0
votes

I can run the function app by using the connection string from the access key of the storage account and putting it into the function application settings.

However, if I generate a SAS and connection string from the Shared access signature menu in the storage account and use that connection string in my function app settings, I can't get the function running.

Here is my SAS connection string: BlobEndpoint=https://StorageAccountName.blob.core.windows.net/;QueueEndpoint=https://StorageAccountName.queue.core.windows.net/;FileEndpoint=https://StorageAccountName.file.core.windows.net/;TableEndpoint=https://StorageAccountName.table.core.windows.net/;SharedAccessSignature=sv=2019-10-10&ss=bfqt&srt=sco&sp=rwdlacupx&se=2020-06-10T11:28:43Z&st=2020-06-10T03:28:43Z&spr=https,http&sig={signature}

Function Json

{
  "generatedBy": "Microsoft.NET.Sdk.Functions-3.0.1",
  "configurationSource": "attributes",
  "bindings": [
    {
      "type": "blobTrigger",
      "connection": "StorageAccountName",
      "path": "containerName/{name}",
      "name": "myBlob"
    }
  ],
  "disabled": false,
  "scriptFile": "../bin/FunctionDemoBlobTrigger.dll",
  "entryPoint": "BlobTriggerFunctionName.BlobTrigger.Run"
}

Hitting function URL gives 'Function host is not running' error.

Running function app in test mode gives 'Status: 500 Internal Server Error' error.

Update: After encoding the SharedAccessSignature portion of the connection string, I am getting an error.

Are you URL encoding your SAS connection string? - Gaurav Mantri
@Gaurav I am using the connection string as it is. I haven't encoded it. - Sonam Mohite
Can you try encoding it? Essentially encode the SharedAccessSignature portion of the connection string (replace & with &amp;). - Gaurav Mantri
Which doc did you refer to? I don't think it was supported. - Joy Wang-MSFT
@Joy I did not follow any document. It was just one of the requirements to use a SAS token in the connection string. - Sonam Mohite

2 Answers

0
votes

I don't think it was supported to use the SAS connection string in AzureWebJobsStorage.

From the doc, here and here, always use the storage account key in AzureWebJobsStorage.

And if you try to create a new blob trigger in the portal, you will find that only app settings which match the format DefaultEndpointsProtocol=https;AccountName=[name];AccountKey=[key] will be found; any other value will appear unavailable. For the existing one, if you change the app setting, you will get the 500 error.

So if, in your case, you don't want to use the account key because of the security issue, a good workaround is to use Azure Key Vault.

Store the account key as a secret in the key vault, enable the system-assigned identity of the function app (user-assigned identity is not supported currently, the function app can have both of them at one time), add it to the access policy of the key vault, then specify the app setting like @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931).

After the configuration, it will be like below.

For more details, see Reference - Use Key Vault references for App Service and Azure Functions

0
votes

If you are specifying a SAS in a connection string in a configuration file, you may need to encode special characters in the URL via HTML encoding.

<add name="AzureWebJobsStorage" connectionString="BlobEndpoint=https://xxx.blob.core.windows.net/;QueueEndpoint=https://brucechen01.queue.core.windows.net/;SharedAccessSignature=sv=2020-06-10&amp;ss=bq&amp;srt=sco&amp;sp=rwdlacup&amp;se=2020-06-30T18:39:25Z&amp;st=2020-06-25T10:39:25Z&amp;spr=https&amp;sig={signature}" />
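
Added example (not from the question or either answer): a Python check that splits a SAS connection string on `;` and `&`, flags what is visible in the question's token (`spr=https,http`, all four services, an `se` already in the past), and shows that a value still containing `&amp;` outside an XML file loses its `sig` because the `;` in `&amp;` collides with the connection-string delimiter. The account name `example`, the `PLACEHOLDER` signature and the `needed_services` default are assumptions.

```python
from datetime import datetime, timezone
from html import unescape
from urllib.parse import parse_qs

def parse_conn(value, xml_escaped=False):
    """Return (settings, sas_fields) for a ';'-delimited storage connection string."""
    if xml_escaped:  # value taken from an XML attribute: turn &amp; back into &
        value = unescape(value)
    settings = {}
    for part in filter(None, value.split(";")):
        key, _, val = part.partition("=")  # first '=' only; the SAS contains more
        settings[key] = val
    fields = parse_qs(settings.get("SharedAccessSignature", ""), keep_blank_values=True)
    return settings, {k: v[-1] for k, v in fields.items()}

def _ts(text):
    # SAS timestamps on this page use the form 2020-06-10T11:28:43Z (UTC)
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def review_sas(sas, now, needed_services="bq"):
    """List review findings; needed_services is the caller's assumption."""
    if "sig" not in sas:
        return ["no sig field: value truncated or still XML-escaped"]
    findings = []
    if "http" in sas.get("spr", "").split(","):
        findings.append("spr allows plain http")
    extra = set(sas.get("ss", "")) - set(needed_services)
    if extra:
        findings.append("ss grants unneeded services: " + "".join(sorted(extra)))
    if "se" in sas and _ts(sas["se"]) <= now:
        findings.append("expired at " + sas["se"])
    return findings

# Constructed samples modelled on the two connection strings quoted on this page.
QUESTION = ("BlobEndpoint=https://example.blob.core.windows.net/;"
            "SharedAccessSignature=sv=2019-10-10&ss=bfqt&srt=sco&sp=rwdlacupx"
            "&se=2020-06-10T11:28:43Z&st=2020-06-10T03:28:43Z"
            "&spr=https,http&sig=PLACEHOLDER")
ESCAPED = QUESTION.replace("&", "&amp;")  # the form needed inside an XML attribute

if __name__ == "__main__":
    now = datetime(2020, 6, 11, tzinfo=timezone.utc)
    for label, value, esc in [("as pasted", QUESTION, False),
                              ("escaped, read raw", ESCAPED, False),
                              ("escaped, unescaped first", ESCAPED, True)]:
        print(label, "->", review_sas(parse_conn(value, esc)[1], now))
```
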