Azure / pipelines

Enable GitHub developers to trigger Azure Pipelines from a GitHub Actions workflow
MIT License

[Bug] DevOps pipeline fails when Azure function is configured to access its Storage account using Managed identity #64

Closed spmanjunath closed 10 months ago

spmanjunath commented 2 years ago

Hi,

I am trying to set up managed-identity-based access between an Azure function and its storage account, as it is explained here. I want to accomplish this using an Azure pipeline with Bicep; however, it appears that the pipeline will succeed in deploying the app only if AzureWebJobsStorage is configured. The error I get during app deployment is below:

##[error]Error: Unable to find the storage account associated with the function app.

Below are key parts of Bicep file:

resource functionAppProductionSlotSettings 'Microsoft.Web/sites/config@2021-03-01'= {
  name: '${functionApp.name}/appsettings'
  properties:{
    'FUNCTIONS_EXTENSION_VERSION':'~4'
    'FUNCTIONS_WORKER_RUNTIME': 'dotnet-isolated'
    // .....THIS IS NECESSARY FOR PIPELINE TO WORK
    // 'AzureWebJobsStorage': 'DefaultEndpointsProtocol=https;AccountName=${storageAccount.name};EndpointSuffix=${environment().suffixes.storage};AccountKey=${storageAccount.listKeys().keys[0].value}'
    'AzureWebJobsStorage__accountName': storageAccount.name
  }
}
.......
.......
resource roleAssignmentForStorageAccount 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  name: guid(storageAccount.id, functionApp.id, functionAppName)
  scope: storageAccount
  properties:{
    principalType: 'ServicePrincipal'
    principalId: functionApp.identity.principalId
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b') // STORAGE BLOB DATA OWNER
  }
}

Please suggest how to overcome the above issue. Thanks.
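An added example, not part of the original issue or of the Azure/pipelines project: a Python check that classifies a Function App's exported app settings by how they reach the `AzureWebJobsStorage` account, separating an embedded account key from the identity-based `AzureWebJobsStorage__*` settings used in the Bicep above. The function names and sample values are constructed for illustration; the suffixes other than `accountName` are assumed from the Azure Functions documentation on identity-based connections.

```python
"""Classify how Function App settings reach the AzureWebJobsStorage account."""

PREFIX = "AzureWebJobsStorage"
# Identity-based suffixes; only accountName appears in the issue, the rest are
# assumed from the Azure Functions identity-based connection settings.
IDENTITY_SUFFIXES = {"accountName", "blobServiceUri", "queueServiceUri", "tableServiceUri"}
# Connection-string fields that carry a long-lived credential.
SECRET_FIELDS = {"accountkey", "sharedaccesssignature"}


def parse_connection_string(value):
    """Split 'K1=V1;K2=V2' into a dict with lower-cased keys."""
    fields = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")  # values may themselves contain '='
        if sep and key.strip():
            fields[key.strip().lower()] = val.strip()
    return fields


def classify_storage_access(settings):
    """Return (mode, findings); mode is identity, secret, mixed, other or missing."""
    conn = settings.get(PREFIX, "")
    leaked = sorted(SECRET_FIELDS & parse_connection_string(conn).keys())
    identity_keys = sorted(
        k for k in settings
        if k.startswith(PREFIX + "__") and k.split("__", 1)[1] in IDENTITY_SUFFIXES
    )
    findings = []
    if leaked:
        findings.append("secret in app settings: " + ", ".join(leaked))
    if identity_keys:
        findings.append("identity-based settings: " + ", ".join(identity_keys))
    if leaked and identity_keys:
        mode = "mixed"      # a key is still deployed next to the identity settings
    elif leaked:
        mode = "secret"
    elif identity_keys:
        mode = "identity"
    elif conn:
        mode = "other"      # e.g. a reference or a string without a credential field
    else:
        mode = "missing"
    return mode, findings


# Constructed samples mirroring the two variants in the issue's Bicep.
KEY_BASED = {PREFIX: "DefaultEndpointsProtocol=https;AccountName=examplestore;"
                     "EndpointSuffix=core.windows.net;AccountKey=CONSTRUCTED=="}
IDENTITY_BASED = {PREFIX + "__accountName": "examplestore"}
```

A `mixed` result is the case to look for after working around a deployment failure by re-adding the connection string: the role assignment is in place, but the account key is still stored in the app settings.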

spmanjunath commented 1 year ago

Is this a known issue? If not, please suggest where the implementation is wrong. Thanks.

tjcorr commented 10 months ago

This repository only covers the GitHub Action: Azure/pipelines. Other Azure DevOps questions can be raised via a support ticket or through the community hub: https://techcommunity.microsoft.com/t5/azure-devops/bd-p/AzureDevOpsForum