How to troubleshoot Azure Storage Blob issues #4346

Open
pejuborg opened this issue Mar 31, 2025 · 2 comments
@pejuborg

pejuborg commented Mar 31, 2025

When deploying a flex consumption app I get the following error:

Created blob uri: https://xxx.blob.core.windows.net/app-package-xxx/released-package.zip
Token Endpoint: http://169.254.255.2:8081/msi/token?api-version=1.0&resource=https://xxx.blob.core.windows.net
Received Token using system assigned identity
Failed to upload because Azure Storage responded with Forbidden : Response status code does not indicate success: 403 (This request is not authorized to perform this operation.)..
Failed to upload blob package to storage account with Error: Response status code does not indicate success: 403 (This request is not authorized to perform this operation.).
Azure.Functions.Cli.Common.CliException: The deployment failed, Please check the printed logs.
   at Azure.Functions.Cli.Actions.AzureActions.PublishFunctionAppAction.PerformFlexDeployment(Site functionApp, Func`1 zipFileFactory, Func`2 deploymentStatusPollTask, IDictionary`2 deploymentParameters) in D:\a\_work\1\s\src\Azure.Functions.Cli\Actions\AzureActions\PublishFunctionAppAction.cs:line 844
   at Azure.Functions.Cli.Actions.AzureActions.PublishFunctionAppAction.HandleFlexConsumptionPublish(Site functionApp, Func`1 zipFileFactory) in D:\a\_work\1\s\src\Azure.Functions.Cli\Actions\AzureActions\PublishFunctionAppAction.cs:line 801
   at Azure.Functions.Cli.Actions.AzureActions.PublishFunctionAppAction.PublishFunctionApp(Site functionApp, GitIgnoreParser ignoreParser, IDictionary`2 additionalAppSettings) in D:\a\_work\1\s\src\Azure.Functions.Cli\Actions\AzureActions\PublishFunctionAppAction.cs:line 584
   at Azure.Functions.Cli.Actions.AzureActions.PublishFunctionAppAction.RunAsync() in D:\a\_work\1\s\src\Azure.Functions.Cli\Actions\AzureActions\PublishFunctionAppAction.cs:line 239
   at Azure.Functions.Cli.ConsoleApp.RunAsync[T](String[] args, IContainer container) in D:\a\_work\1\s\src\Azure.Functions.Cli\ConsoleApp.cs:line 63

How do I troubleshoot this error? Where are the printed logs mentioned in the error?

In the Storage Blob Log I can see that I get an "AuthorizationError" when attempting to store the zip file in the blob. I can see the object id from the managed identity I've configured, but I don't understand why it fails; the identity has been granted the role "Storage Blob Contributor" on the storage account level.

Any pointers are welcome.

@MeesvanStraten

Same problem and situation here, MI correctly configured with RBAC roles and receiving the same errors.

@pejuborg
Author

pejuborg commented Apr 2, 2025

> Same problem and situation here, MI correctly configured with RBAC roles and receiving the same errors.

I may have resolved my issue.
My storage account is configured with disabled public access and access key access.
So, what I did to make this work is this:

  • Create a VNET/Subnet that is delegated to Microsoft.App/environment
  • Add that to the network configuration on my Storage Account
  • Deploy my Flex Consumption App
  • Configure the identity of the app to use a System Assigned Managed Identity
  • Grant the MSI the Storage Blob Contributor role on the storage account
  • Verify that the deployment setting for the app is configured to use the MSI
  • Change the environment variable from AzureWebJobsStorage to AzureWebJobsStorage__accountName

I'm writing this from memory so it may be in the wrong order, or some other mental bug may have snuck in.

Kudos to Vlad for this blog entry: here. It helped quite a bit.

However, some more troubleshooting options would be great to have. Maybe an option to display which options the func azure functionapp publish command will attempt to connect with.
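
An added example, not part of the thread or of Azure Functions Core Tools: a Python preflight that checks the steps listed in the comment above against JSON shaped like Azure CLI output. The sample data, the finding names, the field names and the `SystemAssignedIdentity` value are assumptions, and the role is taken to be the built-in Storage Blob Data Contributor.

```python
# Constructed inputs shaped like the JSON printed by `az storage account show`,
# `az role assignment list` and `az functionapp config appsettings list`.
SUB = "/subscriptions/0000/resourceGroups/rg"
SUBNET = SUB + "/providers/Microsoft.Network/virtualNetworks/vnet/subnets/flex"
STORAGE = {
    "id": SUB + "/providers/Microsoft.Storage/storageAccounts/xxx",
    "allowSharedKeyAccess": False,
    "networkRuleSet": {"defaultAction": "Deny", "virtualNetworkRules": []},
}
ROLES = [{"principalId": "msi-object-id", "roleDefinitionName": "Reader", "scope": SUB}]
SETTINGS = [{"name": "AzureWebJobsStorage", "value": "<connection string>"}]

# Built-in roles that permit blob writes when the caller authenticates with an identity.
BLOB_WRITE_ROLES = {"Storage Blob Data Contributor", "Storage Blob Data Owner"}


def covers(scope, resource_id):
    """True when an RBAC scope is the resource itself or one of its parents."""
    scope, resource_id = scope.rstrip("/").lower(), resource_id.lower()
    return resource_id == scope or resource_id.startswith(scope + "/")


def preflight(storage, roles, settings, principal_id, app_subnet, deploy_auth):
    """Return the checklist items from the thread that this configuration fails."""
    findings = []
    rules = storage.get("networkRuleSet") or {}
    allowed = {r["virtualNetworkResourceId"].lower()
               for r in rules.get("virtualNetworkRules") or []}
    if rules.get("defaultAction") == "Deny" and app_subnet.lower() not in allowed:
        findings.append("subnet-not-allowed")  # storage firewall rejects the app subnet
    if not any(r["principalId"] == principal_id
               and r["roleDefinitionName"] in BLOB_WRITE_ROLES
               and covers(r["scope"], storage["id"]) for r in roles):
        findings.append("no-blob-data-role")  # identity has no blob write role in scope
    if deploy_auth != "SystemAssignedIdentity":  # assumed deployment storage auth value
        findings.append("deployment-not-using-msi")
    names = {s["name"] for s in settings}
    if storage.get("allowSharedKeyAccess") is False and "AzureWebJobsStorage" in names:
        findings.append("connection-string-with-keys-disabled")
    if "AzureWebJobsStorage__accountName" not in names:
        findings.append("missing-accountName-setting")
    return findings


if __name__ == "__main__":
    for item in preflight(STORAGE, ROLES, SETTINGS, "msi-object-id", SUBNET,
                          "StorageAccountConnectionString"):
        print("FAIL", item)
```
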
