Fetch key vault secrets using user assigned managed identity from Azure function

Question

Hi Team,

I have one key vault where I have saved all my secrets names and its value.

I have also created a user assigned managed identity "write" which has access to key vault.

I have attached this managed identity to Azure function as well. Now I want to fetch the secrets of key vault from azure function.

I am using this code in Azure function:

import azure.functions as func
import logging
from azure.keyvault.secrets import SecretClient
from azure.identity import ManagedIdentityCredential

app = func.FunctionApp(http_auth_level=func.AuthLevel.FUNCTION)

@app.route(route="funcmanagedidentity")
def funcmanagedidentity(req: func.HttpRequest) -> func.HttpResponse:
    logging.info('Python HTTP trigger function processed a request.')

    try:
        credential = ManagedIdentityCredential(client_id=ManagedIdentityCredential)
        key_vault_url = "https://kv.vault.azure.net" 
        
        client = SecretClient("https://kv.vault.azure.net", credential)
        secret = client.get_secret("api").value  # Retrieve the secret value

        return func.HttpResponse(secret, status_code=200)

    except Exception as e:
        logging.error(f"An error occurred: {e}")
        return func.HttpResponse(f"An error occurred: {str(e)}", status_code=500)

but I am getting this error message :

2024-08-26T11:11:03Z [Error] An error occurred: (None) No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId. Code: None Message: No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId.

Answer 1

Hi @RSingh

Thank you for reaching us!

The error message "No User Assigned or Delegated Managed Identity found for specified ClientId/ResourceId/PrincipalId" indicates that the managed identity you are using does not have the required permissions to access the specified resource.

To resolve this issue, you need to ensure that the managed identity has the necessary permissions to access the resource. Here are the steps to follow:

1. Check if the managed identity is correctly assigned to the function app. You can do this by going to the "Identity" section of the function app in the Azure portal and verifying that the managed identity is enabled.
2. Check if the managed identity has the necessary permissions to access the resource. You can do this by going to the "Access control (IAM)" section of the resource in the Azure portal and verifying that the managed identity has the required role assignment.
3. If the managed identity does not have the required role assignment, you can add it by clicking on the "Add role assignment" button and selecting the appropriate role.
4. If the managed identity is correctly assigned and has the necessary role assignment, then you need to ensure that the resource URL and audience are correct. Double-check that the resource URL and audience are correct and match the resource you are trying to access.
5. If you are still getting the same error after following these steps, you can try using the Azure CLI to check the role assignments for the managed identity. You can use the following command: az role assignment list --assignee-object-id managed-identity-object-id Replace managed-identity-object-id with the object ID of the managed identity. This command will list all the role assignments for the managed identity. Check if the managed identity has the required role assignment for the resource you are trying to access.

Hope this helps. Do let us know if you any further queries by responding in the comments section.

Thanks,

Akhilesh.

---

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.