0

I can't seem to find clear documentation on how to set a System-assigned Managed Identity-based connection for my Queue-triggered Azure Function.

Steps taken:

  1. Enabled System-assigned Managed Identity (SAMI) for the Azure Function
  2. On the Queue Storage Account, granted the SAMI Storage Queue Data Reader and Storage Queue Data Message Processor Roles per this doc.
  3. Ensured the Extension Version is 5.0.0 or later
"extensionBundle": {
    "id": "Microsoft.Azure.Functions.ExtensionBundle",
    "version": "[4.*, 5.0.0)"
  }
  1. Added a connection value to the Function's function.json file:
{
  "scriptFile": "__init__.py",
  "bindings": [
    {
      "name": "msg",
      "type": "queueTrigger",
      "direction": "in",
      "queueName": "my-q",
      "connection": "QUEUE_CONN"
    }
  ]
}
  1. Added a QUEUE_CONN__queueServiceUri app setting to the Function's local.settings.json file per this SO question, which references this doc.
{
  "IsEncrypted": false,
  "Values": {
    "FUNCTIONS_WORKER_RUNTIME": "python",
    "AzureWebJobsStorage": "UseDevelopmentStorage=true",
    "QUEUE_CONN__queueServiceUri": "https://<my-q-storage>.queue.core.windows.net"
  }
}
  • After func azure functionapp publish <my-function> --publish-local-settings, and writing the appropriate setting to Azure...the function will not trigger when adding a new queue.

  1. I also tried adding QUEUE_CONN__managedIdentityResourceId per this (contradicting?) doc. But this didn't seem to trigger the Function upon adding a queue.

  2. Also tried adding "QUEUE_CONN__credential": "managedidentity". Still unable to trigger the function.

I'd really like to get away from dealing with a Key Vault secret when all other connections within the function rely on SAMI auth.

Any ideas?

Improve this question

2 Answers 2

Reset to default
2

Even I received the same error code as yours, In order to make this Queue Trigger with managed Identity work, I have tried two methods and both of them worked successfully:-

Approach 1:-

My Local Function code:-

function.json:-

{
  "scriptFile": "__init__.py",
  "bindings": [
    {
      "name": "msg",
      "type": "queueTrigger",
      "direction": "in",
      "queueName": "queue1",
      "connection": "valleystrg1_STORAGE"
    }
  ]
}

init.py:-

import logging

from azure.functions import QueueMessage


def main(msg: QueueMessage) -> None:
    logging.info('Python queue trigger function processed a queue item: %s',
                 msg.get_body().decode('utf-8'))

local.settings.json:-

Note- settings from local.settings.json does not get uploaded to Function App configuration settings, As the local.settings.json file is .gitignored.

My Function App configuration settings:-

Note- My deployed function.json has valleystrg1_STORAGE in the connection as it is, I have just edited the Connection String in Configuration application setting like below:-

valleystrg1_STORAGE__queueServiceUri:https://valleystrg1.queue.core.windows.net

enter image description here

enter image description here

Provided Storage Queue Data Contributor role to my Function App managed Identity on Storage account level which has my queue:-

enter image description here

enter image description here

Output:-

enter image description here

enter image description here

Approach 2:-

Portal:-

I have directly created a Queue Trigger via Portal Edit:-

enter image description here

valleystrg2_STORAGE__queueServiceUri:https://valleystrg2.queue.core.windows.net

My function.json:-

{
  "bindings": [
    {
      "name": "msg",
      "type": "queueTrigger",
      "direction": "in",
      "queueName": "queue1",
      "connection": "valleystrg2_STORAGE"
    }
  ]
}

enter image description here

Added The function app managed identity Storage Queue Data Contributor role at Storage account level:-

enter image description here

Output:-

enter image description here

enter image description here

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

Thanks for the detailed screenshots. Just an FYI, you can publish the key/value pairs in your local.settings.json file as App Settings by using func azure functionapp publish <your-function-app-name> --publish-local-settings. You need to be mindful of which values you publish.

Improve this answer

1 Comment

Worked for me. I was missing the correct RBAC permission. I had Storage Queue Data Processor instead of Storage Queue Data Contributor. Thanks again.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.