# Microsoft.Azure.WebJobs.Extensions.Storage: The value for 'AzureWebJobsStorage' is missing or empty after key rotation - **ID:** `cloud/azure-function-app-storage-connection-string-rotation` - **Domain:** cloud - **Category:** config_error - **Error Code:** `Microsoft.Azure.WebJobs.Extensions.Storage` - **Verification:** ai_generated - **Fix Rate:** 90% ## Root Cause Rotating the storage account access key for the Function App's default storage connection causes the 'AzureWebJobsStorage' app setting to become invalid, but the setting itself is not automatically updated by the rotation process. ## Version Compatibility | Version | Status | Introduced | Deprecated | |---------|--------|------------|------------| | Azure Functions: runtime >= 4.x | active | — | — | | Azure Storage: >= 2019-12-12 | active | — | — | | Azure Portal: latest | active | — | — | ## Workarounds 1. **Update the 'AzureWebJobsStorage' app setting in the Function App with the new storage account key. Use Azure CLI: 'az functionapp config appsettings set --name --resource-group --settings AzureWebJobsStorage="DefaultEndpointsProtocol=https;AccountName=;AccountKey=;EndpointSuffix=core.windows.net"'** (95% success) ``` Update the 'AzureWebJobsStorage' app setting in the Function App with the new storage account key. Use Azure CLI: 'az functionapp config appsettings set --name --resource-group --settings AzureWebJobsStorage="DefaultEndpointsProtocol=https;AccountName=;AccountKey=;EndpointSuffix=core.windows.net"' ``` 2. **Use managed identity instead of access keys for the storage connection; assign the 'Storage Blob Data Contributor' role to the Function App's system-assigned identity and set 'AzureWebJobsStorage__accountName' instead of the connection string.** (85% success) ``` Use managed identity instead of access keys for the storage connection; assign the 'Storage Blob Data Contributor' role to the Function App's system-assigned identity and set 'AzureWebJobsStorage__accountName' instead of the connection string. ``` ## Dead Ends - **** — Restarting doesn't update the app setting; the connection string is still the old key, so the app continues to fail. (80% fail) - **** — Overkill; loses all existing data and requires reconfiguring all connections, not just the Function App. (95% fail) - **** — Common user error; the setting appears updated but isn't persisted, leading to confusion. (30% fail)