Don't 'hardcode' the storage account connection string for the storage account that backs Azure Functions
Currently each Function App has an application setting string "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING" which is a fixed (=hardcoded) connection string. This breaks when performing key rotation on the connection string and is opaque to diagnose since that setting is automatically set up by the portal UI/wizard.
Can you instead just store the subscription ID and storage account name and then fetch the latest connection string for the storage account using the management API? This will make sure that the function app survives storage account key rotations.
This makes sense. We are working on solutions to enable storing the secret in Key Vault and account for rotation. There is some additional validation logic that needs to be relaxed to enable these scenarios.
Jesper Kristensen commented
Please allow connecting to the storage account using Managed Identity.
This is looking more and more like something the community should take control of, either altruistically via GitHub or not via the Azure Marketplace, re: https://stackoverflow.com/questions/64321665/managing-the-rotation-of-azure-storage-account-keys-with-azure-function-and-key
Jiri Formacek commented
Hello, it's been 2 years since the last update. Has there been any progress since? We're just deciding if we should invest effort into development of custom logic to manage the storage account connection string on custom web apps, so it would be good to know if the feature is on the horizon.
What is the ETA on this?
Hi, is there any update on this? There are other hardcoded connection strings like AzureWebJobsStorage and AzureWebJobsDashboard, and the function breaks when there's an auto key rotation in the storage account. Is there a recommended way to fix this issue? Thanks!
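
The failure this thread describes (app settings that keep a copy of an account key and stop working once that key is regenerated) can be checked for around a rotation. The following is an added example, not part of the thread and not Microsoft code: it compares the three settings named above against the account's currently valid keys. The account names and keys are constructed; in practice the settings and keys would be read from the management API or CLI.

```python
# Settings named in this thread that carry a full storage connection string.
STORAGE_SETTINGS = (
    "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
    "AzureWebJobsStorage",
    "AzureWebJobsDashboard",
)


def parse_connection_string(value):
    """Split 'Name=Value;Name=Value' into a dict.

    Only the first '=' separates name from value: base64 account keys
    end in '=' padding, so a plain split('=') would truncate the key.
    """
    fields = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep and name.strip():
            fields[name.strip()] = val.strip()
    return fields


def stale_settings(app_settings, account_name, valid_keys):
    """Return names of settings that target account_name with a key not in valid_keys."""
    stale = []
    for name in STORAGE_SETTINGS:
        fields = parse_connection_string(app_settings.get(name, ""))
        if fields.get("AccountName", "").lower() != account_name.lower():
            continue  # unset, or points at a different storage account
        if fields.get("AccountKey", "") not in valid_keys:
            stale.append(name)
    return stale


# Constructed sample data (placeholder account names and keys).
OLD_KEY1, NEW_KEY1, KEY2 = "OLDKEY1constructed==", "NEWKEY1constructed==", "KEY2constructed=="
_CS = "DefaultEndpointsProtocol=https;AccountName={};AccountKey={};EndpointSuffix=core.windows.net"
SAMPLE_SETTINGS = {
    "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": _CS.format("examplefuncstore", OLD_KEY1),
    "AzureWebJobsStorage": _CS.format("examplefuncstore", KEY2),
    "AzureWebJobsDashboard": _CS.format("otherstore", OLD_KEY1),
}

if __name__ == "__main__":
    # key1 has been regenerated: only NEW_KEY1 and KEY2 are still accepted.
    for setting in stale_settings(SAMPLE_SETTINGS, "examplefuncstore", [NEW_KEY1, KEY2]):
        print("stale key in app setting:", setting)
```

Run before a rotation with the key that is about to be regenerated left out of `valid_keys`, the same function lists the settings that would break.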