microsoft / azure-pipelines-tasks

Tasks for Azure Pipelines
https://aka.ms/tfbuild
MIT License

AzureFunctionApp does not work with storage account key vault reference and linux consumption plan #16749

Open cveld opened 2 years ago

cveld commented 2 years ago

Required Information

Entering this information will route you directly to the right team and expedite traction.

Question, Bug, or Feature?
Type: Bug

Enter Task Name: AzureFunctionApp

list here (V# not needed):
https://github.com/microsoft/azure-pipelines-tasks/tree/master/Tasks/AzureFunctionAppV1
https://github.com/microsoft/azure-pipelines-tasks/tree/master/Tasks/AzureFunctionAppV2
Interestingly, v2 does not seem to be published to the marketplace?

Environment

Issue Description

When deploying a function app to a Linux consumption plan hosted function app service with a key vault reference in the property AzureWebJobsStorage, the task will fail with the error message: Unable to find the storage account associated with the function app. Value I am using: @Microsoft.KeyVault(VaultName=myvault;SecretName=mystorageaccount-ConnectionString)

Interestingly, deploying through Visual Studio 2022 (17.2) works fine. The func CLI (version 4.0.4590) fails with the error: Error creating a Blob container reference. Please make sure your connection string in "AzureWebJobsStorage" is valid. For this it appears there is already an issue opened: https://github.com/Azure/azure-functions-core-tools/issues/2564

Task logs

I can disclose this through private channels

bennycoomans commented 1 year ago

I have the same issue. For now, I resorted to setting the connection string directly for the AzureWebJobsStorage key, instead of using a key vault reference. However, this feels less secure, so it would be great if this could be fixed.

@nadesu, this issue has been auto-assigned to you, would you play a role in addressing this issue and if so, do you have any idea if this will be fixed somewhere in the (near or distant) future?
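As an added example (not code from the task or from anyone in this thread): a pre-deployment check that tells apart the two AzureWebJobsStorage values discussed above, a Key Vault reference and a plaintext connection string carrying an account key. The function names and the sample settings are assumptions constructed for illustration.

```python
import re

# Key Vault reference syntax for app settings: either SecretUri=... or
# VaultName=...;SecretName=...[;SecretVersion=...]
_KV_REF = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.*)\)$", re.IGNORECASE)


def parse_key_vault_reference(value):
    """Return the reference's fields as a dict, or None if value is not a reference."""
    m = _KV_REF.match(value.strip())
    if not m:
        return None
    fields = {}
    for part in m.group("body").split(";"):
        if "=" in part:
            key, _, val = part.partition("=")
            fields[key.strip().lower()] = val.strip()
    if "secreturi" in fields or {"vaultname", "secretname"} <= fields.keys():
        return fields
    return None


def classify_storage_setting(app_settings):
    """Classify AzureWebJobsStorage: missing, keyvault-reference, plaintext-key or other."""
    value = app_settings.get("AzureWebJobsStorage", "")
    if not value:
        return "missing"
    if parse_key_vault_reference(value) is not None:
        return "keyvault-reference"
    # A raw connection string is ';'-separated Key=Value pairs; AccountKey is the secret.
    keys = {p.partition("=")[0].strip().lower() for p in value.split(";") if "=" in p}
    if "accountkey" in keys:
        return "plaintext-key"
    return "other"


# Constructed sample settings (hypothetical names, not taken from a real app).
SAMPLES = {
    "reference": {"AzureWebJobsStorage": "@Microsoft.KeyVault(VaultName=myvault;SecretName=mystorageaccount-ConnectionString)"},
    "plaintext": {"AzureWebJobsStorage": "DefaultEndpointsProtocol=https;AccountName=examplestore;AccountKey=CONSTRUCTED_PLACEHOLDER==;EndpointSuffix=core.windows.net"},
}

if __name__ == "__main__":
    for name, settings in SAMPLES.items():
        print(name, "->", classify_storage_setting(settings))
```

Run against the app settings before the deployment step, "keyvault-reference" marks the configuration this issue reports as failing, and "plaintext-key" marks the workaround that leaves the account key readable in the app settings.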

FinVamp1 commented 1 year ago

Hi, I will test this soon and come back to this work item and update you.

databrickstrainer commented 1 year ago

Any update on this issue? It seems like it's still a problem...

FinVamp1 commented 1 year ago

Hi, still thinking about how best to implement this. Would you be happy to add the Service Principal directly and manually to the Key Vault to enable this functionality?

cveld commented 1 year ago

Which service principal?

In both cases this should be done upfront before running the azure pipelines task.

github-actions[bot] commented 11 months ago

This issue is stale because it has been open for 180 days with no activity. Remove the stale label or comment on the issue otherwise this will be closed in 5 days

bennycoomans commented 11 months ago

> This issue is stale because it has been open for 180 days with no activity. Remove the stale label or comment on the issue otherwise this will be closed in 5 days

I don't think this issue should be closed.

Saulopv commented 8 months ago

This is still a problem for me, not stale.

af-mst commented 7 months ago

Has there been any progress? We moved all access to Storage Accounts to RBAC; for the deployments we still have to have the Storage connection string in the portal settings under AzureWebJobsStorage :(

reubano commented 5 months ago

Same issue. I found this SO answer that claims to have gotten it to work by setting appSettings in the pipeline yaml. I haven't been able to reproduce though.

gudbrand3 commented 2 months ago

I have had the same issue and after a lot of digging found this post. I'm experiencing the same, actually the same issue for both

The;

I have tested the SO answer @reubano for both cases, Linux and Windows, but couldn't get it working, so I'm not sure but have my doubts. It says nothing about which app plan is being used as far as I can tell, so it might not be consumption based.

To me it seems like a clear limitation/bug of consumption based app plans and something Microsoft should address, given they say best practice is to use keyvault for secrets. It can't be 90%