1# Aspire + Azure Functions: Secret Storage Validation
2 
3> ⚠️ **Pre-provisioning check** — Run this BEFORE `azd provision`.
4 
5## When This Applies
6 
7This check is required when **all** of these are true:
8 
9| Condition | How to detect |
10|-----------|--------------|
11| .NET Aspire project | `*.AppHost.csproj` exists or `Aspire.Hosting` package reference |
12| Azure Functions component | `AddAzureFunctionsProject` call in `AppHost.cs` or `Program.cs` |
13| Identity-based storage | `WithHostStorage` call (Aspire default) |
14 
15## Detection
16 
17Search for `AddAzureFunctionsProject` in the AppHost source file(s):
18 
19```bash
20grep -rn "AddAzureFunctionsProject" . --include="*.cs"
21```
22 
23**PowerShell:**
24```powershell
25Get-ChildItem -Recurse -Filter "*.cs" | Select-String "AddAzureFunctionsProject" -List
26```
27 
28If found, check whether `AzureWebJobsSecretStorageType` is already configured in those same file(s):
29 
30```bash
31# Check only the AppHost file(s) that contain AddAzureFunctionsProject
32find . -name "*.cs" -path "*AppHost*" -print0 | xargs -0 grep -l "AddAzureFunctionsProject" 2>/dev/null | xargs grep -l "AzureWebJobsSecretStorageType"
33```
34 
35**PowerShell:**
36```powershell
37Get-ChildItem -Recurse -Filter "*.cs" |
38  Where-Object { $_.FullName -match "AppHost" } |
39  Select-String "AddAzureFunctionsProject" -List |
40  ForEach-Object { Select-String "AzureWebJobsSecretStorageType" -Path $_.Path }
41```
42 
43**If `AddAzureFunctionsProject` is present but `AzureWebJobsSecretStorageType` is NOT configured in the same file → fix is required.**
44 
45## Fix
46 
47Add `.WithEnvironment("AzureWebJobsSecretStorageType", "Files")` to the Azure Functions project builder chain in the AppHost source file that contains the `AddAzureFunctionsProject` call (often `Program.cs` in the `*.AppHost` project).
48 
49### Before
50 
51```csharp
52var functions = builder.AddAzureFunctionsProject<Projects.MyFunctions>("functions")
53    .WithHostStorage(storage)
54    .WithReference(queues);
55```
56 
57### After
58 
59```csharp
60var functions = builder.AddAzureFunctionsProject<Projects.MyFunctions>("functions")
61    .WithHostStorage(storage)
62    .WithEnvironment("AzureWebJobsSecretStorageType", "Files")
63    .WithReference(queues);
64```
65 
66> 💡 **Tip:** Place `.WithEnvironment(...)` immediately after `.WithHostStorage(...)` for clarity.
67 
68## Why This Is Required
69 
70Azure Functions needs storage for managing host secrets/keys (function keys, host keys, master key). By default, it stores them as blobs in the `AzureWebJobsStorage` account.
71 
72When Aspire configures identity-based storage access (via `WithHostStorage`), it sets URI-based environment variables like `AzureWebJobsStorage__blobServiceUri` instead of a connection string. The Functions runtime's secret manager does **not** support these identity-based URIs — it requires either a connection string or SAS token.
73 
74Setting `AzureWebJobsSecretStorageType=Files` switches the Functions host to file-system-based key storage, bypassing the blob storage dependency for secrets.
75 
76## Error Without This Setting
77 
78```
79System.InvalidOperationException: Secret initialization from Blob storage failed
80due to missing both an Azure Storage connection string and a SAS connection URI.
81For Blob Storage, please provide at least one of these.
82```
83 
84## When This Check Does NOT Apply
85 
86| Scenario | Why |
87|----------|-----|
88| Aspire project without Azure Functions | No Functions secret manager involved |
89| Standalone Azure Functions (not Aspire) | Uses connection string by default |
90| Functions with explicit connection string | `AzureWebJobsStorage` is a full connection string, not identity-based |
91| `AzureWebJobsSecretStorageType` already set | Configuration is already present |
92