in-process blocked by CLI bugs in Cloud Shell

ggailey777 · ggailey777 · commit 54b61f1b0646 · 2025-02-23T09:59:36.000-08:00
diff --git a/articles/azure-functions/create-first-function-cli-csharp.md b/articles/azure-functions/create-first-function-cli-csharp.md
@@ -27,10 +27,12 @@ Before you begin, you must have the following:
 
 + One of the following tools for creating Azure resources:
 
-    + [Azure CLI](/cli/azure/install-azure-cli) [version 2.4](/cli/azure/release-notes-azure-cli#april-21-2020) or later.
+    + [Azure CLI](/cli/azure/install-azure-cli) [version 2.60](/cli/azure/release-notes-azure-cli#november-05-2024) or later.
 
     + The Azure [Az PowerShell module](/powershell/azure/install-azure-powershell) version 5.9.0 or later.
 
++ The [`jq` command line JSON processor](https://jqlang.org/download/), used to parse JSON output, and is also available in Azure Cloud Shell.
+
 You also need an Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio).
 
 [!INCLUDE [functions-install-core-tools](../../includes/functions-install-core-tools.md)]
@@ -133,19 +135,20 @@ To learn more, see [Azure Functions HTTP triggers and bindings](./functions-bind
 
 1. When you're done, use **Ctrl**+**C** and choose `y` to stop the functions host.
 
-[!INCLUDE [functions-create-azure-resources-cli](../../includes/functions-create-azure-resources-cli.md)]
+[!INCLUDE [functions-create-azure-resources-cli](../../includes/functions-create-azure-resources-flex-cli.md)]
 
 4. Create the function app in Azure:
-
-    # [Azure CLI](#tab/azure-cli)
-
+    <!---Replace tabs when PowerShell cmdlets support Flex Consumption plans.
+    ### [Azure CLI](#tab/azure-cli)
+    -->
     ```azurecli
-    az functionapp create --resource-group AzureFunctionsQuickstart-rg --consumption-plan-location <REGION> --runtime dotnet-isolated --functions-version 4 --name <APP_NAME> --storage-account <STORAGE_NAME>
+    userId=$(az identity show --name func-host-storage-user --resource-group AzureFunctionsQuickstart-rg --query 'id' -o tsv)
+    az functionapp create --resource-group AzureFunctionsQuickstart-rg --flexconsumption-location <REGION> --runtime dotnet-isolated --runtime-version 8.0 --assign-identity $userId --deployment-storage-auth-type UserAssignedIdentity --deployment-storage-auth-value $userId  --name <APP_NAME> --storage-account <STORAGE_NAME>
     ```
 
     The [az functionapp create](/cli/azure/functionapp#az-functionapp-create) command creates the function app in Azure.
-
-    # [Azure PowerShell](#tab/azure-powershell)
+    <!---
+    ### [Azure PowerShell](#tab/azure-powershell)
 
     ```azurepowershell
     New-AzFunctionApp -Name <APP_NAME> -ResourceGroupName AzureFunctionsQuickstart-rg -StorageAccount <STORAGE_NAME> -Runtime dotnet-isolated -FunctionsVersion 4 -Location '<REGION>'
@@ -154,10 +157,31 @@ To learn more, see [Azure Functions HTTP triggers and bindings](./functions-bind
     The [New-AzFunctionApp](/powershell/module/az.functions/new-azfunctionapp) cmdlet creates the function app in Azure.
 
     ---
+    -->
+    In this example, replace `<STORAGE_NAME>` with the name of the account you used in the previous step, replace `<REGION>` with your region, and replace `<APP_NAME>` with a globally unique name appropriate to you. The `<APP_NAME>` is also the default DNS domain for the function app.
+
+    This command creates a function app running in your specified language runtime on Linux in the [Flex Consumption Plan](flex-consumption-plan.md), which is free for the amount of usage you incur here. The command also creates an associated Azure Application Insights instance in the same resource group, with which you can monitor your function app and view logs. For more information, see [Monitor Azure Functions](functions-monitoring.md). The instance incurs no costs until you activate it.
+
+## Update application settings
+
+To enable the Functions host to connect to the default storage account using shared secrets, you must replace the `AzureWebJobsStorage` connection string setting with an equivalent setting that uses the user-assigned managed identity to connect to the storage account.
 
