Azure Function - System Managed ID - PowerShell runtime

Lars Wurm 21 Reputation points
2020-09-06T19:04:32.587+00:00

Hi,

I have set up an Azure Function with PowerShell Core 7.0 as the runtime. The function has a system-managed identity - all well so far. I then configured a Key Vault from which I want this function to read its secrets. Next, I added an Access Policy to the Key Vault for the system-managed identity.

The problem is - when I try to access the Key Vault with the system-managed identity of the Azure Function (upon executing the function) - it responds with the following error message: this.client.subscriptionId cannot be null. I googled (or binged) it - all kinds of worthless answers, like trying to log in with PowerShell from within the Function and so on - which does not make sense if you ask me (it's not interactive). Again - I tried to give the system-managed identity READ access on resources within the subscription it is trying to access - with no success. That being said - I know this should not be necessary, since I have had this scenario numerous times without providing IAM access (only a Key Vault Access Policy) to the system-managed identity. Has anyone else seen this error, and how was it resolved?


1 answer

  1. MayankBargali-MSFT 69,941 Reputation points
    2020-09-07T09:20:45.907+00:00

    Hi @Lars Wurm

    Can you please confirm that you have followed all the steps mentioned here?

    In the third step, it is mentioned as:
    Enable the "Get" secret permission on this policy. Do not configure the "authorized application" or applicationId settings, as this is not compatible with a managed identity.

    Yes, you need to add an access policy with the Get permission for the Object ID that is generated when you enable the system-assigned identity.


    Once you have added the permission, you can create a new application setting and define the value as @Microsoft.KeyVault(SecretUri)
    Example : "@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931")

    You can see the green tick mark in the Source column for your specified name, as below, and this confirms that the setup is correct.


    I have used the below PowerShell code to get the value of the secret in my function code:

    using namespace System.Net

    # Input bindings are passed in via param block.
    param($Request, $TriggerMetadata)

    # Write to the Azure Functions log stream.
    Write-Host "PowerShell HTTP trigger function processed a request."

    # The app setting named "password" (a Key Vault reference) is exposed to the
    # worker as the environment variable APPSETTING_password, already resolved to
    # the secret value. Get-Item is used instead of the 'ls' alias, which is not
    # defined in PowerShell 7 on Linux.
    $result = Get-Item Env:APPSETTING_password

    $pass = $result.Value

    # Associate values to output bindings by calling 'Push-OutputBinding'.
    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
        StatusCode = [HttpStatusCode]::OK
        Body = $pass
    })

    You can customize the above code according to your requirements. I hope the above steps help you resolve the issue. If not, please share the steps and code that you are using.

    Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.

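For comparison with the Key Vault reference approach in the answer, the following is an added example (not code from the question or the answer) of reading the secret at runtime with the managed identity's own token, which needs only the Key Vault access policy and no subscription context. It assumes the function runs in Azure Functions, where the platform sets IDENTITY_ENDPOINT and IDENTITY_HEADER for the worker; the vault name and secret name are constructed placeholders.

```powershell
using namespace System.Net

# Input bindings are passed in via param block.
param($Request, $TriggerMetadata)

# Constructed placeholder values: replace with your own vault and secret names.
$vaultName  = 'myvault'
$secretName = 'mysecret'

# The platform exposes the managed identity token service to the worker through
# IDENTITY_ENDPOINT / IDENTITY_HEADER. No Az module login is involved.
function Get-ManagedIdentityToken {
    param([string]$Resource)
    $uri = "$($env:IDENTITY_ENDPOINT)?resource=$([uri]::EscapeDataString($Resource))&api-version=2019-08-01"
    $headers = @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER }
    (Invoke-RestMethod -Method Get -Uri $uri -Headers $headers).access_token
}

# Reads one secret over the Key Vault REST API using the bearer token.
function Get-KeyVaultSecret {
    param([string]$Vault, [string]$Name, [string]$Token)
    $uri = "https://$Vault.vault.azure.net/secrets/$Name?api-version=7.0"
    $headers = @{ Authorization = "Bearer $Token" }
    (Invoke-RestMethod -Method Get -Uri $uri -Headers $headers).value
}

try {
    $token  = Get-ManagedIdentityToken -Resource 'https://vault.azure.net'
    $secret = Get-KeyVaultSecret -Vault $vaultName -Name $secretName -Token $token
    # The secret is used server-side; the response only reports that the read succeeded.
    $status = [HttpStatusCode]::OK
    $body   = "Secret '$secretName' read from vault '$vaultName' ($($secret.Length) characters)."
}
catch {
    # A 403 from the vault typically means the access policy (Get on secrets) is
    # missing for the function's identity object ID.
    Write-Host "Key Vault read failed: $($_.Exception.Message)"
    $status = [HttpStatusCode]::InternalServerError
    $body   = 'Could not read the secret; check the Key Vault access policy for the function identity.'
}

# Associate values to output bindings by calling 'Push-OutputBinding'.
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode = $status
    Body       = $body
})
```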