Azure Key Vault is a service that provides centralized secrets management, with full control over access policies and audit history. When an app setting or connection string is a key vault reference, your application code can use it like any other app setting or connection string.

Grant the app access to Key Vault

There are two authorization models; use the one the vault is configured for:

  • Azure role-based access control: assign the Key Vault Secrets User role to the app's managed identity (the role grants read access to secret values only).

  • Vault access policy: grant the app's managed identity the Get permission on secrets.

Access Network-restricted vaults

If Key Vault is configured with network restrictions, ensure that the app can reach it over the network. To route all of the app's outbound traffic through its virtual network, so that the vault's firewall sees the traffic as coming from that network, run the following PowerShell:

```powershell
# Route all outbound traffic from the Function App through its integrated virtual network
Update-AzFunctionAppSetting -Name <app-name> -ResourceGroupName <group-name> -AppSetting @{vnetRouteAllEnabled = $true}
```

Access vaults with user-assigned identity

By default, Key Vault references are resolved with the app's system-assigned identity. To resolve them with a user-assigned identity instead, set the app's keyVaultReferenceIdentity property to the resource ID of that identity:

```powershell
# Resource ID of the user-assigned managed identity that will read the secrets
$identityResourceId = Get-AzUserAssignedIdentity -ResourceGroupName <group-name> -Name MyUserAssignedIdentityName | Select-Object -ExpandProperty Id
# Resource ID of the Function App whose Key Vault references should use that identity
$appResourceId = Get-AzFunctionApp -ResourceGroupName <group-name> -Name <app-name> | Select-Object -ExpandProperty Id

# PATCH the site resource through the ARM REST API; the cmdlet does not expose this property directly
$Path = "{0}?api-version=2021-01-01" -f $appResourceId
Invoke-AzRestMethod -Method PATCH -Path $Path -Payload "{'properties':{'keyVaultReferenceIdentity':'$identityResourceId'}}"
```
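The steps above (grant access, open the network path, point the app at the identity) as one end-to-end script. This is an added example, not code from the original page or from Microsoft's documentation; the resource group, app, vault, identity and secret names are placeholders, and the identity and vault are assumed to already exist. It goes slightly beyond the page by reading the property back afterwards and by setting one app setting as a Key Vault reference so the wiring can be checked end to end.

```powershell
# Added example (not from the original page). Placeholder names: replace before running.
$ResourceGroup = "<group-name>"
$AppName       = "<app-name>"
$VaultName     = "<vault-name>"
$IdentityName  = "MyUserAssignedIdentityName"
$SecretName    = "DbPassword"   # assumed secret already stored in the vault

# 1. Resolve the user-assigned identity and the vault (both assumed to exist).
$identity = Get-AzUserAssignedIdentity -ResourceGroupName $ResourceGroup -Name $IdentityName
$vault    = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup

# 2a. RBAC model: least privilege is the Secrets User role, scoped to this single vault
#     (not the resource group or subscription).
New-AzRoleAssignment -ObjectId $identity.PrincipalId `
    -RoleDefinitionName "Key Vault Secrets User" `
    -Scope $vault.ResourceId

# 2b. Access-policy model: use this instead of 2a when the vault is not RBAC-enabled.
#     Only Get on secrets is needed to resolve references.
# Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $identity.PrincipalId -PermissionsToSecrets Get

# 3. Network-restricted vault: route all of the app's outbound traffic through its VNet
#    so the vault firewall sees the app's traffic as coming from the allowed network.
Update-AzFunctionAppSetting -Name $AppName -ResourceGroupName $ResourceGroup `
    -AppSetting @{ vnetRouteAllEnabled = $true }

# 4. Make the app resolve Key Vault references with the user-assigned identity.
$appResourceId = (Get-AzFunctionApp -ResourceGroupName $ResourceGroup -Name $AppName).Id
$path    = "{0}?api-version=2021-01-01" -f $appResourceId
$payload = @{ properties = @{ keyVaultReferenceIdentity = $identity.Id } } | ConvertTo-Json -Compress
Invoke-AzRestMethod -Method PATCH -Path $path -Payload $payload | Out-Null

# 5. Read the property back. A missing or mismatched value here is a common reason
#    references stay unresolved (the app keeps using the system-assigned identity).
$site = (Invoke-AzRestMethod -Method GET -Path $path).Content | ConvertFrom-Json
if ($site.properties.keyVaultReferenceIdentity -ne $identity.Id) {
    throw "keyVaultReferenceIdentity was not applied to $AppName"
}

# 6. Store the secret as a Key Vault reference instead of a plaintext app setting.
#    The version is omitted so a rotated secret is picked up without a redeploy.
$secretUri = "https://$VaultName.vault.azure.net/secrets/$SecretName/"
Update-AzFunctionAppSetting -Name $AppName -ResourceGroupName $ResourceGroup `
    -AppSetting @{ $SecretName = "@Microsoft.KeyVault(SecretUri=$secretUri)" }

Write-Host "Reference configured; application code reads '$SecretName' like any other app setting."
```

Run it in a session already signed in with Connect-AzAccount and with the Az.Functions, Az.KeyVault, Az.ManagedServiceIdentity and Az.Resources modules installed. Step 2a and 2b are alternatives; applying both is harmless but only one takes effect, depending on the vault's permission model.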