This is going to be a sweet and short blog post on programmatically setting up a System-Assigned Managed Identity on an Azure Function App and assigning the appropriate permissions.
On an authenticated PowerShell session - I love to use Cloud Shell, either on my Windows Terminal or in the Azure Portal, type the following:
Update-AzFunctionApp -Name <YourFunctionAppName> -ResourceGroupName <YourResourceGroup> -IdentityType SystemAssigned Connect-AzureAD $managedIdentityId = (Get-AzureADServicePrincipal -SearchString '<yourFunctionAppName>').ObjectId New-AzRoleAssignment -ObjectId $managedIdentityId -RoleDefinitionName "Contributor" -Scope "/subscriptions/<YourSubscriptionId"
What does this script do? Let's take it step by step
First we configure the Azure Function App to use a Managed Identity
Next, we retrieve the Managed Identity
ObjectID. This is required by the next statement so that we can assign the appropriate RBAC role. The last line assigns the Contributor role to the Managed Identity with the Subscription being the scope. You can reduce scope to a resource group or specific resources instead if that's what you need.
Reminder: System-Assigned Managed Identities are tied to the Resource that were created. As such, if that resource gets deleted, the Managed Identity will deleted with it
As promised, short and sweet