3
votes

I have a Function App with Managed service identity (MSI) enabled.

I'm trying to use this Function App to access a secret from my Key Vault.

I have added the code into my Function App to retrieve the secret.

```csharp
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

// Obtains tokens from the Function App's managed service identity (MSI).
AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();

// Key Vault client that authenticates with the MSI-issued token.
var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

// Fails with "Access denied" until the vault's access policy includes this identity.
var secret = await keyVaultClient.GetSecretAsync("https://test-prototype-vault.vault.azure.net/secrets/batman/guidhere").ConfigureAwait(false);
```

I receive the following error:

Microsoft.Azure.WebJobs.Script: One or more errors occurred. Microsoft.Azure.KeyVault: Access denied.

I think this is because I need to (as described in the link above).

You may need to configure the target resource to allow access from your application. For example, if you request a token to Key Vault, you need to make sure you have added an access policy that includes your application's identity.

I don't know how to do that. I have gone to my Key Vault and tried to add an Access Policy - I can't find the application to Select Principal option.


Setup of Azure Function.


What happens when I try to add the principal.


1 Answer

4
votes

This blog has details, but you need to go into Key Vault and give the function app access to secrets in a new access policy:

https://medium.com/@jeffhollan/getting-key-vault-secrets-in-azure-functions-37620fd20a0b

The name of your function app should show in the list of users.
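The same fix done from the command line, as an added example that is not part of the answer or the linked blog post. It assumes the Az PowerShell module with an existing Connect-AzAccount session; the resource group and function app names are placeholders, and the vault name is taken from the secret URL in the question.

```powershell
# Added example (not from the question or the linked post): grant the Function
# App's system-assigned identity 'get' on secrets, then verify the policy.
# Assumes the Az module, a signed-in session, and placeholder resource names.
param(
    [string]$ResourceGroup = 'rg-placeholder',      # placeholder
    [string]$FunctionApp   = 'func-placeholder',    # placeholder
    [string]$VaultName     = 'test-prototype-vault' # from the question's URL
)

# 1. Read the object (principal) id of the app's managed identity. This is the
#    id the access policy must reference; if it is empty, MSI is not enabled.
$app = Get-AzWebApp -ResourceGroupName $ResourceGroup -Name $FunctionApp
$principalId = $app.Identity.PrincipalId
if (-not $principalId) { throw "Managed identity is not enabled on $FunctionApp" }

# 2. Access policies only apply when the vault uses the access-policy model.
$vault = Get-AzKeyVault -VaultName $VaultName
if ($vault.EnableRbacAuthorization) {
    throw "$VaultName uses Azure RBAC; assign the 'Key Vault Secrets User' role instead"
}

# 3. Add the policy. Grant only what GetSecretAsync needs ('get'); add 'list'
#    only if the app actually enumerates secrets.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $principalId -PermissionsToSecrets get

# 4. Verify the policy landed on the right identity with the right permission.
$policy = (Get-AzKeyVault -VaultName $VaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $principalId }
if (-not $policy -or $policy.PermissionsToSecrets -notcontains 'get') {
    throw "Access policy for $principalId was not applied to $VaultName"
}
"Identity $principalId can now read secrets from $VaultName"
```

After this the portal's Select Principal search should also list the function app by name, since it searches the same object id.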