0

Just for reference I am coming from AWS so any comparisons would be welcome.

I need to create a function which detects when a blob is placed into a storage container and then downloads the blob to perform some actions on the data in it.

I have created a storage account with a container in, and a function app with a python function in it. I have then set up a event grid topic and subscription so that blob creation events trigger the event. I can verify that this is working. This gives me the URL of the blob which looks something like https://<name>.blob.core.windows.net/<container>/<blob-name>. However then when I try to download this blob using BlobClient I get various errors about not having the correct authentication or key. Is there a way in which I can just allow the function to access the container in the same way that in AWS I would give a lambda an execution role with S3 permissions, or do I need to create some key to pass through somehow?

Edit: I need this to run ASAP when the blob is put in the container so as far as I can tell I need to use EventGrid triggers not the normal blob triggers

Improve this question
3
  • There are two choices: 1) Your function app can have an identity to which you assign RBAC roles. 2) You give a key giving access to the storage account to your function app. Commented Jan 24, 2023 at 15:18
  • are you using the Azure Python SDK? Did you configure your BlobClient with the correct connection string? Commented Jan 24, 2023 at 15:18
  • @Oxymoron yes using the azure python SDK, I have tried using the key from the storage account however that gave errors about incorrect hmac I believe so either there was something else I was missing or I used the wrong key? Commented Jan 24, 2023 at 15:27

2 Answers 2

Reset to default
2

I need to create a function which detects when a blob is placed into a storage container and then downloads the blob to perform some actions on the data in it.

This can be achieved by using an Azure Blob storage trigger for Azure Functions.

The Blob storage trigger starts a function when a new or updated blob is detected. The blob contents are provided as input to the function.

This last sentence, "The blob contents are provided as input to the function", means the blob can be an input parameter to the Function. This way, there's no (or less) need for you to download it manually.

Is there a way in which I can just allow the function to access the container in the same way that in AWS I would give a lambda an execution role with S3 permissions

Have a look at Using Managed Identity between Azure Functions and Azure Storage.

EDIT

I have understood correctly the normal blob trigger can have up to 10 minutes of delay?

This is correct, a Blob trigger could have up to 10 minutes of delay before it actually triggers the Function. The second part of the answer still stands, though.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

sorry I should specify I have to use event grid due to the timing constraints and if I have understood correctly the normal blob trigger can have up to 10 minutes of delay?
thank you I will take a look and get back to you
-1

The answer lied somewhere between @rickvdbosch's answer and Abdul's comment. I first had to assign an identity to the function giving it permission to access the storage account. Then I was able to use the azure.identity.DefaultAzureCredential class to automatically handle the credentials for the BlobClient

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.