Post
Ask Question

Access Key Vault Secret In Function App

Introduction

This article is about how to reference a secret value from key vault into a Function App in the Azure Portal

Description

Generally in local development, we refer the secret value from the key vault using Nuget package manager and place it in appsettings.json or some other JSON file but for security reasons, it is not recommended to place it in JSON file instead refer it from configuration in azure portal. In this blog, we will see how to refer a secret from key vault into a function app.

Steps

  • Publish the function app in Azure portal
  • Generally, when referring key value pairs from configuration, the configuration added in launchSettings.json file is picked up in local development whereas in production or when running function app in azure portal, if we want to access the configuration value from key vault, Please follow the below steps.
     
    • Navigate to the Function App in Azure Portal and search for Identity, Select identity from left
    • There will be two tabs on right, System Assigned and User Assigned. Select System Assigned
    • Enable the Status to ON, This will enable the System assigned manage identity. Click on Save
    • Click Yes on Enable system Assigned managed Identity. Now your FunctionApp is registered with Azure Active Directory. This allows your FunctionApp to access resources protected by Azure Active Directory. Now resources like key vault can be accessed from this azure function app.
    • At this point, a unique ID is assigned to the function app. Copy the Object (principal) ID
    • Navigate to KeyVault in Azure portal. Select Access Policies -> Add Access Policy -> From the Secret Permissions list -> Select "GET" and "LIST"
    • Click on none selected beside the Select principal text
    • In Select a principal window on right. Paste the ID of the function app which we have selected in step e. or type the name of the function app which needs access to key vault
    • Click on Select -> Select Add. This will add 2 secret permissions to the KeyVault
    • Now navigate to the KeyVault secret that you want to access in the Function App
    • Select the secret -> tap the Current Version -> Copy the secret identifier mentioned something like https://xxxx.vault.azure.net/secrets/secretname/id
    • Navigate back to the function app -> Type configuration in search box -> New Application Setting -> Add the same name which is same as in your local configuration file -> Type the value as @Microsoft.KeyVault(SecretUri=https://xxxx.vault.azure.net/secrets/secretname/id)

Note
Here, replace the secretUri value with the secret identifier we have copied in the second last step. Click on OK. If everything is right, then a Green correct symbol is displayed next to the value.