1
votes

I've set up KeyVault configuration for one of my function apps in Azure. This is rather simple to do using a Startup class like this:

using Azure.Identity;
using Microsoft.Azure.Functions.Extensions.DependencyInjection;
using Microsoft.Extensions.Configuration;
using System.IO;
using Core.Utility;

[assembly: FunctionsStartup(typeof(MyJob.Startup))]
namespace MyJob
{
    class Startup : FunctionsStartup
    {
        private IConfiguration _configuration;

        public override void Configure(IFunctionsHostBuilder builder)
        {
            // Configure your services here.
        }

        public override void ConfigureAppConfiguration(IFunctionsConfigurationBuilder builder)
        {
            var context = builder.GetContext();
            var configurationBuilder = builder.ConfigurationBuilder;
            configurationBuilder.AddJsonFile(Path.Combine(context.ApplicationRootPath, "appsettings.json"), true, false)
                .AddEnvironmentVariables();

            // Add the Key Vault: build once to read KeyVaultName from the sources above,
            // then layer the Key Vault provider on top using the managed identity.
            var configuration = configurationBuilder.Build();
            configurationBuilder.AddAzureKeyVault(KeyVaultSecrets.MakeKvUri(configuration["KeyVaultName"]),
                new DefaultAzureCredential());
            _configuration = configurationBuilder.Build();
        }
    }
}

I would now like to use a user-assigned managed identity instead of the system-assigned one so I don't have to grant access to the KV for every new app or deployment slot I make.

I've read this doc: https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet, but this shows examples for KV clients created in your own code and the infrastructure is creating the client for me here.

How would this have to change to use a user-assigned identity?

Since you don't want to use system Managed Identity solely based on key vault access, what if you were to change the KV access to RBAC (instead of the default access policies) and use an AD group with a role of 'Key Vault Secrets User' and simply add each application and slot to the group at the time of creation with your Infrastructure as Code? - Adam Vincent
I tried out RBAC for KV and it is actually more annoying and cumbersome than manually adding the app identity to each KV, because you can't just assign a role to an app identity, you have to go into each KV individually and allow access. i.e. RBAC doesn't make anything easier IMO. - Ian

1 Answer

0
votes

To get a user-assigned identity to work you simply change

new DefaultAzureCredential()

to

new ManagedIdentityCredential("<Client ID>")

The Client ID is shown on the user-assigned identity when you look at it in the Azure portal.

It would be nice if there was a way for DefaultAzureCredential to be redirected to the user-assigned identity via config. This way you have to put something down in your code that switches between the Default cred and the managed identity one, based on whether the debugger is attached or on a config item, so that you can debug locally without using that identity, because using the default cred is still the right thing when debugging from VS.

I did try to add this to the config in Azure, but it didn't work (the default cred would fail to use the user-assigned identity).

AzureServicesAuthConnectionString: RunAs=App;AppId=<client id>
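One way to wire up the switch the answer describes, as an added example that is not part of the original question or answer. It assumes an app setting named `ManagedIdentityClientId` (an assumed name, not from the post) holding the user-assigned identity's client ID, and builds the vault URI inline instead of using the asker's `KeyVaultSecrets.MakeKvUri`. It also shows a second option the answer did not cover: `DefaultAzureCredentialOptions.ManagedIdentityClientId` in Azure.Identity, which keeps the default chain locally but targets the user-assigned identity once deployed.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using Azure.Core;
using Azure.Identity;
using Microsoft.Azure.Functions.Extensions.DependencyInjection;
using Microsoft.Extensions.Configuration;

[assembly: FunctionsStartup(typeof(MyJob.Startup))]
namespace MyJob
{
    // Added example: chooses the TokenCredential handed to the Key Vault
    // configuration provider. "ManagedIdentityClientId" is an assumed app
    // setting name; set it in the Function App's configuration, not in code.
    internal static class CredentialFactory
    {
        // Option 1 (what the answer describes): explicit switch between the
        // default chain for local debugging and the user-assigned identity in Azure.
        public static TokenCredential Create(IConfiguration configuration)
        {
            var clientId = configuration["ManagedIdentityClientId"];

            // Local debugging (Visual Studio / Azure CLI login): the default chain
            // needs no identity assignment for the developer machine.
            if (Debugger.IsAttached || string.IsNullOrWhiteSpace(clientId))
            {
                return new DefaultAzureCredential();
            }

            // Deployed: authenticate only as the user-assigned identity.
            return new ManagedIdentityCredential(clientId);
        }

        // Option 2: no debugger check. DefaultAzureCredential still falls through
        // to developer credentials locally (no managed identity endpoint exists
        // there), but uses the user-assigned identity when the app runs in Azure.
        public static TokenCredential CreateViaDefaultChain(IConfiguration configuration)
        {
            var clientId = configuration["ManagedIdentityClientId"];
            var options = new DefaultAzureCredentialOptions
            {
                ManagedIdentityClientId = string.IsNullOrWhiteSpace(clientId) ? null : clientId
            };
            return new DefaultAzureCredential(options);
        }
    }

    class Startup : FunctionsStartup
    {
        public override void Configure(IFunctionsHostBuilder builder)
        {
            // Configure your services here.
        }

        public override void ConfigureAppConfiguration(IFunctionsConfigurationBuilder builder)
        {
            var context = builder.GetContext();
            var configurationBuilder = builder.ConfigurationBuilder;
            configurationBuilder
                .AddJsonFile(Path.Combine(context.ApplicationRootPath, "appsettings.json"),
                             optional: true, reloadOnChange: false)
                .AddEnvironmentVariables();

            // First build: read KeyVaultName and the identity's client ID from app settings.
            var configuration = configurationBuilder.Build();
            var vaultUri = new Uri($"https://{configuration["KeyVaultName"]}.vault.azure.net/");

            // Layer the Key Vault provider on top, authenticating with the chosen credential.
            configurationBuilder.AddAzureKeyVault(vaultUri, CredentialFactory.Create(configuration));
        }
    }
}
```

DefaultAzureCredential also reads the `AZURE_CLIENT_ID` environment variable to select a user-assigned identity, so setting that as an app setting on the Function App gives the same effect as option 2 with no code change. One design point to keep in mind with a shared user-assigned identity: every app and slot that holds it gets exactly the same secret access, so a compromise of any one of them exposes everything the identity can read; keep the identity's Key Vault permissions scoped to the secrets that group of apps actually needs.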