Tags: azure, azure-functions, azure-blob-storage, azure-managed-identity

AzureWebJobsStorage Managed Identity not working


I am trying to get my Azure Function, containing a couple of blob and queue triggers, to work with managed identity instead of a connection string. But I am facing the error:

Azure.Storage.Blobs: This request is not authorized to perform this operation using this permission... AuthorizedPermissionMismatch...

I have added the roles of Storage Blob Data Contributor, Storage Queue Data Contributor and Storage Blob Data Owner to the function app on the storage account. And I have the following environment variable in my function app:

AzureWebJobsStorage__accountName: testStorage28372162

My blob and queue triggers use managed identity just fine; they are configured like so:

BlobStoragen__accountName: testBlobStorage32312
BlobStoragen__credential: managedidentity
BlobStoragen__blobServiceUri: https://testBlobStorage32312.blob.core.windows.net

And the queue in the same way.

What am I missing?


Solution

  • (Confirmed working; you can skip to "Third try" to see the final solution.)

    First try

    Let me give it a try. Question: did you add both of the settings below in the app settings for AzureWebJobsStorage?

    "AzureWebJobsStorage__accountName": "rgbeta18230",
    "AzureWebJobsStorage__credential": " managedidentity",
    

    I have created the exact function app based on your description: blob trigger in storage account rgbeta18230blob and AzureWebJobs in rgbeta18230.

    test1: using AzureWebJobsStorage with a connection string, the trigger works.

    test2: removed AzureWebJobsStorage and added "AzureWebJobsStorage__accountName": "rgbeta18230" only; getting the same error as yours:

    [screenshot: error]

    test3: further added "AzureWebJobsStorage__credential": " managedidentity"; the trigger works again.

    In short, AzureWebJobsStorage__credential is needed to tell the FA to use managedidentity; leaving it out will not use managedidentity. Please give it a try.

    My C# func app host.json below: [screenshot]

    Second try

    Refer to this link, https://docs.azure.cn/en-us//azure-functions/functions-reference?tabs=blob&pivots=programming-language-csharp, under "Grant permission to the identity":

    The AzureWebJobsStorage connection is used internally for blobs and queues that enable the trigger. If it's configured to use an identity-based connection, it needs extra permissions beyond the default requirement. The required permissions are covered by the Storage Blob Data Owner, Storage Queue Data Contributor, and Storage Account Contributor roles.

    I also checked my working FA's RBAC on the storage account; these 3 roles are assigned. I also tried taking out Storage Account Contributor, and the FA gave the same error.

    [screenshot: role assignments]

    Additional information from the GitHub repo: Regarding the Storage Account Contributor, that should only be needed if you are using a blob trigger, I believe. The account metadata needs to be read to handle the $logs collection used for managing the trigger state.

    [screenshot: GitHub comment]

    https://github.com/Azure/azure-functions-host/issues/8135#issuecomment-1040879695
    https://github.com/Azure/Azure-Functions/issues/2189

    Third try

    Second try has resolved the FA permission issue; however, the blob trigger still fails. Further research shows more RBAC is needed and also an app setting. I paste my full configuration below that works for the FA and the trigger.

    1- RBAC for rgbeta18230

    This is for AzureWebJobsStorage; please add Storage Queue Data Contributor.

    [screenshot: role assignments for rgbeta18230]

    This Storage Queue Data Contributor is to resolve this error in App Insights:

    [screenshot: App Insights error]

    2- RBAC for rgbeta18230blob

    This is for the blob trigger.

    [screenshot: role assignments for rgbeta18230blob]

    3- App settings for the FA

    Please add BlobStoragen__queueServiceUri.

    [screenshot: app settings]
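As an added example (not code from the question or the answer above): the following Azure CLI script applies the full configuration the answer converges on in one place, so the three pieces are not spread over screenshots: a system-assigned identity on the function app, the three host roles on the AzureWebJobsStorage account, the two trigger roles on the account the blob trigger watches, and identity-based app settings for both connections with the plain AzureWebJobsStorage connection string removed. The storage account names (rgbeta18230, rgbeta18230blob) and the connection prefix BlobStoragen are taken from the answer; the resource group, function app name, subscription id and principal id placeholder are assumptions, overridable via environment variables. DRY_RUN=1 (the default) prints the az commands instead of executing them.

```shell
#!/usr/bin/env sh
# Added example, not code from the question or answer above. Applies the
# configuration the answer ends up with (identity-based AzureWebJobsStorage,
# identity-based trigger connection, RBAC on both storage accounts) via az CLI.
# RG, FUNC_APP and SUB are assumed placeholder names; override them via env.
set -eu

RG="${RG:-rg-func-demo}"                              # assumed resource group
FUNC_APP="${FUNC_APP:-func-demo-app}"                 # assumed function app name
SUB="${SUB:-00000000-0000-0000-0000-000000000000}"    # assumed subscription id
HOST_STORAGE="${HOST_STORAGE:-rgbeta18230}"           # account behind AzureWebJobsStorage
TRIGGER_STORAGE="${TRIGGER_STORAGE:-rgbeta18230blob}" # account the blob trigger watches
CONN="${CONN:-BlobStoragen}"                          # connection name used by the trigger binding
DRY_RUN="${DRY_RUN:-1}"                               # 1 = print az commands, 0 = execute them

# Print the command (dry run) or execute it. stdin is detached so az cannot
# consume the role list that assign_roles reads from its own stdin.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@" </dev/null; fi
}

# ARM resource id of a storage account, used as the RBAC scope.
storage_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s\n' \
    "$SUB" "$RG" "$1"
}

# Roles the host's AzureWebJobsStorage connection needs when identity-based
# (the set quoted from the Functions docs in the answer's second try).
host_roles() {
  printf '%s\n' "Storage Blob Data Owner" "Storage Queue Data Contributor" "Storage Account Contributor"
}

# Roles for the connection a blob trigger uses. The trigger writes blob receipts
# and uses a queue in the same account, hence the queue role the third try adds.
trigger_roles() {
  printf '%s\n' "Storage Blob Data Owner" "Storage Queue Data Contributor"
}

# Identity-based app settings for both connections; no connection string anywhere.
# __accountName is the short form for AzureWebJobsStorage. The trigger connection
# gets explicit blob AND queue service URIs because the blob trigger needs both.
# Values carry no leading whitespace, so a stray " managedidentity" cannot slip in.
app_settings() {
  local host="$1" trig="$2" conn="$3"
  printf '%s\n' \
    "AzureWebJobsStorage__accountName=${host}" \
    "AzureWebJobsStorage__credential=managedidentity" \
    "${conn}__blobServiceUri=https://${trig}.blob.core.windows.net" \
    "${conn}__queueServiceUri=https://${trig}.queue.core.windows.net" \
    "${conn}__credential=managedidentity"
}

# Assign every role read from stdin to the principal, scoped to one storage account.
assign_roles() {
  local principal="$1" account="$2" scope role
  scope="$(storage_scope "$account")"
  while IFS= read -r role; do
    run az role assignment create --assignee-object-id "$principal" \
      --assignee-principal-type ServicePrincipal --role "$role" --scope "$scope"
  done
}

main() {
  # 1. System-assigned managed identity on the function app.
  run az functionapp identity assign -g "$RG" -n "$FUNC_APP"
  if [ "$DRY_RUN" = "1" ]; then
    principal="<principal-object-id>"   # placeholder in dry-run mode
  else
    principal="$(az functionapp identity show -g "$RG" -n "$FUNC_APP" --query principalId -o tsv)"
  fi

  # 2. RBAC: host roles on the AzureWebJobsStorage account, trigger roles on the other.
  host_roles | assign_roles "$principal" "$HOST_STORAGE"
  trigger_roles | assign_roles "$principal" "$TRIGGER_STORAGE"

  # 3. App settings: drop the connection-string form, then set the identity-based keys.
  run az functionapp config appsettings delete -g "$RG" -n "$FUNC_APP" --setting-names AzureWebJobsStorage
  settings="$(app_settings "$HOST_STORAGE" "$TRIGGER_STORAGE" "$CONN" | tr '\n' ' ')"
  # $settings is intentionally unquoted: each KEY=VALUE becomes one argument (no spaces in values).
  run az functionapp config appsettings set -g "$RG" -n "$FUNC_APP" --settings $settings
}

main
```

Run it first with the default DRY_RUN=1 and read the printed commands, then with DRY_RUN=0 once the placeholders match real resources. After it runs, the error in the question should disappear only once all three parts are in place: the __credential key (first try), the host roles including Storage Account Contributor (second try), and the queue role plus __queueServiceUri for the trigger connection (third try); removing any one of them reproduces one of the failures the answer walks through.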