Access KeyVault from AzureFunciton with public network disabled

Question

Access KeyVault from AzureFunciton with public network disabled

previousversiondocs 61

I have an azure function that needs to access key-vault.

The code looks like this:

credentials = DefaultAzureCredential()
secret = secret_client.get_secret(secret_name)

Locally, It works with the following settings:
KeyVault -> Settings -> Networking -> Allow public access (either my local IP or all networks, both works)

But I don't want to allow all public networks to be able to access the vault.

When disabling "Allow public access" and deploying the Function to Azure, I get this error:
(Forbidden) Public network access is disabled and request is not from a trusted service nor via an approved private link.

I expected such error when trying to run it locally, because my local IP is obviously not allowed. But i expected it to work when deployed, because i thought, the AzureFunction was a "trusted service", but it is not listed here.

Also, I have added role-based access and I have added the Azure-Function. As said, this works when I allow public access, which I don't want. Is there any way to restrict public access to the vault but make it available for the AzureFunction?

Hai Ha Tran 0 Reputation points

2023-07-25T14:10:34.3133333+00:00

Hello,

sorry to open the topic again but I face a similar problem but I'm using a logic app instead.

Vnet integration is configured and is working with a storage account over private endpoint.

I wanted to setup the same for key vault access but also get '(Forbidden) Public network access is disabled and request is not from a trusted service nor via an approved private link.'

What was the solution?

I have checked logs and it seems to be routed over public IP, so it makes sense but I would have expected traffic to flow over the configured Vnet integration subnet.

Key vault endpoint and storage account endpoint are in same dedicated subnet.

Service endpoint for key vault is not configured on endpoint subnet only for storage account.

Thanks in advance
Sudharsan S 0 Reputation points

2025-03-27T04:40:30.2533333+00:00

Hi there,

I'm attempting to create a secret in my Azure Key Vault with public access disabled directly from the Azure portal. However, I'm encountering following popup error.

When I tried the same operation from Azure CloudShell, I received this error message.

(Forbidden) Public network access is disabled and request is not from a trusted service nor via an approved private link.

Caller: appid=b677c290-cf4b-4a8e-a60e-91ba650a4abe;oid=a6288b09-fefe-423e-9bea-363d4a80b96a;iss=https://sts.windows.net/3d24ca4f-8f63-4fe6-9836-484f5c49dd4f/

Vault: ENFS-Key-Vault-01;location=westus

Code: Forbidden

Message: Public network access is disabled and request is not from a trusted service nor via an approved private link.

Caller: appid=b677c290-cf4b-4a8e-a60e-91ba650a4abe;oid=a6288b09-fefe-423e-9bea-363d4a80b96a;iss=https://sts.windows.net/3d24ca4f-8f63-4fe6-9836-484f5c49dd4f/

Vault: ENFS-Key-Vault-01;location=westus

Inner error: {

"code": "ForbiddenByConnection"

}

Note: I have the necessary Key Vault roles to create a secret.

Can anyone assist me in resolving this issue?
Mujtaba Tirmazi 0 Reputation points

2025-05-01T16:11:18.2433333+00:00

Hi, I am also facing similar situation, however i have added the Service Endpoint to subnets aswel. But still it throws this error intermittently.

Did we find any solution for this.

1 answer

Your answer

Hai Ha Tran 0 Reputation points

2023-07-25T14:10:34.3133333+00:00

Hello,

sorry to open the topic again but I face a similar problem but I'm using a logic app instead.

Vnet integration is configured and is working with a storage account over private endpoint.

I wanted to setup the same for key vault access but also get '(Forbidden) Public network access is disabled and request is not from a trusted service nor via an approved private link.'

What was the solution?

I have checked logs and it seems to be routed over public IP, so it makes sense but I would have expected traffic to flow over the configured Vnet integration subnet.

Key vault endpoint and storage account endpoint are in same dedicated subnet.

Service endpoint for key vault is not configured on endpoint subnet only for storage account.

Thanks in advance
Sudharsan S 0 Reputation points

2025-03-27T04:40:30.2533333+00:00

Hi there,

I'm attempting to create a secret in my Azure Key Vault with public access disabled directly from the Azure portal. However, I'm encountering following popup error.

