Logic App Standard: extension bundle doesn't support connecting to the storage account using Managed Service Identity
I have a Logic App Standard with two workflows, one uses a manual trigger and the other a timer trigger. Both run successfully locally in VSCode. Once deployed to Azure, the function app fails with the following error: Microsoft.WindowsAzure.Storage: Value cannot be null. (Parameter 'connectionString').
It seems that the extension bundle in use doesn't support Managed Service Identity (MSI) when connecting to the storage account, here is my host.json:
{
"version": "2.0",
"logging": {
"applicationInsights": {
"samplingSettings": {
"isEnabled": true,
"excludedTypes": "Request"
}
}
},
"extensionBundle": {
"id": "Microsoft.Azure.Functions.ExtensionBundle.Workflows",
"version": "[1.*, 2.0.0)"
}
}
I have added the following application setting already but it doesn't seem to be supported:
AzureWebJobsStorage__accountName=storageaccountname
Any guidance or advice in where to look in order to find out where the problem is?
Note that there is a policy in place preventing the use of access keys for storage accounts hence the need to connect using MSI.
Standard logic app by default connects to storage account using connection string but if you would like to use identity based connection then you need to go for user assigned managed identity as of now user assigned managed identity is only supported.
You can also refer to this MS Doc which says the same.
By default, your Standard logic app authenticates access to your Azure Storage account by using a connection string. However, you can set up a user-assigned managed identity to authenticate access instead.
In order to authenticate using user-assigned managed identity and disable the use of storage connection string, you need to create the logic app in App Service Environment v3 hosting option.
Add the below RBAC roles to user assigned managed identity instance in storage account.
- Storage Account Contributor
- Storage Blob Data Owner
- Storage Queue Data Contributor
- Storage Table Data Contributor
Add the user-assigned managed identity to your standard logic app instance.
Delete AzureWebJobsStorage from App settings and use the below given values.
AzureWebJobsStorage__managedIdentityResourceId :- Resource Id of User-assigned managed Identity
AzureWebJobsStorage__blobServiceUri :- Storage Blob Service Uri
AzureWebJobsStorage__queueServiceUri :- Storage Queue Service Uri
AzureWebJobsStorage__tableServiceUri :- Storage Table Service Uri
AzureWebJobsStorage__credential :- managedIdentity
Save the changes. You might get a message "AzureWebjobsStorage" app setting is not present. in Overview blade of your logic app but it will not affect the logic app and will work as expected.
- Azure PowerShell command to list all Azure VM SKU Sizes enabled for Confidential Computing Azure ACC
- Create Azure TimerTrigger Durable Function in python
- Azure File Share: Cannot map network drive
- RBAC with bicep
- ADF expression to convert array to comma separated string
- How to get status of Azure machine learning service pipeline run using Rest Api?
- How do I deploy a Nuxt 3 solution to an Azure Node Web App
- Azure Blob Upload not working in ASP .Net Core Application
- How to clear a Cosmos DB database or delete all items using Azure portal
- Using script commands, how to add multiple scale rules to an Azure Container App?
- User Assigned Managed Identity: No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId
- Generate resources dynamically from another group of dynamically generated resources in Terraform
- Column reordering in ADF
- Logic App AuthorizationFailure - vnet integration needed
- Azure blob, controlling filename on download
- Azure VNet peering with Private Link
- Get Private FQDNs, IPs, Names of the Private Endpoints for the Azure resources deployed in an Virtual Network using PowerShell Script
- How to configure appsettings on a auto-generated preview environment
- Using Azure DevOps, how do I migrate a release pipeline to code, similar to build pipeline yml?
- Root login Ubuntu VM on Azure
- Filtering azure devops release build based upon build tag with "Continuous deployment trigger"
- Azure WebApp autoscale
- How to handle long startup times in Azure App Service deployment
- Frontend not available when front and back on same Web App Azure
- Use Salesforce Connectors from Hosted Azure Logic App in VSCode?
- What is considered an ingestion request in Azure Data Explorer?
- Provisioning (SCIM) by Entra/Azure: Why can I not select the "groups" attribute in my attribute mapping?
- Azure function verbose trace logging to Application Insights
- Azure function app GraphServiceClient create list
- Cypress tests fail to run in parallel mode due to mismatched specs between different runs