2
votes

What am I doing wrong trying to set the following in my Functions v2 app settings?

@Microsoft.KeyVault(SecretUri=<uri>)

Reading this inside the function I get the full string out and not the connection string from the key vault as I expected.

var config = new ConfigurationBuilder()
    .SetBasePath(context.FunctionAppDirectory)
    .AddJsonFile("local.settings.json", optional: true, reloadOnChange: true)
    .AddEnvironmentVariables()
    .Build();

var value = config["cstring"];
var connectionString = Environment.GetEnvironmentVariable("cstring");

log.Info(value); // Prints "@Microsoft.KeyVault(SecretUri=<uri>)"
log.Info(connectionString); // Prints "@Microsoft.KeyVault(SecretUri=<uri>)"

Do I need to take more steps?

The function has an MSI which has access to the key vault.

Multiple tutorials online make this seem so easy and working out of the box.


2 Answers

3
votes

After enabling the MSI for Azure Function, I went into my key vault and added an access policy so my Azure Function app had permissions to read secrets. The feature should work for all versions of Azure Functions hosted in Azure. It will not work locally.

So go to your Azure Key Vault, add the MSI principal to it, and give it the Get permission for secrets.


For more details, you could refer to this article and this issue.

0
votes

Let me extend Joey Cai's answer, which was really helpful and saved my day last time, with an addition.

In application settings I have used the following settings:

{
    "name": "asset_name",
    "value": "@Microsoft.KeyVault(SecretUri=[KEY_VAULT_URL])",
    "slotSetting": false
}

A few months ago, after enabling MSI and waiting, the option just worked fine on my end, but today I needed to additionally restart the Azure Function after several hours - approximately half a day - which helped to resolve the value for the setting below:

@Microsoft.KeyVault(SecretUri=[KEY_VAULT_URL])

After all, the configuration just worked fine to pick the value up from the created key vault.

For enabling MSI in the developed Azure Function:

  1. Go to Platform Features' Networking section Identity:

    Network - Identity

  2. Then turn on the status for system or assigned identity:

    MSI - Enable

I hope this helps whoever is struggling with the same issue next time, just like me. :)
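
A startup check for the symptom described in the question and both answers, where a setting still holds the literal `@Microsoft.KeyVault(...)` text because the reference was not resolved (running locally, missing Get permission, or the app not yet restarted). This is an added example, not code from the question or the answers; the class and method names are hypothetical, and the sample settings are constructed. It reports setting names only, so neither the reference nor a resolved connection string ends up in the logs.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Extensions.Configuration;

public static class KeyVaultReferenceGuard
{
    // A value that still starts with this text was not resolved by the platform.
    private const string Prefix = "@Microsoft.KeyVault(";

    private static bool IsReference(string value) =>
        value != null && value.TrimStart().StartsWith(Prefix, StringComparison.OrdinalIgnoreCase);

    // Names (never values) of settings that still hold the literal reference.
    public static List<string> FindUnresolved(IConfiguration config) =>
        config.AsEnumerable().Where(kv => IsReference(kv.Value)).Select(kv => kv.Key).ToList();

    // Fail fast instead of passing the reference text on as a connection string.
    public static string GetRequiredSecret(IConfiguration config, string name)
    {
        var value = config[name];
        if (string.IsNullOrWhiteSpace(value))
            throw new InvalidOperationException($"Setting '{name}' is missing.");
        if (IsReference(value))
            throw new InvalidOperationException(
                $"Setting '{name}' is an unresolved Key Vault reference; check the " +
                "app's identity and its Get permission on secrets, then restart the app.");
        return value;
    }

    public static void Main()
    {
        // Constructed sample settings; <uri> is the page's placeholder.
        var config = new ConfigurationBuilder()
            .AddInMemoryCollection(new Dictionary<string, string>
            {
                ["cstring"] = "@Microsoft.KeyVault(SecretUri=<uri>)",
                ["other"] = "plain-value",
            })
            .Build();

        foreach (var name in FindUnresolved(config))
            Console.WriteLine($"Unresolved Key Vault reference in setting: {name}");
    }
}
```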