3
votes

As I understand it, so long as I set up grants to Key Vault, my function should be able to read from it by using

@Microsoft.KeyVault(SecretUri=MYSECRETFULLURL), and I assume this would be transformed at run-time?

Any idea how I would debug this?

Currently, what's getting to my function is the above, with nothing transformed.

Running as system-managed.

If I debug, this is all I get:


However, I can see in my audit on Azure Key Vault that it's being hit.

    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Http;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.Azure.WebJobs;
    using Microsoft.Azure.WebJobs.Extensions.Http;
    using Microsoft.Extensions.Logging;

    public static async Task<IActionResult> Run(
        [HttpTrigger(AuthorizationLevel.Function, "post", Route = null)] HttpRequest req,
        ILogger log)
    {
        // Both app settings are configured as Key Vault references
        var accountToMoveFrom = System.Environment.GetEnvironmentVariable("accountToMonitor");
        log.LogCritical(accountToMoveFrom);
        var accessToken = System.Environment.GetEnvironmentVariable("accessToken");

        // Return added so the method compiles; the rest of the body was not in the question
        return new OkResult();
    }

1 Answer

2
votes

Adding the final resolution:

Make sure you do not have the "authorized application" or applicationId settings configured.

From the documentation

Create an access policy in Key Vault for the application identity you created earlier. Enable the "Get" secret permission on this policy. Do not configure the "authorized application" or applicationId settings, as this is not compatible with a managed identity.

Note: Does your code actually work? Logging the value of a key is intercepted and is displayed as

@Microsoft.KeyVault(SecretUri=MYSECRETFULLURL) 

in logs to avoid sensitive configuration from KeyVault ending up in log files that may reach a wider audience.

It works fine as per the docs (extract below); also double-check that you have:

  • Managed Service Identity (MSI) configured on the function app
  • Restarted your function app after adding the function's app setting
  • The function's MSI is given access to the relevant Key Vault, not on the management plane but on the access policies.


  • If you are running/debugging locally in Visual Studio, you need to give the account signed in to Visual Studio rights on the Key Vault, because that is the identity presented.

Sourcing Application Settings from Key Vault The Key Vault references feature makes it so that your app can work as if it were using App Settings as they have been, meaning no code changes are required. You can get all of the details from our Key Vault reference documentation, but I’ll outline the basics here.

This feature requires a system-assigned managed identity for your app. Later in this post I’ll be talking about user-assigned identities, but we’re keeping these previews separate for now.

You’ll then need to configure an access policy on your Key Vault which gives your application the GET permission for secrets. Learn how to configure an access policy.

Lastly, set the value of any application setting to a reference of the following format:

@Microsoft.KeyVault(SecretUri=secret_uri_with_version)

Where secret_uri_with_version is the full URI for a secret in Key Vault. For example, this would be something like: https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931

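The procedure the answer and the doc extract describe (system-assigned identity, a Get-only secret access policy with no authorized-application restriction, a versioned SecretUri reference, then a restart), as an added shell example that is not part of the original question, the answer or Microsoft's documentation. It assumes a logged-in Azure CLI, and RG, APP, VAULT, SECRET and SETTING are hypothetical placeholder arguments. kv_reference and is_unresolved are offline helpers: the first refuses anything that is not a versioned secret URI before it becomes an app setting, and the second is the runtime check the question's function could apply to a setting's value, since a value that still starts with @Microsoft.KeyVault( means the platform did not substitute the secret.

```shell
#!/usr/bin/env sh
# Added example, not from the original post. Assumes "az" is installed and logged in;
# RG, APP, VAULT, SECRET and SETTING are hypothetical placeholders.

# Build a Key Vault reference from a versioned secret URI. Refuses anything that
# does not look like https://<vault>.vault.azure.net/secrets/<name>/<32-hex-version>,
# because an unversioned or malformed URI is the most common reason a reference
# is left unresolved in the app setting.
kv_reference() {
  uri="$1"
  case "$uri" in
    https://*.vault.azure.net/secrets/*/*) ;;
    *) echo "not a versioned Key Vault secret URI: $uri" >&2; return 1 ;;
  esac
  version="${uri##*/}"
  if ! printf '%s' "$version" | grep -Eq '^[0-9a-f]{32}$'; then
    echo "secret URI must end in the 32-char secret version: $uri" >&2
    return 1
  fi
  printf '@Microsoft.KeyVault(SecretUri=%s)' "$uri"
}

# Runtime check for the function: a setting value that still carries the
# reference prefix was never substituted, so it must not be used as a secret.
is_unresolved() {
  case "$1" in
    '@Microsoft.KeyVault('*) return 0 ;;
    *) return 1 ;;
  esac
}

# Wire a function app to one secret. Requires Azure access, so it only runs
# when RUN_AZ=1 is set.
configure() {
  RG="$1"; APP="$2"; VAULT="$3"; SECRET="$4"; SETTING="$5"

  # 1. System-assigned managed identity; capture its object id for the policy.
  principal=$(az functionapp identity assign -g "$RG" -n "$APP" \
                --query principalId -o tsv) || return 1

  # 2. Access policy on the data plane: Get on secrets only. Deliberately no
  #    --application-id, which is not compatible with a managed identity.
  az keyvault set-policy -n "$VAULT" --object-id "$principal" \
    --secret-permissions get || return 1

  # 3. The secret's "id" is the full versioned URI the reference needs.
  uri=$(az keyvault secret show --vault-name "$VAULT" -n "$SECRET" \
          --query id -o tsv) || return 1
  ref=$(kv_reference "$uri") || return 1
  az functionapp config appsettings set -g "$RG" -n "$APP" \
    --settings "$SETTING=$ref" || return 1

  # 4. Restart so the new setting is resolved against Key Vault.
  az functionapp restart -g "$RG" -n "$APP"
}

if [ "${RUN_AZ:-0}" = "1" ]; then
  configure "$@"
fi
```

Run it as `RUN_AZ=1 sh kvref.sh myRg myFuncApp myvault mysecret accessToken`; without RUN_AZ it only defines the helpers, so `kv_reference` can be used on its own to sanity-check a URI copied from the portal.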