Recently I was setting up a test environment in Azure consisting of web apps, function apps and SQL databases, all fully private-networked, and I couldn't get my function apps to work.
I was seeing an error that the host keys wouldn't load.
I had a few suspicions but wanted to make some notes on the troubleshooting steps in case it helps others.
Troubleshooting
1) Is the function app running
For me this is the first thing to check so you understand the basics. Browse to the URL for the function app.
In my case yes, it's up and running, as I can see in the screen below. This is weird, as I expected this would be broken.
2) Is my networking configured and working
In the networking blade for the function app, everything looks good. I have outbound VNet integration configured and an inbound private endpoint.
3) Network Troubleshooter in Diagnostics
In Web Apps the network troubleshooter is better than it is for function apps, which is a small note for the function apps team to improve, but I am not getting any issues reported here.
4) Check Storage Private Endpoint
I can see my private endpoint is configured fine.
5) Check DNS for Storage
I checked my private DNS zone and I have the appropriate records for the storage endpoints, with the private IP address registered.
6) Check App Insights
I'd been struggling by this point as the networking all looked fine. I checked App Insights and I can see there is an error reading the triggers and accessing the blob secrets.
// Application Insights (KQL): newest host traces first; look for the
// "secret"/"blob" and trigger-loading errors near the top
traces
| order by timestamp desc
OMG Moment
At this point it suddenly occurred to me what the obvious problem was. The networking is fine, and I'd focused on that too much because that's the complicated bit. In reality the problem wasn't networking, it was security. I'd set up my function apps to run from a package in the storage account and use a managed identity to access storage over the private VNet. All of the correct settings were in place for this, but I hadn't given the user-assigned managed identity any access to the storage account, so the host could not read the package or the blob containing its secrets.
Solution
The solution was to make my Bicep script deploy the roles below for my user-assigned managed identity. In reality, in my case I think it only needs Storage Blob Data Owner, but depending on the function features I use I'll probably need the others in due course, so I'll add them now.
- ‘Storage Account Contributor’
- ‘Storage Blob Data Owner’
- ‘Storage File Data Privileged Contributor’
- ‘Storage Queue Data Contributor’
- ‘Storage Table Data Contributor’
After making this change the Function App host keys now load fine.
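The role assignments in Bicep, as an added example rather than the post's own script. It assumes the storage account and the user-assigned identity already exist in the same resource group and are passed in by name (`storageAccountName` and `identityName` are parameter names chosen for this example); the role-definition GUIDs are Azure's built-in ones and should be confirmed in your tenant before use.

```bicep
// Added example: grant a user-assigned managed identity the storage roles listed
// above, scoped to the storage account the function app loads its package and
// host keys from. Assumes both resources already exist in this resource group.
param storageAccountName string
param identityName string

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountName
}

resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
  name: identityName
}

// Built-in role definition IDs. These GUIDs are the same in every Azure tenant;
// confirm with: az role definition list --name '<role name>' --query '[].name' -o tsv
var roleDefinitionIds = {
  'Storage Account Contributor': '17d1049b-9a84-46fb-8f53-869881c3d3ab'
  'Storage Blob Data Owner': 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b'
  'Storage File Data Privileged Contributor': '69566ab7-960f-475b-8e7c-b3118f30c6bd'
  'Storage Queue Data Contributor': '974c5e8b-45b9-4653-ba55-5f855dd0fb88'
  'Storage Table Data Contributor': '0a9a7e1f-b9d0-4cc4-a60d-0319b160aebd'
}

// One role assignment per role, scoped to the storage account rather than the
// resource group or subscription. The assignment name must be a GUID that is
// stable across redeployments, so it is derived from scope, principal and role.
resource storageRoleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for role in items(roleDefinitionIds): {
  name: guid(storage.id, identity.id, role.value)
  scope: storage
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', role.value)
    principalId: identity.properties.principalId
    // Setting principalType avoids the failure where a freshly created identity
    // has not yet replicated when the assignment is evaluated.
    principalType: 'ServicePrincipal'
  }
}]
```

Two caveats worth keeping in mind. Storage Account Contributor is a control-plane role and includes `Microsoft.Storage/storageAccounts/listKeys/action`, so any principal holding it can retrieve the account keys and bypass identity-based access entirely; if the only goal is for the host to read its package and manage host keys in blob storage, Storage Blob Data Owner on its own is the least-privilege choice, with the queue and table roles added only for features that use them (for example Durable Functions). Role assignments can also take a few minutes to propagate, so after deploying, check them with `az role assignment list --assignee <principalId> --scope <storageAccountResourceId>` and restart the function app before concluding the fix has not worked.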