Cannot deploy to a function hosted on Linux Consumption plan when AzureWebJobsStorage config setting is Key Vault reference
See original GitHub issueWhen a function hosted on Linux Consumption plan has AzureWebJobsStorage configuration setting set to valid Key Vault reference, errors block successful deployment via Az CLI and Functions CLI.
Investigative information
Please provide the following:
- Timestamp: 2021-03-26 04:06:00 UTC
- Function App version: ~3 runtime, dotnet-isolated (.NET 5)
- Function App name: oe-twitch-eus-identity-2021-03-15-func
- Function name(s) (as appropriate): N/A
- Invocation ID: N/A
- Region: East US
Repro steps
- Create Function App using Linux Consumption plan
- Enable Function System-Assigned Managed Identity
- Create Azure Key Vault and grant Function App identity Secret List/Get permissions in Key Vault ACL
- Add Key Vault secret containing the Function’s Storage Account connection string as a value
- Update the Function App AzureWebJobsStorage to be a Key Vault reference
- Attempt to deploy a function app via Az CLI or Functions CLI.
Expected behavior
- Step 6 will successfully deploy the code to the Function App
Actual behavior
Az CLI fails with the following errors:
az functionapp deployment source config-zip -g OE-TWITCH-EUS -n oe-twitch-eus-identity-2021-03-15-func --src .\bin\publish\publish.zip
The command failed with an unexpected error. Here is the traceback:
You need to provide an account name and either an account_key or sas_token when creating a storage service.
Traceback (most recent call last):
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-taryuzhh\knack\cli.py", line 233, in invoke
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-sc_lkrar\azure\cli\core\commands\__init__.py", line 660, in execute
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-sc_lkrar\azure\cli\core\commands\__init__.py", line 723, in _run_jobs_serially
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-sc_lkrar\azure\cli\core\commands\__init__.py", line 716, in _run_job
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-l7ikczg1\six.py", line 703, in reraise
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-sc_lkrar\azure\cli\core\commands\__init__.py", line 694, in _run_job
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-sc_lkrar\azure\cli\core\commands\__init__.py", line 331, in __call__
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-sc_lkrar\azure\cli\core\__init__.py", line 808, in default_command_handler
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-ibh5mnup\azure\cli\command_modules\appservice\custom.py", line 385, in enable_zip_deploy_functionapp
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-ibh5mnup\azure\cli\command_modules\appservice\custom.py", line 543, in upload_zip_to_storage
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-r6yjb8kq\azure\multiapi\storage\v2018_11_09\blob\blockblobservice.py", line 146, in __init__
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-r6yjb8kq\azure\multiapi\storage\v2018_11_09\blob\baseblobservice.py", line 209, in __init__
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-r6yjb8kq\azure\multiapi\storage\v2018_11_09\common\_connection.py", line 110, in get_service_parameters
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-r6yjb8kq\azure\multiapi\storage\v2018_11_09\common\_connection.py", line 161, in _from_connection_string
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-unpacked-wheel-r6yjb8kq\azure\multiapi\storage\v2018_11_09\common\_connection.py", line 85, in __init__
ValueError: You need to provide an account name and either an account_key or sas_token when creating a storage service.
To open an issue, please run: 'az feedback'
Functions CLI fails with the following errors:
func azure functionapp publish oe-twitch-eus-identity-2021-03-15-func
Microsoft (R) Build Engine version 16.9.0+57a23d249 for .NET
Copyright (C) Microsoft Corporation. All rights reserved.
Determining projects to restore...
All projects are up-to-date for restore.
func-dotnet5 -> C:\Users\ryan\source\repos\func-dotnet5\bin\publish\func-dotnet5.dll
Determining projects to restore...
Restored C:\Users\ryan\AppData\Local\Temp\ure1mi1o.wlg\WorkerExtensions.csproj (in 1.14 sec).
WorkerExtensions -> C:\Users\ryan\AppData\Local\Temp\ure1mi1o.wlg\buildout\Microsoft.Azure.Functions.Worker.Extensions.dll
Build succeeded.
0 Warning(s)
0 Error(s)
Time Elapsed 00:00:08.79
Getting site publishing info...
Uploading package...
Error creating a Blob container reference. Please make sure your connection string in "AzureWebJobsStorage" is valid
Retry: 1 of 3
Error creating a Blob container reference. Please make sure your connection string in "AzureWebJobsStorage" is valid
Retry: 2 of 3
Error creating a Blob container reference. Please make sure your connection string in "AzureWebJobsStorage" is valid
Retry: 3 of 3
Error creating a Blob container reference. Please make sure your connection string in "AzureWebJobsStorage" is valid
Known workarounds
- Do not use a Key Vault reference for AzureWebJobsStorage setting on a Linux Consumption plan
- Use a Windows Consumption plan appears to work with AzureWebJobsStorage as Key Vault reference
Related information
Provide any related information
- Programming language used: .NET 5
- Links to source: N/A
- Bindings used: N/A
Issue Analytics
- State:
- Created 2 years ago
- Reactions:3
- Comments:10 (3 by maintainers)
Top Results From Across the Web
Use Key Vault references - Azure App Service
This article shows you how to use secrets from Azure Key Vault as values of app settings or connection strings in your App...
Read more >AzureWebJobsStorage, the secret you don't need in your ...
A solution could be to store the AzureWebJobsStorage secret value in an Azure Key Vault and use a Key Vault reference to link...
Read more >KeyVault reference not working for Linux Python Azure ...
It's a bug with Azure Functions Linux Apps. SecretUri does not resolve with a Consumption Plan, but works with a Premium Plan.
Read more >azurerm_function_app | Resources | hashicorp/azurerm
Setting this value only affects function apps under the consumption plan. enabled - (Optional) Is the Function App enabled? Defaults to true ....
Read more >How to set up automated deployment of a Linux function ...
This tutorial/explainer is tailored to fellow hackers setting up their apps on the Linux Consumption plan. It is in many ways generic in...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
Yes, didn’t get a chance to work on this. Sprint 101 is good. Thanks
This is crucial, why is it not touched for years? Also, there is no good error message or notification that tells the developer that this is not supported. I wasted hours here!