1 vote

I am trying to access key vault secret from Timer Triggered Powershell Azure function app using the below steps.

  1. Created TimerTrigger Powershell Function app.
  2. Registered function app with AD app in Express Mode.
  3. Enabled Managed Service Identity in function App.
  4. Created KeyVault in the same resource group and added function app under keyvault access policies.
  5. Created a new secret under keyvault secrets.
  6. Used below code to access keyvault in function app.

    # Requires an authenticated AzureRM session (Login-AzureRmAccount) before it will work
    $NewTestSecret = Get-AzureKeyVaultSecret -VaultName FunctionAppTestKeyVault -Name TestSecret

    # SecretValueText exposes the secret as plain text; it will appear in the function log
    $NewTestSecretValue = $NewTestSecret.SecretValueText

    Write-Output $NewTestSecretValue

Getting the below errors. Not sure what additional steps I am missing. Any responses are really appreciated.

    CategoryInfo : InvalidOperation: (:) [Get-AzureKeyVaultSecret], PSInvalidOperationException
    FullyQualifiedErrorId : InvalidOperation,Microsoft.Azure.Commands.KeyVault.GetAzureKeyVaultSecret
    2018-04-14T17:45:00.709 [Error] Exception while executing function: Functions.TimerTriggerTestPowershell1. Microsoft.Azure.WebJobs.Script: PowerShell script error. Microsoft.Azure.Commands.ResourceManager.Common: Run Login-AzureRmAccount to login.

Error says you need to login using Login-AzureRmAccount. Have you done that? – Shawn Tabrizi

2 Answers

1 vote

I am trying to access key vault secret from Timer Triggered Powershell Azure function app using the below steps.

If you want to use the Get-AzureKeyVaultSecret command, you need to run Login-AzureRmAccount before that.

By default, Login-AzureRmAccount does an interactive login, which won't work in an Azure Function. Instead, you'll need to log in using a Service Principal, e.g.

    # $pscredential holds the service principal's application id (user name) and client secret (password);
    # -ApplicationId must be the service principal's application id
    Connect-AzureRmAccount -ServicePrincipal -ApplicationId "http://my-app" -Credential $pscredential -TenantId $tenantid

You could get more info from here. You also need to authorize the application to use the key or secret.

Another way:

You also could use the MSI function to do that. We could get the access code from this document. You also need to add the permission to let the Azure Function access the Key Vault. For more detailed steps, you could refer to this guide.

Demo code:

    $vaultName = "Your key vault name"
    $vaultSecretName = "your secret name"

    # MSI_ENDPOINT and MSI_SECRET are injected by App Service once the managed identity is enabled;
    # exchange the secret for an access token scoped to Key Vault
    $tokenAuthURI = $Env:MSI_ENDPOINT + "?resource=https://vault.azure.net&api-version=2017-09-01"
    $tokenResponse = Invoke-RestMethod -Method Get -Headers @{"Secret"="$env:MSI_SECRET"} -Uri $tokenAuthURI
    $accessToken = $tokenResponse.access_token

    # Call the Key Vault data plane with the bearer token; the identity needs 'Get' on secrets in the access policy
    $headers = @{ 'Authorization' = "Bearer $accessToken" }
    $queryUrl = "https://$vaultName.vault.azure.net/secrets/" + $vaultSecretName + "?api-version=2016-10-01"

    $keyResponse = Invoke-RestMethod -Method GET -Uri $queryUrl -Headers $headers
    # The secret's plain-text value is in $keyResponse.value
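The demo code above shows the happy path only. The following is an added example, not part of the original answer, that wraps the same two-step MSI flow (token from the MSI endpoint, then the Key Vault REST call) in a function with the checks a function author would want: it fails with a clear message when the identity is not enabled, when the token request fails, or when the vault refuses the call, and it returns the secret as a SecureString rather than writing it to the function log. The function and parameter names are assumptions; the endpoint version and URLs are the ones used in the answer.

```powershell
# Added example (not from the original answer): fetch a Key Vault secret through the
# App Service managed identity endpoint, with the checks the demo code above skips.
# Assumes the same 2017-09-01 MSI endpoint used in the answer; names are placeholders.
function Get-KeyVaultSecretViaMsi {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $SecretName
    )

    # The endpoint and header secret exist only when the managed identity is enabled on the app.
    if (-not $env:MSI_ENDPOINT -or -not $env:MSI_SECRET) {
        throw "MSI_ENDPOINT / MSI_SECRET are not set; enable the managed identity on the Function App."
    }

    # Step 1: exchange the MSI secret for an access token scoped to Key Vault.
    $tokenUri = "$($env:MSI_ENDPOINT)?resource=https://vault.azure.net&api-version=2017-09-01"
    try {
        $tokenResponse = Invoke-RestMethod -Method Get -Uri $tokenUri `
            -Headers @{ 'Secret' = $env:MSI_SECRET } -ErrorAction Stop
    } catch {
        throw "Token request to the MSI endpoint failed: $($_.Exception.Message)"
    }
    if (-not $tokenResponse.access_token) {
        throw "MSI endpoint returned no access_token."
    }

    # Step 2: call the Key Vault data plane. A 403 here means the identity has no
    # 'Get' permission on secrets in the vault's access policy (step 4 of the question).
    $encodedName = [uri]::EscapeDataString($SecretName)
    $secretUri = "https://$VaultName.vault.azure.net/secrets/$encodedName?api-version=2016-10-01"
    try {
        $secretResponse = Invoke-RestMethod -Method Get -Uri $secretUri `
            -Headers @{ 'Authorization' = "Bearer $($tokenResponse.access_token)" } -ErrorAction Stop
    } catch {
        throw "Key Vault request failed (check the access policy and secret name): $($_.Exception.Message)"
    }

    # Return a SecureString so the value does not land in the function log by accident.
    return (ConvertTo-SecureString -String $secretResponse.value -AsPlainText -Force)
}

# Usage inside run.ps1 (constructed placeholder names):
# $secret = Get-KeyVaultSecretViaMsi -VaultName 'FunctionAppTestKeyVault' -SecretName 'TestSecret'
# Write-Output "Fetched secret of length $($secret.Length)"   # log the length, never the value
```

The two `throw` sites distinguish an identity problem (token step) from an authorization problem (vault step), which is the first thing to check when the function reports a generic error like the one in the question.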


1 vote

Thank you all for the responses. Along with implementing MSI in the function app, I used the below code to get the keyvault secret from the Powershell function app using a thumbprint certificate.

    # Non-interactive login as the service principal using a certificate loaded into the function app;
    # the masked values are the certificate thumbprint, tenant id and application id
    Add-AzureRmAccount -CertificateThumbprint "***********" -Tenant "*********" -ServicePrincipal -ApplicationId "**********"

    $secret = Get-AzureKeyVaultSecret -VaultName "testkeyvault" -Name "testSecret"

    # SecretValueText is the plain-text value; it will appear in the function log
    Write-Output $secret.SecretValueText

Also, the WEBSITE_LOAD_CERTIFICATES app setting has to be added under application settings in order to load the certificates into the function app.
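The WEBSITE_LOAD_CERTIFICATES step is the one most often missed, and when it is, the login fails with the same unhelpful "Run Login-AzureRmAccount" error from the question. The following is an added example, not code from the original answer, that checks the certificate is actually present and usable before attempting the service principal login, and that keeps the retrieved secret as a SecureString instead of writing it out. It assumes App Service loads the listed certificates into the CurrentUser\My store, uses the AzureRM cmdlets as the answer does, and the function names and the SP_* app setting names are placeholders.

```powershell
# Added example (not from the original answer): verify the certificate named by
# WEBSITE_LOAD_CERTIFICATES is loaded before the service principal login, so a missing
# or expired certificate produces a clear message rather than "Run Login-AzureRmAccount".
# Thumbprint, tenant id and application id are placeholders supplied via app settings.
function Connect-KeyVaultWithCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ApplicationId
    )

    # App Service loads the certificates listed in WEBSITE_LOAD_CERTIFICATES into the
    # CurrentUser\My store of the sandbox; without the setting nothing is loaded.
    if (-not $env:WEBSITE_LOAD_CERTIFICATES) {
        throw "WEBSITE_LOAD_CERTIFICATES app setting is not configured."
    }
    $cert = Get-ChildItem -Path "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert) {
        throw "Certificate $Thumbprint is not loaded; check WEBSITE_LOAD_CERTIFICATES and the uploaded certificate."
    }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key; it cannot be used for service principal login."
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $Thumbprint expired on $($cert.NotAfter)."
    }

    # Non-interactive login as the service principal (AzureRM module, as in the answer).
    Add-AzureRmAccount -ServicePrincipal -CertificateThumbprint $Thumbprint `
        -ApplicationId $ApplicationId -TenantId $TenantId -ErrorAction Stop | Out-Null
}

function Get-SecretFromVault {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $SecretName
    )
    $secret = Get-AzureKeyVaultSecret -VaultName $VaultName -Name $SecretName -ErrorAction Stop
    # Return the SecureString; a caller that really needs plain text reads SecretValueText
    # itself, so this helper never writes the value into the function log.
    return $secret.SecretValue
}

# Usage in run.ps1 with values read from app settings (constructed setting names):
# Connect-KeyVaultWithCertificate -Thumbprint $env:SP_CERT_THUMBPRINT -TenantId $env:SP_TENANT_ID -ApplicationId $env:SP_APP_ID
# $value = Get-SecretFromVault -VaultName 'testkeyvault' -SecretName 'testSecret'
```

Keeping the thumbprint, tenant and application id in app settings rather than in run.ps1 means the function code carries no credential material, and the private key itself never leaves the certificate store.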