Microsoft.Azure.WebJobs.Extensions.Storage
cloud
config_error
ai_generated
true
Microsoft.Azure.WebJobs.Extensions.Storage: The value for 'AzureWebJobsStorage' is missing or empty after key rotation
ID: cloud/azure-function-app-storage-connection-string-rotation
90%Fix Rate
85%Confidence
1Evidence
2023-12-05First Seen
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Azure Functions: runtime >= 4.x | active | — | — | — |
| Azure Storage: >= 2019-12-12 | active | — | — | — |
| Azure Portal: latest | active | — | — | — |
Root Cause
Rotating the storage account access key for the Function App's default storage connection causes the 'AzureWebJobsStorage' app setting to become invalid, but the setting itself is not automatically updated by the rotation process.
generic中文
轮换 Function App 默认存储连接的存储帐户访问密钥会导致 'AzureWebJobsStorage' 应用程序设置失效,但轮换过程不会自动更新该设置。
Official Documentation
https://learn.microsoft.com/en-us/azure/azure-functions/functions-app-settings#azurewebjobsstorageWorkarounds
-
95% success Update the 'AzureWebJobsStorage' app setting in the Function App with the new storage account key. Use Azure CLI: 'az functionapp config appsettings set --name <function-app-name> --resource-group <rg> --settings AzureWebJobsStorage="DefaultEndpointsProtocol=https;AccountName=<storage-account>;AccountKey=<new-key>;EndpointSuffix=core.windows.net"'
Update the 'AzureWebJobsStorage' app setting in the Function App with the new storage account key. Use Azure CLI: 'az functionapp config appsettings set --name <function-app-name> --resource-group <rg> --settings AzureWebJobsStorage="DefaultEndpointsProtocol=https;AccountName=<storage-account>;AccountKey=<new-key>;EndpointSuffix=core.windows.net"'
-
85% success Use managed identity instead of access keys for the storage connection; assign the 'Storage Blob Data Contributor' role to the Function App's system-assigned identity and set 'AzureWebJobsStorage__accountName' instead of the connection string.
Use managed identity instead of access keys for the storage connection; assign the 'Storage Blob Data Contributor' role to the Function App's system-assigned identity and set 'AzureWebJobsStorage__accountName' instead of the connection string.
中文步骤
Update the 'AzureWebJobsStorage' app setting in the Function App with the new storage account key. Use Azure CLI: 'az functionapp config appsettings set --name <function-app-name> --resource-group <rg> --settings AzureWebJobsStorage="DefaultEndpointsProtocol=https;AccountName=<storage-account>;AccountKey=<new-key>;EndpointSuffix=core.windows.net"'
Use managed identity instead of access keys for the storage connection; assign the 'Storage Blob Data Contributor' role to the Function App's system-assigned identity and set 'AzureWebJobsStorage__accountName' instead of the connection string.
Dead Ends
Common approaches that don't work:
-
80% fail
Restarting doesn't update the app setting; the connection string is still the old key, so the app continues to fail.
-
95% fail
Overkill; loses all existing data and requires reconfiguring all connections, not just the Function App.
-
30% fail
Common user error; the setting appears updated but isn't persisted, leading to confusion.