It is also possible to use pre-set the keys in the keyvault and use just Get permissions from the kubernetes pod

[gerbendv]

In the article it is stated:

The access policy should grant the identity the following secret permissions: Get,Set, List, and Delete.

It is however, also possible to create the KeyVault keys before launching the pod and allow the pod to only use Get permissions. For production environments it might not be possible to use all Get,Set, List, and Delete permissions as is the case in my current project.

I've set AzureWebJobsSecretStorageType to "keyvault" and AzureWebJobsSecretStorageKeyVaultUri to my vault URI and only allow the workload identity to use Get. In the vault I have preconfigured the following secrets:

• host--functionKey--default
• host--masterKey--master
• host--systemKey--durabletask-095extension (note: the -095 is converted to an underscore by the functions host, it needs exactly the key "durabletask_extension" but KeyVault does not allow the underscore in the secret name)

It took me quite a bit of studying the code of the Azure Functions WebHost (https://github.com/Azure/azure-functions-host/tree/dev/src/WebJobs.Script.WebHost) so I figured it might help some people to add this to the docs.

---

Document Details

⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.

• ID: 18aa54fd-3aa1-37c5-925c-51a0195b1030
• Version Independent ID: 60198016-1ea9-e7ae-b00b-2c665d5ad8ca
• Content: App settings reference for Azure Functions
• Content Source: articles/azure-functions/functions-app-settings.md
• Service: azure-functions
• GitHub Login: @ggailey777
• Microsoft Alias: glenga

[Naveenommi-MSFT]

@gerbendv Thanks for your feedback! We will investigate and update as appropriate.