-    In the previous example, replace `<STORAGE_NAME>` with the name of the account you used in the previous step, and replace `<APP_NAME>` with a globally unique name appropriate to you. The `<APP_NAME>` is also the default DNS domain for the function app.
+1. Remove the existing `AzureWebJobsStorage` connection string setting:
 
-    This command creates a function app running in your specified language runtime under the [Azure Functions Consumption Plan](consumption-plan.md), which is free for the amount of usage you incur here. The command also creates an associated Azure Application Insights instance in the same resource group, with which you can monitor your function app and view logs. For more information, see [Monitor Azure Functions](functions-monitoring.md). The instance incurs no costs until you activate it.
+    ```azurecli    
+    az functionapp config appsettings delete --name `<APP_NAME>` --resource-group AzureFunctionsQuickstart-rg --setting-names AzureWebJobsStorage 
+    ```
+
+    The [az functionapp config appsettings delete](/cli/azure/functionapp/config/appsettings#az-functionapp-config-appsettings-delete) command removes this setting from your app.
+
+1. Add equivalent settings, with an `AzureWebJobsStorage__` prefix, that define a user-assigned managed identity connection to the default storage account:
+ 
+    ```azurecli
+    clientId=$(az identity show --name func-host-storage-user --resource-group AzureFunctionsQuickstart-rg --query 'clientId' -o tsv)
+    az functionapp config appsettings set --name `<APP_NAME>` --resource-group AzureFunctionsQuickstart-rg --settings AzureWebJobsStorage__accountName=<STORAGE_NAME> AzureWebJobsStorage__credential=managedidentity AzureWebJobsStorage__clientId=$clientId
+    ```
+     
+At this point, the Functions host is able to connect to the storage account securely using managed identities. You can now deploy your project code to the Azure resources
 
 [!INCLUDE [functions-publish-project-cli](../../includes/functions-publish-project-cli.md)]
 
