v4 Azure Function isolated process not authenticating to key vault when running locally

Question

We are developing a v4 Azure Function using .Net framework 4.8 running in an isolated worker process.
We would like to have the function store secrets and keys in a key vault using the AzureWebJobsSecretStorageKeyVaultUri setting.
Unfortunately each time we try to run the function locally, we get the following error:
A host error has occurred during startup operation
Azure.Identity: The ChainedTokenCredential failed to retrieve a token from the included credentials.
ManagedIdentityCredential authentication unavailable. Multiple attempts failed to obtain a token from the managed identity endpoint.

I understand that ManagedIdentityCredential only works when running in Azure and to authenticate when running locally that we have to use DefaultAzureCredential, but I'm not sure how to configure the service to do that. The error gets thrown before any code in the application runs, right after the console line:
Found c:.....csproj. Using for user secrets file configuration.

My local user account does have access to the the key vault (the function code does have code that accesses it later using DefaultAzureCredentials), so it seems this must be a configuration issue somewhere.

We would like to not be required to list a storage connection string in the local.setttings.json file, but there doesn't seem to be any way around it at this point.

Answer 1

I have the same issue here on a v4 isolated function on net70.

Issue surfaces when I place these parameters in local.settings.json:
"AzureWebJobsSecretStorageType": "keyvault",
"AzureWebJobsSecretStorageKeyVaultUri": "https://<keyvault name>.vault.azure.net/",
"AzureWebJobsSecretStorageKeyVaultClientId": "<managed user identity id> or <my personal user account id>"

Without these parameters the function runs fine (because all required parameters are in local.settings.json)

Eventually after a few minutes the services started, but with errors:
[2023-01-08T11:01:55.600Z] - ManagedIdentityCredential authentication unavailable. Multiple attempts failed to obtain a token from the managed identity endpoint.
[2023-01-08T11:01:55.601Z] - ManagedIdentityCredential authentication unavailable. Multiple attempts failed to obtain a token from the managed identity endpoint.
[2023-01-08T11:01:55.602Z] ---> System.AggregateException: Multiple exceptions were encountered while attempting to authenticate. (ManagedIdentityCredential authentication unavailable. Multiple attempts failed to obtain a token from the managed identity endpoint.) (ManagedIdentityCredential authentication unavailable. Multiple attempts failed to obtain a token from the managed identity endpoint.)
[2023-01-08T11:01:55.603Z] ---> Azure.Identity.CredentialUnavailableException: ManagedIdentityCredential authentication unavailable. Multiple attempts failed to obtain a token from the managed identity endpoint.
[2023-01-08T11:01:55.604Z] ---> System.AggregateException: Retry failed after 4 tries. Retry settings can be adjusted in ClientOptions.Retry. (A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (169.254.169.254:80)) (A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (169.254.169.254:80)) (A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (169.254.169.254:80)) (A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (169.254.169.254:80))

based on this section (https://learn.microsoft.com/en-US/azure/azure-functions/functions-app-settings#azurewebjobssecretstoragekeyvaulturi) in the documentation I assigned the Key Vault Secrets Officer role (to both the managed user identity and my personal user a account), but the issue persists