When I tried the same operation from Azure CloudShell, I received this error message.

(Forbidden) Public network access is disabled and request is not from a trusted service nor via an approved private link.

Caller: appid=b677c290-cf4b-4a8e-a60e-91ba650a4abe;oid=a6288b09-fefe-423e-9bea-363d4a80b96a;iss=https://sts.windows.net/3d24ca4f-8f63-4fe6-9836-484f5c49dd4f/

Vault: ENFS-Key-Vault-01;location=westus

Code: Forbidden

Message: Public network access is disabled and request is not from a trusted service nor via an approved private link.

Caller: appid=b677c290-cf4b-4a8e-a60e-91ba650a4abe;oid=a6288b09-fefe-423e-9bea-363d4a80b96a;iss=https://sts.windows.net/3d24ca4f-8f63-4fe6-9836-484f5c49dd4f/

Vault: ENFS-Key-Vault-01;location=westus

Inner error: {

"code": "ForbiddenByConnection"

}

Note: I have the necessary Key Vault roles to create a secret.

Can anyone assist me in resolving this issue?
Mujtaba Tirmazi 0 Reputation points

2025-05-01T16:11:18.2433333+00:00

Hi, I am also facing similar situation, however i have added the Service Endpoint to subnets aswel. But still it throws this error intermittently.

Did we find any solution for this.

Answer 1

@previousversiondocs

Thank you for your post!

Error Message:

(Forbidden) Public network access is disabled and request is not from a trusted service nor via an approved private link.

I understand that you're trying to access your Key Vault from your Azure Functions App and are running into the above error message due to your Vault's public network being disabled. When it comes to troubleshooting your issue, I'll share some options below to hopefully point you in the right direction.

Public Access Disabled:

When it comes to the Public Access Disabled Firewall and VNET setting, this will deny all public configurations and allow only connections through private endpoints. For more info - Create a private endpoint by using the Azure portal.

Managed identities Azure Functions:

If you don't want to "Allow public access from all networks" but you're able to "Allow public access from specific virtual networks and IP addresses" - you can create a system-assigned identity for your Azure Functions App, assign it the appropriate Key vault permissions, and access your Key Vault through the system-assigned identity.

Allow public access from specific virtual networks and IP addresses:

If you choose to leverage Virtual networks and IP addresses, you can also add your Function App's IP address to your Key Vaults firewall to allow for access. If you aren't sure of the IP address used, you can use your browser's Developer Tool (F12) or Capture a Fiddler Trace.
Once you figure out what IP is being blocked, you can then add it your IPv4 addresses as 12.345.678.901 or 12.345.678.0/24

Key Vault Access Policies:

I also noticed you mentioned assigning the RBAC role to your Azure Function. Depending on your Vault's Access Configuration, you might have to assign the appropriate Access Policy permissions to your Functions App.

I hope this helps!

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

Additional Link:

Create a function app that uses Key Vault for necessary secrets

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

previousversiondocs 61 Reputation points

2023-04-20T08:27:30.58+00:00

Thanks for your detailed respone, I already thought about allowing the function's IP in the "allow specific VNETs and IPs" section, but can I be sure to always have the same IP for the function once I create it?

Also, I tried the private endpoint but also got (Forbidden) Public network access is disabled and request is not from a trusted service nor via an approved private link. I will try this again and reach back to you if I get stuck again if that's ok.

Best regards
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator

2023-04-28T18:14:19.2266667+00:00

@previousversiondocs

Thank you for following up on this and I apologize for the delayed response!

Since you're still having issues with this, can you please email me with the info below. I'll go ahead and enable a one-time free technical support request for your subscription so our Support Engineers can take a closer look into your environment and get this issue resolved.

Email: AzCommunity@microsoft.com Subject: ATTN - James Tran Body: Azure Subscription ID Link to this issue

If you have any other questions, please let me know. Please feel free to take a re-survey on the relevant answer and help us further improve by leaving feedback verbatim as needed.

Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator

2023-05-01T21:40:22.0533333+00:00

@previousversiondocs

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

Share via

Access KeyVault from AzureFunciton with public network disabled

1 answer

Your answer