{
  "id": "cloud/azure-function-app-storage-connection-string-rotation",
  "signature": "Microsoft.Azure.WebJobs.Extensions.Storage: The value for 'AzureWebJobsStorage' is missing or empty after key rotation",
  "signature_zh": "Microsoft.Azure.WebJobs.Extensions.Storage：密钥轮换后 'AzureWebJobsStorage' 的值缺失或为空",
  "regex": "AzureWebJobsStorage.*missing or empty|Storage.*key rotation.*Function",
  "domain": "cloud",
  "category": "config_error",
  "subcategory": null,
  "root_cause": "Rotating the storage account access key for the Function App's default storage connection causes the 'AzureWebJobsStorage' app setting to become invalid, but the setting itself is not automatically updated by the rotation process.",
  "root_cause_type": "generic",
  "root_cause_zh": "轮换 Function App 默认存储连接的存储帐户访问密钥会导致 'AzureWebJobsStorage' 应用程序设置失效，但轮换过程不会自动更新该设置。",
  "versions": [
    {
      "version": "Azure Functions: runtime >= 4.x",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Azure Storage: >= 2019-12-12",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Azure Portal: latest",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "Restarting doesn't update the app setting; the connection string is still the old key, so the app continues to fail.",
      "fail_rate": 0.8,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Overkill; loses all existing data and requires reconfiguring all connections, not just the Function App.",
      "fail_rate": 0.95,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Common user error; the setting appears updated but isn't persisted, leading to confusion.",
      "fail_rate": 0.3,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Update the 'AzureWebJobsStorage' app setting in the Function App with the new storage account key. Use Azure CLI: 'az functionapp config appsettings set --name <function-app-name> --resource-group <rg> --settings AzureWebJobsStorage=\"DefaultEndpointsProtocol=https;AccountName=<storage-account>;AccountKey=<new-key>;EndpointSuffix=core.windows.net\"'",
      "success_rate": 0.95,
      "how": "Update the 'AzureWebJobsStorage' app setting in the Function App with the new storage account key. Use Azure CLI: 'az functionapp config appsettings set --name <function-app-name> --resource-group <rg> --settings AzureWebJobsStorage=\"DefaultEndpointsProtocol=https;AccountName=<storage-account>;AccountKey=<new-key>;EndpointSuffix=core.windows.net\"'",
      "condition": "",
      "sources": []
    },
    {
      "action": "Use managed identity instead of access keys for the storage connection; assign the 'Storage Blob Data Contributor' role to the Function App's system-assigned identity and set 'AzureWebJobsStorage__accountName' instead of the connection string.",
      "success_rate": 0.85,
      "how": "Use managed identity instead of access keys for the storage connection; assign the 'Storage Blob Data Contributor' role to the Function App's system-assigned identity and set 'AzureWebJobsStorage__accountName' instead of the connection string.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Update the 'AzureWebJobsStorage' app setting in the Function App with the new storage account key. Use Azure CLI: 'az functionapp config appsettings set --name <function-app-name> --resource-group <rg> --settings AzureWebJobsStorage=\"DefaultEndpointsProtocol=https;AccountName=<storage-account>;AccountKey=<new-key>;EndpointSuffix=core.windows.net\"'",
    "Use managed identity instead of access keys for the storage connection; assign the 'Storage Blob Data Contributor' role to the Function App's system-assigned identity and set 'AzureWebJobsStorage__accountName' instead of the connection string."
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://learn.microsoft.com/en-us/azure/azure-functions/functions-app-settings#azurewebjobsstorage",
  "official_doc_section": null,
  "error_code": "Microsoft.Azure.WebJobs.Extensions.Storage",
  "verification_tier": "ai_generated",
  "confidence": 0.85,
  "fix_success_rate": 0.9,
  "resolvable": "true",
  "first_seen": "2023-12-05",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}