Open mmaitre314 opened 8 years ago
@vishramendra Paul is correct - this works on anything in App Service. This is almost always an access policy issue, so I'd encourage you to double-check that. We have identified an issue for managed identities if you have the access policy set to "application-application" (meaning you set the "authorized application" flag in the access policy configuration). You just need to set the access policy principal to your managed identity, and it needs to have the "Get" permission for secrets.
Can someone put an example of using the Key Vault for an Azure Function blob connection string in a binding, and where to put this code: "@Microsoft.KeyVaul"? @mmaitre314 @christopheranderson @sjwaight @parad0xchild @solvingj
@mattchenderson You were right. Key Vault access policy doesn't need Application authorization as well as configure-template. My issue is resolved. Thanks to @paulbatum and you. :)
This option will not work in Visual Studio debugging: @Microsoft.KeyVault(SecretUri=https://demokeyvaultash.vault.azure.net/secrets/APIKey/8781ac7f930940bb823f2d0f9a38d62d)
It seems @Microsoft.KeyVault doesn't work through the new VNET integration (using delegation). Why would that be? (I.e. if I integrate the App Service into a VNET, point it to the Key Vault using a Service Endpoint, and lock down the Key Vault to that VNET, this doesn't seem to work.)
Any plans to make @Microsoft.KeyVault work from local.settings.json file?
It's been 1.5 years, any interest/update? Thanks.
Given these Key Vault references rely on Managed Identity you'd first need to solve enabling the local runtime environment to execute using Managed Identities. The same would apply to the App Configuration references you can use. I would recommend opening a new feature request if you need specific focus on this use case (note I don't work on the Product Group so I'm not speaking authoritatively here).
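Added example, not part of any comment in this thread and not code from the Azure Functions project: a small Python check that scans the `Values` section of a `local.settings.json` for `@Microsoft.KeyVault(SecretUri=...)` references, which the comments above report are not resolved when running locally, and validates their shape. The sample file, the vault name `example-vault`, the placeholder secret version and the `.vault.azure.net` host suffix check (taken from the URL format quoted above) are assumptions.

```python
import json
import re
from urllib.parse import urlparse

# Reference form quoted in the thread: @Microsoft.KeyVault(SecretUri=<uri>)
REF_RE = re.compile(r"^@Microsoft\.KeyVault\(SecretUri=(?P<uri>[^)]*)\)$")
# Assumption: public-cloud vault host suffix, as in the URL shown in the thread.
VAULT_SUFFIX = ".vault.azure.net"

# Constructed sample file; none of these values are real.
SAMPLE = """{
  "IsEncrypted": false,
  "Values": {
    "AzureWebJobsStorage": "UseDevelopmentStorage=true",
    "ApiKey": "@Microsoft.KeyVault(SecretUri=https://example-vault.vault.azure.net/secrets/APIKey/0123456789abcdef0123456789abcdef)",
    "Broken": "@Microsoft.KeyVault(SecretUri=https://example-vault.vault.azure.net/secrets/APIKey",
    "Http": "@Microsoft.KeyVault(SecretUri=http://example-vault.vault.azure.net/secrets/APIKey/abc)"
  }
}"""

def check_reference(value):
    """Return (is_reference, problems) for one setting value."""
    value = value.strip()
    if not value.startswith("@Microsoft.KeyVault"):
        return False, []
    match = REF_RE.match(value)
    if not match:
        return True, ["malformed: expected @Microsoft.KeyVault(SecretUri=...)"]
    problems = []
    uri = urlparse(match.group("uri"))
    if uri.scheme != "https":
        problems.append("SecretUri is not https")
    if not (uri.hostname or "").endswith(VAULT_SUFFIX):
        problems.append("unexpected vault host")
    parts = [p for p in uri.path.split("/") if p]
    if len(parts) < 2 or parts[0] != "secrets":
        problems.append("path is not /secrets/<name>[/<version>]")
    return True, problems

def scan_settings(text):
    """Map each setting that holds a Key Vault reference to its problems."""
    values = json.loads(text).get("Values", {})
    report = {}
    for name, value in values.items():
        is_ref, problems = check_reference(str(value))
        if is_ref:
            report[name] = problems
    return report

if __name__ == "__main__":
    for name, problems in scan_settings(SAMPLE).items():
        print(name, "->", problems or "well-formed reference")
```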
All our secrets are in Key Vault so we need a way for Azure Functions to retrieve them from there instead of looking them up in app settings. In function.json, connection strings could be referenced using Key Vault URLs:
Connecting to Key Vault requires us to pass a client cert for app authentication, so the WEBSITE_LOAD_CERTIFICATES app setting will be needed.