Don't 'hardcode' the storage account connection string for the storage account that backs azure functions
Currently each Function App has an application setting string "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING"which is a fixed (=hardcoded) connection string. This breaks when performing key rotation on the connection string and is opaque to diagnose since that setting is automatically setup by the portal UI/wizard.
Can you instead just store the subscription ID and storage account name and then fetch the latest connection string for the storage account using the management API? This will make sure that the function app survives storage account key rotations
This makes sense. We are working on solutions to enable storing the secret in Key Vault and account for rotation. There is some additional validation logic that needs to be relaxed to enable these scenarios.
hi, is there any update on this? There are other hardcoded connection strings like AzureWebJobsStorage and AzureWebJobsDashboard, and the function breaks when there's a auto key rotation in the storage account, is there a recommended way to fix this issue? thanks!