I've set up KeyVault configuration for one of my function apps in Azure. This is rather simple to do using a Startup class like this:
using Azure.Identity;
using Microsoft.Azure.Functions.Extensions.DependencyInjection;
using Microsoft.Extensions.Configuration;
using System.IO;
using Core.Utility;
[assembly: FunctionsStartup(typeof(MyJob.Startup))]
namespace MyJob
{
class Startup : FunctionsStartup
{
private IConfiguration _configuration;
public override void Configure(IFunctionsHostBuilder builder)
{
// Configure your services here.
}
public override void ConfigureAppConfiguration(IFunctionsConfigurationBuilder builder)
{
var context = builder.GetContext();
var configurationBuilder = builder.ConfigurationBuilder;
configurationBuilder.AddJsonFile(Path.Combine(context.ApplicationRootPath, "appsettings.json"), true, false)
.AddEnvironmentVariables();
// Add the Key Vault:
var configuration = configurationBuilder.Build();
configurationBuilder.AddAzureKeyVault(KeyVaultSecrets.MakeKvUri(configuration["KeyVaultName"]),
new DefaultAzureCredential());
_configuration = configurationBuilder.Build();
}
}
}
I would now like to use a user-assigned managed identity instead of the system-assigned one so I don't have to grant access to the KV for every new app, or deployment slot I make.
I've read this doc: https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet, but this shows examples for KV clients created in your own code and the infrastructure is creating the client for me here.
How would this have to change to use a user-assigned identity?