Blob trigger support with Service Principal/Managed Identity
We are trying to set up a Blob Triggered Function, but we are limited to using only a service principal/managed identity to access the storage because of the security concerns in directly using access keys.
We did not find a way to bypass the blob trigger's use of a connection string.
Theoretically, since Blob Storage is integrated with Azure Active Directory, it should be possible to provide the right RBAC permissions on my Blob Containers so that the Function's identity (Managed Service Identity)/service principal has whatever permissions are necessary to create the trigger and read from the blobs.
We are expecting the Azure Functions blob trigger to support authentication with a service principal/managed identity.
Jonathan Jones commented
I would also like this feature. We have another team that needs to ingest data (in a different subscription) and to configure the trigger we now:
- have to expose what are effectively root passwords to individuals
- struggle to rotate the credentials, as with every rotation the other team would need to update their trigger
Please add MI support to Blob triggers ASAP.
My comment is for a logic app, but I believe it's the same root cause.