Azure / azure-functions-host

The host/runtime that powers Azure Functions
https://functions.azure.com
MIT License

WEBSITE_CONTENTAZUREFILECONNECTIONSTRING as keyvault reference makes deployment fail #7094

Open mhoeger opened 3 years ago

mhoeger commented 3 years ago
Deployment failed. Correlation ID: f171c78c-ad28-4426-aea4-cd9ae0bf57e9. {
  "Code": "BadRequest",
  "Message": "The parameter 'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING' has an invalid value. Details: Cannot specify key vault references not referencing User Assigned Identity on Create Site.",
  "Target": null,
  "Details": [
    {
      "Message": "The parameter 'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING' has an invalid value. Details: Cannot specify key vault references not referencing User Assigned Identity on Create Site."
    },
    {
      "Code": "BadRequest"
    },
    {
      "ErrorEntity": {
        "ExtendedCode": "01033",
        "MessageTemplate": "The parameter '{0}' has an invalid value. Details: {1}.",
        "Parameters": [
          "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
          "Cannot specify key vault references not referencing User Assigned Identity on Create Site"
        ],
        "Code": "BadRequest",
        "Message": "The parameter 'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING' has an invalid value. Details: Cannot specify key vault references not referencing User Assigned Identity on Create Site."
      }
    }
  ],
  "Innererror": null
}

Per comment here: https://github.com/Azure/azure-functions-host/issues/5306#issuecomment-696561132

mhoeger commented 3 years ago

Currently - WEBSITE_CONTENTAZUREFILECONNECTIONSTRING as a key vault reference is not supported for creation, it can only be the full connection string. Then, it can be updated to use key vault references
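
A pre-deployment check for the condition named in the creation error above, as an added example that is not part of this thread or of the Azure Functions host code. It scans an ARM template's `Microsoft.Web/sites` resources; the rule that a user-assigned identity plus `keyVaultReferenceIdentity` satisfies the platform is an assumption read from the error text, and the finding names and sample template are constructed.

```python
import json

SETTING = "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING"

# Constructed sample template (not from the thread): a site created with a
# Key Vault reference while only a system-assigned identity is configured.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [{
    "type": "Microsoft.Web/sites",
    "name": "example-func",
    "identity": {"type": "SystemAssigned"},
    "properties": {"siteConfig": {"appSettings": [
      {"name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
       "value": "@Microsoft.KeyVault(SecretUri=https://example.vault.azure.net/secrets/storage)"},
      {"name": "WEBSITE_CONTENTSHARE", "value": "example-func-content"}
    ]}}
  }]
}
""")


def lint_template(template):
    """Return (resource name, finding) pairs for Microsoft.Web/sites resources."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.web/sites":
            continue
        props = res.get("properties", {})
        settings = {s["name"]: str(s.get("value", ""))
                    for s in props.get("siteConfig", {}).get("appSettings", [])}
        value = settings.get(SETTING)
        if value is None:
            continue
        identity_type = res.get("identity", {}).get("type", "").lower()
        if "@microsoft.keyvault(" in value.lower():
            # Assumption drawn from the error text: at site creation only a
            # reference resolved through a user-assigned identity is accepted.
            if ("userassigned" not in identity_type
                    or not props.get("keyVaultReferenceIdentity")):
                findings.append((res.get("name"),
                                 "kv-reference-without-user-assigned-identity"))
        elif "accountkey=" in value.lower():
            # The storage account key is written into the template in clear text.
            findings.append((res.get("name"), "plain-text-storage-key"))
    return findings
```

The substring checks also match ARM expressions such as `[concat('@Microsoft.KeyVault(SecretUri=', ...)]`, so the template can be linted before parameters are resolved.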

haroldwongms commented 3 years ago

@mhoeger - If we are trying to only use ARM templates to accomplish the configuration of the App Function, I am trying to figure out how to update the WEBSITE_CONTENTAZUREFILECONNECTIONSTRING with Key Vault reference after the initial deployment. I tried using this immediately after creating the function app:

{
  "name": "[concat(variables('functionAppName'), '/appsettings')]",
  "type": "Microsoft.Web/sites/config",
  "apiVersion": "2020-09-01",
  "dependsOn": [
    "[concat('Microsoft.Web/sites/', variables('functionAppName'))]"
  ],
  "properties": {
    "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('appServiceStorageAccountKeyId'), '2019-09-01').secretUriWithVersion, ')')]"
  }
}

However, I get this error even though I have a User Assigned Identity associated to the function app and the original creation step successfully created other settings with Key Vault references:

{ "status": "Failed", "error": { "code": "BadRequest", "message": "Unable to resolve Azure Files Settings from Key Vault. Details: Attempt to resolve AppSettingKey WEBSITE_CONTENTAZUREFILECONNECTIONSTRING resulted with status: MSINotEnabled.", "details": [ { "message": "Unable to resolve Azure Files Settings from Key Vault. Details: Attempt to resolve AppSettingKey WEBSITE_CONTENTAZUREFILECONNECTIONSTRING resulted with status: MSINotEnabled." }, { "code": "BadRequest" }, {} ] } }

What other option do we have?

haroldwongms commented 3 years ago

Figured out my error on applying app settings after function app deployment

j2020v commented 3 years ago

Hi, is there an ETA on this issue? I am deploying a consumption plan based function app and am unable to perform a swap slot due to missing args in the app settings:

Error: BadRequest - Storage access failed. WEBSITE_CONTENTAZUREFILECONNECTIONSTRING or WEBSITE_CONTENTSHARE appsetting is missing (CODE: 400)

What would be the workaround for deploying using yml?

eduards-vavere commented 2 years ago

Hi,

This is a real issue. I am not able to reference keyvault in ARM/Bicep template function app env settings:

{ name: 'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING' value: '@Microsoft.KeyVault(SecretUri=

mdddev commented 2 years ago

I am having the same problem. I cannot create a deployment slot off the main app if the app settings are using a key vault reference. I already tried 'allowing trusted Microsoft services' (ARM included) to bypass network restrictions and to enable the key vault for ARM deployments.

Maybe, using bicep, there is a way to execute an "update-setting-with-key-vault-ref" command immediately after deployment?

gjdonkers commented 1 year ago

> Currently - WEBSITE_CONTENTAZUREFILECONNECTIONSTRING as a key vault reference is not supported for creation, it can only be the full connection string. Then, it can be updated to use key vault references

Will this be fixed? Or should we implement the workaround as a solution?

ashugthub commented 1 year ago

Unable to resolve Azure Files Settings from Key Vault. Details: Unable to resolve setting: WEBSITE_CONTENTAZUREFILECONNECTIONSTRING with error: AccessToKeyVaultDenied. I am also facing the same issue while setting the functionapp appsetting from Key Vault using the syntax '@Microsoft.KeyVault(SecretUri=https://${keyVaultName}${az.environment().suffixes.keyvaultDns}/secrets/${funcAppWebJobStorageName})'

snapfisher commented 1 year ago

I received a slightly different error, but it's still an issue.

Failed to update web app settings: Unable to resolve Azure Files Settings from Key Vault. Details: Unable to resolve setting: WEBSITE_CONTENTAZUREFILECONNECTIONSTRING with error: MSINotEnabled.

I was just trying to enable it directly in the portal.

bergmolch commented 8 months ago

> Currently - WEBSITE_CONTENTAZUREFILECONNECTIONSTRING as a key vault reference is not supported for creation, it can only be the full connection string. Then, it can be updated to use key vault references

Is this still the case? I am having this issue now.

mdddev commented 8 months ago

Afaik yes. But there is a way if you can live with some limitations regarding scaling.

You can solely rely on the managed identity of your function app to connect to the host storage (there are docs for this). Even during creation this will work. In my case I even deactivated host key access to the storage account altogether, which renders plain-text connection strings unusable. If you want to do this, leave the following two settings out of your deployment template and assign the proper RBAC permissions as laid out in the docs.

WEBSITE_CONTENTAZUREFILECONNECTIONSTRING

WEBSITE_CONTENTSHARE

mcollier commented 8 months ago

Would setting WEBSITE_SKIP_CONTENTSHARE_VALIDATION to 1 work?

https://learn.microsoft.com/en-us/azure/azure-functions/functions-app-settings#website_skip_contentshare_validation

simozyadi commented 1 month ago

Hello,

I hope you're doing well. I recently added the WEBSITE_SKIP_CONTENTSHARE_VALIDATION setting to the Function App configuration. While the Function App was successfully created, I encountered a 503 (Service Unavailable) error when trying to access its homepage.

I ran the "Diagnose and Solve Problems" tool and received a warning under the Configuration and Management tab:

Key Vault Application Settings Diagnostics Uncategorized issues found

Could you please provide any advice on how to resolve this issue?

Thank you for your help.

Regards,

smoonlee commented 2 weeks ago

Still broken 🥲 Spent 3 hours trying to get this working. Guess I'll go back to my custom module for the storage account.