diff --git a/includes/functions-create-azure-resources-flex-cli.md b/includes/functions-create-azure-resources-flex-cli.md
@@ -0,0 +1,106 @@
+---
+author: ggailey777
+ms.service: azure-functions
+ms.topic: include
+ms.date: 11/16/2024
+ms.author: glenga
+---
+
+## Create supporting Azure resources for your function
+
+Before you can deploy your function code to Azure, you need to create these resources:
+
+- A [resource group](../articles/azure-resource-manager/management/overview.md), which is a logical container for related resources.
+- A default [Storage account](../articles/storage/common/storage-account-create.md), which is used by the Functions host to maintain state and other information about your functions. 
+- A [user-assigned managed identity](/azure/active-directory/managed-identities-azure-resources/overview), which the Functions host uses to connect to the default storage account.
+- A function app, which provides the environment for executing your function code. A function app maps to your local function project and lets you group functions as a logical unit for easier management, deployment, and sharing of resources.
+
+Use the following commands to create these items. Both Azure CLI and PowerShell are supported.
+
+1. If you haven't done so already, sign in to Azure:
+
+    <!---Replace the PowerShell examples after we get the Flex support in the Functions cmdlets. 
+    ### [Azure CLI](#tab/azure-cli)-->
+
+    ```azurecli
+    az login
+    ```
+
+    The [az login](/cli/azure/reference-index#az-login) command signs you into your Azure account.
+    <!---
+    ### [Azure PowerShell](#tab/azure-powershell) 
+    ```azurepowershell
+    Connect-AzAccount
+    ```
+
+    The [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) cmdlet signs you into your Azure account.
+
+    ---
+    -->
+
+1. Create a resource group named `AzureFunctionsQuickstart-rg` in your chosen region:
+    <!---
+    ### [Azure CLI](#tab/azure-cli)-->
+    
+    ```azurecli
+    az group create --name AzureFunctionsQuickstart-rg --location <REGION>
+    ```
+ 
+    The [az group create](/cli/azure/group#az-group-create) command creates a resource group. In the above command, replace `<REGION>` with a region near you that supports the Flex Consumption plan. Use an available region code returned from the [az functionapp list-flexconsumption-locations](/cli/azure/functionapp#az-functionapp-list-flexconsumption-locations) command.
+    <!---
+    ### [Azure PowerShell](#tab/azure-powershell)
+
+    ```azurepowershell
+    New-AzResourceGroup -Name AzureFunctionsQuickstart-rg -Location <REGION>
+    ```
+
+    The [New-AzResourceGroup](/powershell/module/az.resources/new-azresourcegroup) command creates a resource group. You generally create your resource group and resources in a region near you, using an available region returned from the [Get-AzLocation](/powershell/module/az.resources/get-azlocation) cmdlet.
+
+    ---
+    -->
+
+1. Create a general-purpose storage account in your resource group and region:
+    <!---
+    ### [Azure CLI](#tab/azure-cli)
+    -->
+    ```azurecli
+    az storage account create --resource-group AzureFunctionsQuickstart-rg --sku Standard_LRS --allow-blob-public-access false --allow-shared-key-access false --name <STORAGE_NAME> --location <REGION> 
+    ```
+
+    This [az storage account create](/cli/azure/storage/account#az-storage-account-create) command creates a storage account. 
+    <!---
+    ### [Azure PowerShell](#tab/azure-powershell)
+
+    ```azurepowershell
+    New-AzStorageAccount -ResourceGroupName AzureFunctionsQuickstart-rg -Name <STORAGE_NAME> -SkuName Standard_LRS -Location <REGION> -AllowBlobPublicAccess $false
+    ```
+
+    The [New-AzStorageAccount](/powershell/module/az.storage/new-azstorageaccount) cmdlet creates the storage account.
+
+    ---
+    -->
+    In this example, replace `<STORAGE_NAME>` with a name that is appropriate to you and unique in Azure Storage. Names must contain three to 24 characters numbers and lowercase letters only. `Standard_LRS` specifies a general-purpose account, which is [supported by Functions](../articles/azure-functions/storage-considerations.md#storage-account-requirements). This new account can only be accessed by using Micrososft Entra-authenticated identities that have been granted permissions to specific resources. 
+
+1. Create a user-assigned managed identity, then capture and parse the returned JSON properties of the object using `jq`: 
+
+    ```azurecli
+    # Create a user-assigned managed identity.
+    output=$(az identity create --name func-host-storage-user --resource-group AzureFunctionsQuickstart-rg --location <REGION> --query "{userId:id, principalId: principalId, clientId: clientId}" -o json)
+    
+    # Use jq to parse the JSON and assign the properties to variables.
+    userId=$(echo $output | jq -r '.userId')
+    principalId=$(echo $output | jq -r '.principalId')
+    clientId=$(echo $output | jq -r '.clientId')
+    ```
+
+    If you don't have the `jq` utility in your local Bash shell, it's available in Azure Cloud Shell. The [az identity create](/cli/azure/identity#az-identity-create) command creates a new identity in the resource group named `func-host-storage-user`. The returned `principalId` is used to assign permissions to this new identity in the default storage account by using the [`az role assignment create`](/cli/azure/role/assignment#az-role-assignment-create) command. The [`az storage account show`](/cli/azure/storage/account#az-storage-account-show) command is used to obtain the storage account ID. 
+
+1. Grant to the new identity the required access in the default storage account by using the built-in `Storage Blob Data Owner` role:
+
+    ```azurecli
+    # Get the storage ID and create a role assignment (Storage Blob Data Owner) for the UAMI in storage.
+    storageId=$(az storage account show --resource-group AzureFunctionsQuickstart-rg --name <STORAGE_NAME> --query 'id' -o tsv)
+    az role assignment create --assignee-object-id $principalId --assignee-principal-type ServicePrincipal --role "Storage Blob Data Owner" --scope $storageId
+    ```
+
+    In this example, replace `<STORAGE_NAME>` and `<REGION>` with your default storage account name and region, respectively. 
