4

I have an azure function app in a "development" subscription that's created from a bicep template that's run from a devops pipeline. The function app is hosted on a windows app service plan that's happily running other function apps. The app settings are shown below:

var functionAppSettings = {
  WEBSITE_RUN_FROM_PACKAGE: 1
  AzureWebJobsStorage__accountname: storageAccountName
  FUNCTIONS_EXTENSION_VERSION: '~4'
  FUNCTIONS_WORKER_RUNTIME: 'dotnet-isolated'
}

It uses the managed identity of the function app to connect to its storage account. I've ensured the storage account has 'Storage Blob Data Contributor' and 'Storage Queue Data Contributor' role membership on the storage account.

If I run the following azure cli:

az functionapp keys list --name <func app name> --resource-group <rg name> --query functionKeys.default | tr -d '"'

Then I get the response: Operation returned an invalid status 'Bad Request'

I thought I'd test to see if the function app had connectivity / permission to its storage account by asking it to create a new key using the following azure cli:

az functionapp keys set -g <rg name> -n <func app name> --key-type functionkeys --key-name MyHostKey

This also came back with: ERROR: Operation returned an invalid status 'Bad Request'

However, I then took a look in the storage account and could see a host.json in a blob container named "azure-webjobs-secrets". The content of host.json did contain an entry for MyHostKey.

The function app does have vnet integration configured and makes use of a nat gateway attached to its subnet. The storage account has "Public network access Enabled from all networks" set.

If I browse to the "App keys" blade for the function app it shows no keys:

enter image description here

The same devops pipeline later deploys to a "test" subscription and that has no problems. I have tried deleting everything from the resource group of the "development" subscription and re running the devops pipeline but still hit the same problem.

I've read the docs and followed the steps from this blog post but without success.

Improve this question

2 Answers 2

Reset to default
2

Here are a few things you could investigate:

  1. Ensure that the app settings (especially AzureWebJobsStorage) correctly point to the storage account you're expecting it to use.

  2. The logs from Application Insights (which needs to be enabled for the Function App) might provide more detailed error messages.

  3. Ensure that the Function App has access to Azure Storage endpoints. This is typically done through service endpoints or private endpoints.

  4. Sometimes these errors can occur due to Azure CLI version incompatibilities, make sure it's updated to the latest version.

  5. If you have set up CORS on your storage account, ensure that the necessary origins are allowed.

Lastly, try deploying the function manually and see if it works. This will help isolate whether the issue is with the app or the way it is being deployed.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

Thanks for your help. 1. Double checked. 2. Nothing of interest. 3. The storage account has "public network access Enabled from all networks". 4. I'm trying to view the host keys before any app code is deployed. 5. The function app is in the same resource group and region as the storage account - I don't think CORS is relevant?
Are there firewall settings enabled in the storage account? Is the function in the "Running" state? Can you try using PowerShell instead of AzCLI?
How did you go with this one Rob?
Hi Nick, the MS support team suggested I delete all containers from the storage ac and re-run the pipeline. That fixed it but I'm still trying to figure out root cause. Will update here once I know
1

The only way I was able to resolve this was to ensure that the AzureWebJobsStorage Configuration setting was correctly configured, and then I had to delete the folders in the blob storage that related to this Function App.

Thinking back, there might have just been a locked lease on a file that I could have removed. If you don't want to delete everything, check for leased files first. Otherwise, deleting all of the Storage Files and restarting the Function App worked for me.

Improve this answer

3 Comments

I was creating function with Bizep and somehow used a wrong formatted storageaccount string Used format from azure docs, deployed from scratch and the keys appeared learn.microsoft.com/en-us/azure/azure-functions/…
When you say Storage Files, do you mean the function app writes to a File Share, or do you mean blobs from a container?
The Azure Function App writes to the connected Storage Account's Blob Storage Container. If you search that Storage Account, you should be able to see references to your Azure Function App's name.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.