Microsoft.Azure.WebJobs.Extensions.Storage:密钥轮换后 'AzureWebJobsStorage' 的值缺失或为空
Microsoft.Azure.WebJobs.Extensions.Storage: The value for 'AzureWebJobsStorage' is missing or empty after key rotation
ID: cloud/azure-function-app-storage-connection-string-rotation
版本兼容性
| 版本 | 状态 | 引入 | 弃用 | 备注 |
|---|---|---|---|---|
| Azure Functions: runtime >= 4.x | active | — | — | — |
| Azure Storage: >= 2019-12-12 | active | — | — | — |
| Azure Portal: latest | active | — | — | — |
根因分析
轮换 Function App 默认存储连接的存储帐户访问密钥会导致 'AzureWebJobsStorage' 应用程序设置失效,但轮换过程不会自动更新该设置。
English
Rotating the storage account access key for the Function App's default storage connection causes the 'AzureWebJobsStorage' app setting to become invalid, but the setting itself is not automatically updated by the rotation process.
官方文档
https://learn.microsoft.com/en-us/azure/azure-functions/functions-app-settings#azurewebjobsstorage解决方案
-
Update the 'AzureWebJobsStorage' app setting in the Function App with the new storage account key. Use Azure CLI: 'az functionapp config appsettings set --name <function-app-name> --resource-group <rg> --settings AzureWebJobsStorage="DefaultEndpointsProtocol=https;AccountName=<storage-account>;AccountKey=<new-key>;EndpointSuffix=core.windows.net"'
-
Use managed identity instead of access keys for the storage connection; assign the 'Storage Blob Data Contributor' role to the Function App's system-assigned identity and set 'AzureWebJobsStorage__accountName' instead of the connection string.
无效尝试
常见但无效的做法:
-
80% 失败
Restarting doesn't update the app setting; the connection string is still the old key, so the app continues to fail.
-
95% 失败
Overkill; loses all existing data and requires reconfiguring all connections, not just the Function App.
-
30% 失败
Common user error; the setting appears updated but isn't persisted, leading to confusion.