Azure Function - securing access to storage account


In my Azure function I'm using IBinder to write files to blob storage. I have connection string in AzureWebJobsStorage containing account name and key. I was planning to change this Function to use Managed Identity and use it to access storage account with it. But it seems that this connection string is used by Azure to store some Function data and I can't change it or remove it. So is there a point in assigning Managed Identity to this Function even if I will still have to keep this connection string?

public async Task<IActionResult> ReceiveEmail(
    [HttpTrigger(AuthorizationLevel.Function, "post")] HttpRequestMessage req,
    IBinder binder,
    [ServiceBus("%responseQueueName%", Connection = "SbConnString")] ICollector<Message> outMessages)
{
    ...
    using (var outputStream = await binder.BindAsync<Stream>(new BlobAttribute(emailFileLocation, FileAccess.Write)))
    {
        await inputStream.CopyToAsync(outputStream);
    }
    // rest of the method (and its return) not shown in the original post
}

On BEST ANSWER

Update:

using (var outputStream = await binder.BindAsync<Stream>(new BlobAttribute("test/20201023.txt", FileAccess.Write) { Connection = "str" }))
{
    await req.Body.CopyToAsync(outputStream);
}
return new OkObjectResult("This is a test.");

str needs to be set as an environment variable.

Locally, you need to set it in the Values section of local.settings.json:

{
  "IsEncrypted": false,
  "Values": {
    "AzureWebJobsStorage": "UseDevelopmentStorage=true",
    "FUNCTIONS_WORKER_RUNTIME": "dotnet",
    "str": "DefaultEndpointsProtocol=https;AccountName=0730bowmanwindow;AccountKey=xxxxxx;EndpointSuffix=core.windows.net"
  }
}

On Azure, it needs to be set in the function app's configuration (application settings).

Original Answer:

Yes, AzureWebJobsStorage is a built-in, required value of Azure Functions. It is used to run some of the triggers. When you deploy the function app to Azure, it is also used to store the function app's data.

You must keep this value, otherwise the function app will break. (You need it to store the function app files, the logs, and many other things.)

So is there a point in assigning Managed Identity to this Function even if I will still have to keep this connection string?

It still makes sense to use a managed identity, because the storage to be processed and the storage used to hold the Function's logs and files are not necessarily the same.

When we want to work with storage, we always need to tell Azure that we have access to a certain resource. The function generally passes basic verification, that is, it provides a connection string. This method is not safe, because the connection string is exposed in the code or configuration. MSI is a good alternative: when basic authentication is not used, we can use MSI to avoid explicitly storing the connection string in the code or configuration.

AzureWebJobsStorage is a built-in value by design and must be provided; it is required for a function app. AzureWebJobsStorage has nothing to do with your use of MSI. Under normal circumstances, we do not access the same storage account. MSI lets us obtain the required permissions on the corresponding storage account through the service principal and RBAC roles.
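The following is an added example, not code from the question or the accepted answer. It keeps the answer's pattern (a named `Connection` on `BlobAttribute`, resolved from app settings) but resolves that name as an identity-based connection, so the blob output binding authenticates with the function app's managed identity and no storage account key appears in configuration. The connection name `BlobStore`, the function name, the container `emails` and the blob-naming scheme are this example's own choices. Identity-based connections require the `Microsoft.Azure.WebJobs.Extensions.Storage.Blobs` 5.x extension (the in-process model is assumed), a managed identity on the function app with the `Storage Blob Data Contributor` role on the target account, and a `BlobStore__blobServiceUri` setting in place of a `BlobStore` connection string.

```csharp
// Added example (not from the question or answer). Writes the request body to a
// blob via IBinder, using a named connection that is resolved as an identity-based
// connection rather than a connection string with an account key.
//
// Assumptions (example's own choices / prerequisites, not stated on the page):
//   * Microsoft.Azure.WebJobs.Extensions.Storage.Blobs 5.x, in-process model.
//   * System-assigned managed identity enabled on the function app and granted
//     "Storage Blob Data Contributor" on the target storage account, e.g.:
//       az role assignment create --assignee <principalId> \
//         --role "Storage Blob Data Contributor" --scope <storage account resource id>
//   * App settings (Azure) or local.settings.json "Values" (local):
//       "BlobStore__blobServiceUri": "https://<account>.blob.core.windows.net"
//     No "BlobStore" connection string is defined at all. Locally there is no
//     managed identity, so the extension falls back to the developer's Azure CLI /
//     Visual Studio sign-in, which needs the same RBAC role.
//   * AzureWebJobsStorage stays configured separately for the host's own use.
using System;
using System.IO;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;

public static class ReceiveEmailIdentityBinding
{
    // Hypothetical connection name; the binding looks up BlobStore__blobServiceUri.
    private const string BlobConnection = "BlobStore";

    [FunctionName("ReceiveEmailIdentityBinding")]
    public static async Task<IActionResult> Run(
        [HttpTrigger(AuthorizationLevel.Function, "post")] HttpRequest req,
        IBinder binder,
        ILogger log)
    {
        if (req.ContentLength.GetValueOrDefault() == 0)
        {
            return new BadRequestObjectResult("Empty request body.");
        }

        // Derive the blob path server-side instead of taking it from the caller,
        // so a crafted request cannot choose where in the account it writes.
        var blobPath = $"emails/{DateTime.UtcNow:yyyyMMdd}/{Guid.NewGuid():N}.eml";

        // Same construct as the answer's Update, but Connection now names an
        // identity-based connection, so the token comes from the managed identity.
        var attribute = new BlobAttribute(blobPath, FileAccess.Write)
        {
            Connection = BlobConnection
        };

        using (var outputStream = await binder.BindAsync<Stream>(attribute))
        {
            await req.Body.CopyToAsync(outputStream);
        }

        log.LogInformation("Stored request body at {BlobPath}", blobPath);
        return new OkObjectResult(new { stored = blobPath });
    }
}
```

A quick check that the key is really gone: with this configuration, `az functionapp config appsettings list` for the app should show `BlobStore__blobServiceUri` and no setting containing `AccountKey=` other than `AzureWebJobsStorage`. If the extension logs an authorization failure on the first write, the usual cause is that the role assignment has not propagated yet or was scoped to the wrong account; the binding itself needs no further changes.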