Azure-functions-host: WEBSITE_CONTENTAZUREFILECONNECTIONSTRING as keyvault reference makes deployment fail

Created on 25 Jan 2021 · 4 Comments · Source: Azure/azure-functions-host

Deployment failed. Correlation ID: f171c78c-ad28-4426-aea4-cd9ae0bf57e9. {
  "Code": "BadRequest",
  "Message": "The parameter 'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING' has an invalid value. Details: Cannot specify key vault references not referencing User Assigned Identity on Create Site.",
  "Target": null,
  "Details": [
    {
      "Message": "The parameter 'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING' has an invalid value. Details: Cannot specify key vault references not referencing User Assigned Identity on Create Site."
    },
    {
      "Code": "BadRequest"
    },
    {
      "ErrorEntity": {
        "ExtendedCode": "01033",
        "MessageTemplate": "The parameter '{0}' has an invalid value. Details: {1}.",
        "Parameters": [
          "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",
          "Cannot specify key vault references not referencing User Assigned Identity on Create Site"
        ],
        "Code": "BadRequest",
        "Message": "The parameter 'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING' has an invalid value. Details: Cannot specify key vault references not referencing User Assigned Identity on Create Site."
      }
    }
  ],
  "Innererror": null
}

Per comment here:
https://github.com/Azure/azure-functions-host/issues/5306#issuecomment-696561132

All 4 comments

Currently, WEBSITE_CONTENTAZUREFILECONNECTIONSTRING as a key vault reference is not supported for creation; it can only be the full connection string. Then, it can be updated to use key vault references.
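
A pre-deployment check for the restriction described in the comment above, as an added example that is not part of the thread or the project's code: it scans an ARM template and reports any Microsoft.Web/sites resource that sets WEBSITE_CONTENTAZUREFILECONNECTIONSTRING to a Key Vault reference at creation. The template, resource names and parameter names are constructed, and the check assumes app settings are declared under properties.siteConfig.appSettings.

```python
SETTING = "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING"
KV_MARKER = "@microsoft.keyvault("  # Key Vault reference prefix, compared lowercased

def kv_ref(secret_param):
    # Constructed ARM expression that evaluates to a Key Vault reference.
    return f"[concat('@Microsoft.KeyVault(SecretUri=', parameters('{secret_param}'), ')')]"

# Constructed sample template; every name and parameter here is hypothetical.
SAMPLE_TEMPLATE = {
    "resources": [
        {"type": "Microsoft.Web/sites", "name": "func-bad", "properties": {"siteConfig": {"appSettings": [
            {"name": "AzureWebJobsStorage", "value": kv_ref("jobsSecretUri")},
            {"name": SETTING, "value": kv_ref("contentSecretUri")},
        ]}}},
        {"type": "Microsoft.Web/sites", "name": "func-ok", "properties": {"siteConfig": {"appSettings": [
            {"name": SETTING, "value": "[parameters('contentConnectionString')]"},
        ]}}},
        # A later app-settings update is outside the creation-time restriction,
        # so this check does not report it.
        {"type": "Microsoft.Web/sites/config", "name": "func-ok/appsettings",
         "properties": {SETTING: kv_ref("contentSecretUri")}},
    ]
}

def is_kv_reference(value):
    """True if a literal or ARM expression string contains a Key Vault reference."""
    return isinstance(value, str) and KV_MARKER in value.lower()

def find_create_time_kv_refs(template):
    """Names of Microsoft.Web/sites resources whose creation-time app settings
    set SETTING to a Key Vault reference (static check; parameter values that
    are only known at deployment time are not resolved)."""
    hits = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.web/sites":
            continue
        site_config = (res.get("properties") or {}).get("siteConfig") or {}
        for item in site_config.get("appSettings") or []:
            if item.get("name", "").upper() == SETTING and is_kv_reference(item.get("value")):
                hits.append(res.get("name"))
    return hits

if __name__ == "__main__":
    for name in find_create_time_kv_refs(SAMPLE_TEMPLATE):
        print(f"{name}: {SETTING} is a Key Vault reference at site creation")
```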

@mhoeger - If we are trying to only use ARM templates to accomplish the configuration of the App Function, I am trying to figure out how to update the WEBSITE_CONTENTAZUREFILECONNECTIONSTRING with Key Vault reference after the initial deployment. I tried using this immediately after creating the function app:

{
  "name": "[concat(variables('functionAppName'), '/appsettings')]",
  "type": "Microsoft.Web/sites/config",
  "apiVersion": "2020-09-01",
  "dependsOn": [
    "[concat('Microsoft.Web/sites/', variables('functionAppName'))]"
  ],
  "properties": {
    "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('appServiceStorageAccountKeyId'), '2019-09-01').secretUriWithVersion, ')')]"
  }
}

However, I get this error even though I have a User Assigned Identity associated to the function app and the original creation step successfully created other settings with Key Vault references:

{
  "status": "Failed",
  "error": {
    "code": "BadRequest",
    "message": "Unable to resolve Azure Files Settings from Key Vault. Details: Attempt to resolve AppSettingKey WEBSITE_CONTENTAZUREFILECONNECTIONSTRING resulted with status: MSINotEnabled.",
    "details": [
      {
        "message": "Unable to resolve Azure Files Settings from Key Vault. Details: Attempt to resolve AppSettingKey WEBSITE_CONTENTAZUREFILECONNECTIONSTRING resulted with status: MSINotEnabled."
      },
      {
        "code": "BadRequest"
      },
      {}
    ]
  }
}

What other option do we have?

Figured out my error on applying app settings after function app deployment

Hi, is there an ETA on this issue?
I am deploying a consumption plan based function app and am unable to perform a swap slot due to missing args in the app settings:

Error: BadRequest - Storage access failed. WEBSITE_CONTENTAZUREFILECONNECTIONSTRING or WEBSITE_CONTENTSHARE appsetting is missing (CODE: 400)

What would be the workaround for deploying using yml?
