MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Insufficient RBAC roles for a queue trigger with a managed identity #120932

Open mderriey opened 7 months ago

mderriey commented 7 months ago

Hi 👋

The feedback applied specifically to the "Grant permissions to the identity" section.

The RBAC roles listed for a queue trigger are Storage Queue Data Reader and Storage Queue Data Message Processor.

However, these are not sufficient for the case where a message fails processing and is released to the queue. This is an update message operation, which is not covered by the roles mentioned in the documentation. The behavior of releasing the message to the queue is baked into the Storage Queues extension; my application doesn't have any custom code using the Storage Queues client library.

The stack trace looks something like:

```text
Azure.RequestFailedException: This request is not authorized to perform this operation using this permission.
  at Azure.Storage.Queues.MessageIdRestClient+<UpdateAsync>
  at Azure.Storage.Queues.QueueClient+<UpdateMessageInternal>
  at Azure.Storage.Queues.QueueClient+<UpdateMessageAsync>
  at Microsoft.Azure.WebJobs.Host.Queues.QueueProcessor+<ReleaseMessageAsync>
  at Microsoft.Azure.WebJobs.Host.Queues.QueueProcessor+<CompleteProcessingMessageAsync>
  at Microsoft.Azure.WebJobs.Extensions.Storage.Common.Listeners.QueueListener+<ProcessMessageAsync>
```

The issue is that this exception bubbles up to the WebScriptHostExceptionHandler which shuts down the host, meaning the app is down and doesn't process messages for a couple of minutes in our case.

Some details:

For us, the workaround is to assign the Storage Queue Data Contributor role to the identity we're using.


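The gap described in the issue above can be checked mechanically. The following script is an added example, not code from the issue author or from the azure-docs repository. It models the data actions granted by the built-in Storage Queue roles and the data action each queue REST operation requires (both as published in the Azure RBAC reference), then walks the two outcomes of a queue-triggered function run: on success the listener dequeues and deletes the message; on failure it dequeues and then calls UpdateMessage to release it, which is the call in the stack trace. The `TRIGGER_PATHS` model and the `CUSTOM_WILDCARD_ROLE` definition are assumptions made for the example. The model covers only the message-level operations visible in the issue; the extension may perform other calls (for instance against the queue resource itself) that are not modeled, so the computed minimum is a lower bound, not a validated custom role.

```python
"""Check whether a set of Azure role assignments covers every data-plane
operation a Functions queue trigger performs, including the UpdateMessage
call made when a failed message is released back to the queue."""
from fnmatch import fnmatchcase

QUEUE = "Microsoft.Storage/storageAccounts/queueServices/queues"

# DataActions of the built-in roles (Azure built-in roles reference). Control-plane
# Actions are omitted: the failing call in the stack trace is a message operation.
BUILT_IN_ROLES = {
    "Storage Queue Data Reader": {f"{QUEUE}/messages/read"},
    "Storage Queue Data Message Processor": {
        f"{QUEUE}/messages/read",
        f"{QUEUE}/messages/process/action",
    },
    "Storage Queue Data Message Sender": {f"{QUEUE}/messages/add/action"},
    "Storage Queue Data Contributor": {
        f"{QUEUE}/messages/read",
        f"{QUEUE}/messages/write",
        f"{QUEUE}/messages/delete",
        f"{QUEUE}/messages/add/action",
        f"{QUEUE}/messages/process/action",
    },
}

# Hypothetical custom role (assumption for this example): Azure permission strings
# may use '*' wildcards, which the matcher below must honour.
CUSTOM_WILDCARD_ROLE = {"Example Queue Message Worker": {f"{QUEUE}/messages/*"}}

# Queue REST operation -> data action it requires (Storage authorization docs).
OPERATION_ACTION = {
    "GetMessages": f"{QUEUE}/messages/process/action",    # dequeue with visibility timeout
    "UpdateMessage": f"{QUEUE}/messages/write",           # release / extend the lease
    "DeleteMessage": f"{QUEUE}/messages/process/action",  # remove after success
}

# Assumed model of what the WebJobs queue listener does per outcome of a run.
TRIGGER_PATHS = {
    "success": ["GetMessages", "DeleteMessage"],
    "failure": ["GetMessages", "UpdateMessage"],  # ReleaseMessageAsync -> UpdateMessage
}


def granted_actions(roles, role_definitions=BUILT_IN_ROLES):
    """Union of the data-action patterns granted by the named roles."""
    actions = set()
    for role in roles:
        actions |= role_definitions[role]
    return actions


def is_permitted(action, patterns):
    """Azure RBAC matching: case-insensitive, '*' matches any run of characters."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_operations(roles, role_definitions=BUILT_IN_ROLES):
    """Return {path: [(operation, required_action), ...]} for uncovered operations."""
    patterns = granted_actions(roles, role_definitions)
    gaps = {}
    for path, operations in TRIGGER_PATHS.items():
        uncovered = [(op, OPERATION_ACTION[op]) for op in operations
                     if not is_permitted(OPERATION_ACTION[op], patterns)]
        if uncovered:
            gaps[path] = uncovered
    return gaps


def minimum_data_actions():
    """Lower bound on the data actions a trigger identity needs under this model."""
    return {OPERATION_ACTION[op] for ops in TRIGGER_PATHS.values() for op in ops}


if __name__ == "__main__":
    documented = ["Storage Queue Data Reader", "Storage Queue Data Message Processor"]
    print("documented roles, gaps:", missing_operations(documented))
    print("contributor, gaps:", missing_operations(["Storage Queue Data Contributor"]))
    print("minimum data actions:", sorted(minimum_data_actions()))
```

Run stand-alone, the script reports that the two documented roles leave the failure path uncovered on `messages/write` while Storage Queue Data Contributor covers both paths; it also shows that Contributor grants `add/action` and `delete`, which neither path in this model uses, so a narrower custom role is worth evaluating before settling on the workaround.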

Naveenommi-MSFT commented 7 months ago

@mderriey Thanks for your feedback! We will investigate and update as appropriate.

ggailey777 commented 7 months ago

Thanks @mderriey for the feedback. @mattchenderson can you verify this and I'll update the article?

RyanHill-MSFT commented 7 months ago

Thanks for looking into this @ggailey777 and @mattchenderson.