In the article it is stated:

"The access policy should grant the identity the following secret permissions: Get, Set, List, and Delete."

It is, however, also possible to create the KeyVault keys before launching the pod and allow the pod to use only Get permissions. For production environments it might not be possible to grant all of Get, Set, List, and Delete, as is the case in my current project.

I've set AzureWebJobsSecretStorageType to "keyvault" and AzureWebJobsSecretStorageKeyVaultUri to my vault URI, and only allow the workload identity to use Get. In the vault I have preconfigured the following secrets:

host--functionKey--default
host--masterKey--master
host--systemKey--durabletask-095extension (note: the -095 is converted to an underscore by the Functions host; it needs exactly the key "durabletask_extension", but Key Vault does not allow underscores in secret names)
It took me quite a bit of studying the code of the Azure Functions WebHost (https://github.com/Azure/azure-functions-host/tree/dev/src/WebJobs.Script.WebHost) so I figured it might help some people to add this to the docs.
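As an added example (not code from the issue comment or from the Functions host), the following Python pre-flight check builds the Key Vault secret names the host expects for the Get-only setup described above and reports which of them are missing from a vault before the pod is started. With an identity that can only Get, the host cannot create a missing key at runtime, so every required secret has to exist beforehand. The name encoding used here (each non-alphanumeric character replaced by "-" plus its three-digit decimal code, so "_" becomes "-095") is generalized from the single example in the comment and is an assumption; the vault listing is constructed inline for the demo.

```python
"""Pre-flight check for Azure Functions host keys stored in Key Vault.

Added example, not code from the issue or from the Functions host.
Assumption: the host encodes every non-alphanumeric character of a logical
key name as '-' followed by its three-digit decimal code ('_' -> '-095');
this is inferred from the single example given in the comment.
"""
import re
import secrets
from typing import Dict, Iterable, List, Tuple

# Azure Key Vault object names: 1-127 characters, ASCII letters, digits and dashes only.
KV_NAME_RE = re.compile(r"^[0-9A-Za-z-]{1,127}$")

# Host-level secrets named in the comment; system keys are added per extension.
HOST_MASTER_SECRET = "host--masterKey--master"
HOST_DEFAULT_FUNCTION_SECRET = "host--functionKey--default"


def normalize(part: str) -> str:
    """Encode one logical name fragment into a Key Vault safe fragment (assumed rule)."""
    out = []
    for c in part:
        if c.isascii() and c.isalnum():
            out.append(c)
        elif c.isascii():
            out.append(f"-{ord(c):03d}")  # '_' (ASCII 95) -> '-095', '-' -> '-045'
        else:
            raise ValueError(f"non-ASCII character {c!r} cannot be encoded")
    return "".join(out)


def denormalize(fragment: str) -> str:
    """Reverse normalize(): every '-ddd' becomes the character with code ddd.

    A literal '-' is always encoded as '-045', so any dash in a normalized
    fragment starts a three-digit code."""
    return re.sub(r"-(\d{3})", lambda m: chr(int(m.group(1))), fragment)


def system_key_secret(extension_key: str) -> str:
    """Secret name for a host system key such as 'durabletask_extension'."""
    return f"host--systemKey--{normalize(extension_key)}"


def parse_secret_name(secret_name: str) -> Tuple[str, str, str]:
    """Split 'host--systemKey--durabletask-095extension' into
    ('host', 'systemKey', 'durabletask_extension')."""
    scope, kind, fragment = secret_name.split("--", 2)
    return scope, kind, denormalize(fragment)


def expected_secret_names(system_keys: Iterable[str] = ("durabletask_extension",)) -> List[str]:
    """All secrets the host needs to read when it is not allowed to create any."""
    return [HOST_MASTER_SECRET, HOST_DEFAULT_FUNCTION_SECRET] + [
        system_key_secret(k) for k in system_keys
    ]


def preflight(
    vault_secret_names: Iterable[str],
    system_keys: Iterable[str] = ("durabletask_extension",),
) -> Dict[str, List[str]]:
    """Compare the vault's secret listing against the names the host will look up."""
    required = expected_secret_names(system_keys)
    present = set(vault_secret_names)
    return {
        "invalid": [n for n in required if not KV_NAME_RE.match(n)],
        "missing": [n for n in required if n not in present],
        "present": [n for n in required if n in present],
    }


def new_key_value(nbytes: int = 40) -> str:
    """Random value for seeding a missing secret; the comment does not specify
    a key format, so a URL-safe high-entropy string is used here."""
    return secrets.token_urlsafe(nbytes)


# Constructed vault listing for the demo: the master key was never created.
SAMPLE_VAULT_LISTING = [
    "host--functionKey--default",
    "host--systemKey--durabletask-095extension",
    "some-unrelated-secret",
]

if __name__ == "__main__":
    report = preflight(SAMPLE_VAULT_LISTING)
    for name in report["present"]:
        print(f"ok      {name}")
    for name in report["missing"]:
        logical = parse_secret_name(name)[2]
        print(f"MISSING {name} (logical key {logical!r}); create it before starting the pod")
```

Run the check against the output of a real `az keyvault secret list` before rolling out a Get-only identity; a name in the "missing" list is one the host would otherwise try to create at startup and fail on. To cover additional extensions, pass their system key names (with the underscores they use at runtime) as `system_keys`.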