# Managed Identity
Use system-assigned managed identity for passwordless access to Azure resources from functions.
```mermaid
flowchart TD
    A[Trigger] --> B[Function]
    B --> C[Binding or SDK]
    C --> D[Azure service]
```

## How RBAC Connects Identity to Resources
A managed identity alone does not grant access. Azure RBAC binds three elements into a role assignment:
```mermaid
flowchart TD
    P[Principal<br/>Who: Managed Identity or Service Principal] --> RA[Role Assignment<br/>Unique GUID per binding]
    RD[Role Definition<br/>What: Storage Blob Data Owner, Key Vault Secrets User, etc.] --> RA
    S[Scope<br/>Where: Subscription, Resource Group, or Resource] --> RA
    RA --> ACCESS[Access Granted]
    style RA fill:#f5c542,stroke:#333,color:#000
```

| Element | Question it answers | Example |
|---|---|---|
| Principal | Who needs access? | Function app's managed identity |
| Role Definition | What permission? | Storage Blob Data Owner, Key Vault Secrets User |
| Scope | On which resource? | A specific Storage account, Key Vault, or resource group |
| Role Assignment | The binding itself | Unique GUID — one per (principal + role + scope) combination |
Azure RBAC enforces a uniqueness constraint: only one role assignment can exist for the same (principal, role definition, scope) triple. Attempting to create a duplicate with a different assignment GUID results in a RoleAssignmentExists conflict.
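The triple, the per-binding GUID, the uniqueness constraint and scope inheritance, modelled in a small Python store. This is an added illustration, not Azure's implementation; the subscription ID, resource names and scope strings used in it are constructed.

```python
"""Toy model of Azure RBAC role assignments (added example, not Azure code)."""
import uuid
from dataclasses import dataclass


class RoleAssignmentExists(Exception):
    """Raised when a duplicate (principal, role definition, scope) triple is created."""


@dataclass(frozen=True)
class RoleAssignment:
    principal_id: str       # who: e.g. the function app's managed identity object ID
    role_definition: str    # what: e.g. "Storage Blob Data Owner"
    scope: str              # where: subscription, resource group or resource ID
    assignment_id: str      # the binding's own GUID


class RbacStore:
    """Keeps one assignment per (principal, role, scope) triple, like Azure RBAC."""

    def __init__(self):
        self._by_triple = {}

    def create(self, principal_id, role_definition, scope, assignment_id=None):
        # Scopes are compared case-insensitively; the triple, not the GUID, is the key.
        key = (principal_id, role_definition, scope.lower())
        if key in self._by_triple:
            # A fresh assignment GUID does not help: Azure still reports a conflict.
            raise RoleAssignmentExists(f"RoleAssignmentExists: {key}")
        ra = RoleAssignment(principal_id, role_definition, scope.lower(),
                            assignment_id or str(uuid.uuid4()))
        self._by_triple[key] = ra
        return ra

    def has_role(self, principal_id, role_definition, resource_scope):
        """True if the principal holds the role at the resource or any ancestor scope."""
        target = resource_scope.lower()
        for (p, r, s) in self._by_triple:
            if p != principal_id or r != role_definition:
                continue
            # An assignment applies to its own scope and everything beneath it
            # (subscription -> resource group -> resource), never sideways.
            if target == s or target.startswith(s.rstrip("/") + "/"):
                return True
        return False
```

Assigning at resource-group scope is broader than the page's least-privilege default; prefer the specific resource ID as the scope whenever the function needs only one resource.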
## Topic/Command Groups

### Enable identity
| CLI element | Explanation |
|---|---|
| Command(s) | az functionapp identity assign |
| Key flags | --name, --resource-group |
| Variables | $APP_NAME, $RG |
| Expected result | Azure CLI applies the configuration change; confirm the returned JSON or follow-up query shows the expected value. |
### Access Storage SDK with DefaultAzureCredential

```csharp
using Azure.Identity;      // DefaultAzureCredential
using Azure.Storage.Blobs; // BlobServiceClient

// In Azure the credential chain resolves to the function app's managed identity; no secret is stored.
var credential = new DefaultAzureCredential();
// storageName is the storage account name; authorization comes from the identity's RBAC role on that account.
var blobService = new BlobServiceClient(new Uri($"https://{storageName}.blob.core.windows.net"), credential);
```