I have started with the basic PowerShell HTTP trigger template to retrieve a secret string from Azure Key Vault. I set up the function and key vault exactly as described here:
https://medium.com/statuscode/getting-key-vault-secrets-in-azure-functions-37620fd20a0b
And I set up the system-assigned identity by referencing this documentation: https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet#add-a-system-assigned-identity
However, there is a new section not mentioned above, located in the Identity panel below the status toggle, called "Permissions: Azure Role Assignments".
Without something set in the Azure Role Assignments, the function does not appear to work. Setting this section to use "Reader" from the Key Vault resource type is not enough to get it to retrieve the secret either. Adding "Contributor" under the resource type "Subscription" has enough permissions, but I don't know what the correct amount of permissions is to provide only the level of access needed to get the secret.
Can anyone elaborate on this setting and let me know what the proper way to configure it is?