Recently, while setting up a Function App to use a User Assigned Managed Identity (UAMI) to authenticate to its AzureWebJobsStorage, I encountered a SyncTrigger failure.
I checked whether the UAMI had necessary RBAC roles to work on AzureWebJobsStorage — it had. So, I wasn’t sure what the issue was.
Analyzing further, I realized I had skipped a few mandatory settings needed to enable UAMI-based authentication to AzureWebJobsStorage (setting the environment variable AzureWebJobsStorage__accountName alone does not suffice).
Steps to enable UAMI access to AzureWebJobsStorage
Enabling UAMI access to AzureWebJobsStorage involves changes in Terraform (when the Function App is created), in the App Settings (environment variables) and finally in role-based access control (RBAC).
Terraform
If for some reason you want to use UAMI to authenticate with AzureWebJobsStorage, then the Terraform block **functionAppConfig.deployment.storage.authentication** should look like this:
Note: I am using Flex Consumption tier
```hcl
authentication = {
  type                           = "userassignedidentity"
  userAssignedIdentityResourceId = "<UAMI resource ID>"  # placeholder: resource ID of your UAMI
}
```
This tells the platform to use UAMI for the deployment package blob container — the part that isn’t controlled by app settings.
App settings
Once the Function App is deployed with userassignedidentity as the authentication type (Terraform), ensure the variables below are set in the Function App's environment variables:
```
AzureWebJobsStorage__accountName = <storage account name>
AzureWebJobsStorage__credential = managedidentity
AzureWebJobsStorage__clientId = <UAMI client ID>
```
All three settings are mandatory.
RBAC
This is the final bit. We have the Function App deployed and the environment variables set; next, the UAMI needs privileges on the storage account.
Assign the Storage Blob Data Owner role to the UAMI on the storage account.
With these three changes, your Function App will authenticate with its AzureWebJobsStorage using UAMI.
Caveat: Although this works, the issue with this approach is that every service assigned this UAMI gains access to the function's storage account. This is not ideal if many services share the same UAMI. The better option is to use a System Assigned Managed Identity (SAMI) for authentication between the Function App and its storage account, and to use the UAMI for the rest of the outbound calls the functions might make.
Using System Assigned Managed Identity
To use SAMI, just set AzureWebJobsStorage__accountName; SAMI is the default, so no additional settings are needed. Next, give the SAMI the Storage Blob Data Owner role on the storage account. If you are using Terraform to deploy, the authentication block of the Function App will look like this:
```hcl
authentication = {
  type = "systemassignedidentity"
}
```
SAMI is my preferred method for authentication with the AzureWebJobsStorage for the reasons already discussed in the caveat section.
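To catch the mismatch described above before the runtime does, here is a small consistency check (added example, not part of the original post) that compares the deployment's authentication type against the three AzureWebJobsStorage__* app settings for both the UAMI and the SAMI case. The sample app-settings JSON is constructed in the shape of `az functionapp config appsettings list` output; the account name and the function names are assumptions.

```python
import json

UAMI = "userassignedidentity"
SAMI = "systemassignedidentity"
PREFIX = "AzureWebJobsStorage__"

# Constructed sample in the shape of `az functionapp config appsettings list`
# output (a JSON array of name/value objects); not data from a real app.
SAMPLE_APPSETTINGS_JSON = """
[
  {"name": "AzureWebJobsStorage__accountName", "value": "stexample01", "slotSetting": false},
  {"name": "FUNCTIONS_EXTENSION_VERSION", "value": "~4", "slotSetting": false}
]
"""


def parse_appsettings(cli_json: str) -> dict:
    """Turn the CLI's name/value list into a plain name -> value dict."""
    return {item["name"]: item["value"] for item in json.loads(cli_json)}


def check_storage_identity(auth_type: str, settings: dict) -> list:
    """Return the misconfigurations found; an empty list means the deployment
    authentication type and the app settings are consistent with each other."""
    problems = []
    account = settings.get(PREFIX + "accountName")
    credential = settings.get(PREFIX + "credential")
    client_id = settings.get(PREFIX + "clientId")

    if not account:
        problems.append(PREFIX + "accountName is missing (required for UAMI and SAMI)")

    kind = auth_type.strip().lower()
    if kind == UAMI:
        # UAMI needs all three settings; accountName alone is not enough.
        if credential != "managedidentity":
            problems.append(PREFIX + "credential must be 'managedidentity' for UAMI")
        if not client_id:
            problems.append(PREFIX + "clientId is missing; without it the runtime does not use the UAMI")
    elif kind == SAMI:
        # SAMI is the default: a clientId here points at a different identity
        # than the one the deployment was configured with.
        if client_id:
            problems.append(PREFIX + "clientId is set but the deployment uses the system-assigned identity")
    else:
        problems.append("unknown authentication type: " + auth_type)
    return problems


if __name__ == "__main__":
    settings = parse_appsettings(SAMPLE_APPSETTINGS_JSON)
    for issue in check_storage_identity(UAMI, settings):
        print("UAMI:", issue)
    print("SAMI:", check_storage_identity(SAMI, settings) or "consistent")
```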
Summary
Configuring a Function App to authenticate with its AzureWebJobsStorage using managed identity requires changes at three levels — Terraform, app settings, and RBAC — and all three must be consistent with each other. For UAMI, all three AzureWebJobsStorage__* settings are mandatory; omitting any one of them will cause the runtime to fail. However, personally I feel UAMI for AzureWebJobsStorage is rarely the right choice — since UAMI is a shared identity, every service assigned to it inherits access to the storage account. SAMI, which requires only AzureWebJobsStorage__accountName and a single role assignment, is the simpler and safer default for this use case.