:", JSON.stringify(error, null, 2));
    throw error;
}

Apologies for all the context logs, I have been trying to trace this issue all day.

The context log comes back as:

Error while checking container existence: This request is not authorized to perform this operation. RequestId:f7d1fa59-901e-0028-3abb-4c7254000000 Time:2024-12-12T17:28:48.4342220Z

I have swapped out the RBAC roles, changed scopes, and added the 'Contributor' role to the storage account, subscription, resource group, etc. However, nothing seems to be working.

I also have a user-assigned managed identity, but I had the same issue with that as well.

Has anyone got any guidance?

Much appreciated!


Accepted answer
VenkateshDodda-MSFT 23,141 Reputation points Microsoft Employee
2024-12-13T03:01:31.84+00:00

@Ryan Donaghy Thanks for posting your question in Microsoft Q&A; apologies for any inconvenience caused by this.

Based on the information shared above, I understand that you are facing an issue with RBAC roles on the storage account for blob storage.

Instead of adding "Storage Blob Data Contributor" and "Contributor" on the storage account, you need to add Storage Blob Data Owner to make your function host connect to storage via identity.

Refer to this documentation to know which RBAC role you need to use based on the type of trigger.

Also, from the above discussion we understood that your function app is hosted on the Consumption plan and your storage account is behind a virtual network.

As per the design, the Consumption plan Function app doesn't support VNet integration. Instead, you can host your function app in the Flex Consumption plan, which supports VNet integration.

Refer to the documentation below for more information about Flex Consumption Functions.

1. Flex Consumption Plan Hosting.
2. Work/Create Flex Consumption Plan Functions
3. Cmdlets to check which regions this Flex Consumption Plan is supported in.

Hope this helps; let me know if you have any further questions on this.

Please accept as Yes if the answer is helpful so that it can help others in the community.


1 additional answer

Amrinder Singh 5,555 Reputation points Microsoft Employee
2024-12-12T17:45:26.6833333+00:00

Hi Ryan Donaghy,

Thanks for reaching out over the Q&A Forum.

Do you have any networking limitation on the storage account? If yes, although you might have the appropriate roles, this could be the blocker.

For quick isolation, try enabling access from all networks; if that works, add your function app to a VNet and have the VNet whitelisted at the account level.

Hope this information helps! Please let us know if you have any further queries. I'm happy to assist you further.

Please "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
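Both answers point at the two usual causes of this 403: a missing or wrong RBAC role, and the storage account's network rules. The service reports them with different error codes, so the Function App can log which one it hit. The helper below is an added example, not code from the original post or from Microsoft; it assumes the same packages the question uses (@azure/identity and @azure/storage-blob) and the storageAccount/containerName values from the question's snippet.

```javascript
// Azure Storage answers 403 for both causes, but with different service error codes:
//   AuthorizationFailure            -> blocked by firewall/VNet rules on the account
//   AuthorizationPermissionMismatch -> token accepted, but the role lacks the permission
// Credential errors from @azure/identity surface before any request is sent.
function classifyStorageError(err) {
  const name = (err && err.name) || "";
  const status = err && err.statusCode;
  // @azure/storage-blob's RestError carries the storage error code in `code`; fall back to the parsed body.
  const code = (err && (err.code || (err.details && err.details.errorCode))) || "";

  if (name === "CredentialUnavailableError" || name === "AuthenticationError") {
    return { stage: "token", hint: "No managed identity token; confirm the identity is enabled on the Function App." };
  }
  if (status === 403 && code === "AuthorizationPermissionMismatch") {
    return { stage: "rbac", hint: "Assign a Storage Blob Data role at the account scope; propagation can take minutes." };
  }
  if (status === 403 && code === "AuthorizationFailure") {
    return { stage: "network", hint: "Account firewall/VNet rules reject the caller; RBAC changes will not fix this." };
  }
  return { stage: "unknown", hint: `Unclassified error: status=${status} code=${code || name}` };
}

// Runs the checks in the order the failures can occur, so the log names the failing stage.
async function preflight(storageAccount, containerName, log = console.log) {
  // SDKs are loaded here so classifyStorageError stays testable without them installed.
  const { ManagedIdentityCredential } = require("@azure/identity");
  const { BlobServiceClient } = require("@azure/storage-blob");
  const credential = new ManagedIdentityCredential();
  try {
    await credential.getToken("https://storage.azure.com/.default"); // stage 1: identity works at all
    log("stage token: ok");
    const service = new BlobServiceClient(`https://${storageAccount}.blob.core.windows.net`, credential);
    const exists = await service.getContainerClient(containerName).exists(); // stage 2: data-plane call
    log(`stage container: exists=${exists}`);
    return { ok: true, exists };
  } catch (err) {
    const verdict = classifyStorageError(err);
    log(`stage ${verdict.stage} failed: ${verdict.hint}`);
    return { ok: false, ...verdict };
  }
}

// Constructed sample: the shape a RestError takes for the exact message quoted in the question.
const SAMPLE_NETWORK_ERROR = {
  name: "RestError", statusCode: 403, code: "AuthorizationFailure",
  message: "This request is not authorized to perform this operation.",
};
```

Call preflight(storageAccount, containerName, context.log) from the handler; the message quoted in the question, without the trailing "using this permission", is the AuthorizationFailure form.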

