How can I configure my Azure Function to retrieve a Key Vault secret when invoked by an Azure Logic App?

John van Zalk 40 Reputation points
2025-05-04T01:56:15.9566667+00:00

I’ve stored an API key as a secret in Azure Key Vault and want my Function App—called from a Logic App—to pull that secret at runtime. I’ve already:

  1. Enabled a system-assigned managed identity on the Function App and Logic App
  2. Granted Key Vault Secrets User access to the Function App and Logic App

Despite this, when I try to add the Azure function to my Logic App and save, I’m getting the error message below. What could I be missing?

Workflow validation failed for the workflow ''. {"error":{"code":"ListFunctionKeysFailed","message":"Request to obtain the keys for function ... failed. Error details: '{"Code":"BadRequest","Message":"Encountered an error (InternalServerError) from host runtime.","Target":null,"Details":[{"Message":"Encountered an error (InternalServerError) from host runtime."},{"Code":"BadRequest"},{"ErrorEntity":{"Code":"BadRequest","Message":"Encountered an error (InternalServerError) from host runtime."}}],"Innererror":null}'."}}

Azure Functions

Accepted answer
  1. RithwikBojja 2,410 Reputation points Microsoft External Staff Moderator
    2025-05-08T09:23:57.48+00:00

    Hi @John van Zalk ,

    If you have enabled managed identity on the Function App and want to connect it with the storage account, then after deploying the function app you need to add environment variables as below:

    AzureWebJobsStorage__accountName---->rithtest123
    AzureWebJobsStorage__blobServiceUri---->https://rithtest123.blob.core.windows.net
    AzureWebJobsStorage__credential---->managedIdentity

    If you want to access blobs from the Storage account, you have to add

    AzureWebJobsStorage__blobServiceUri---->https://rithtest123.blob.core.windows.net

    for fileshare:

    AzureWebJobsStorage__queueServiceUri---->https://rithtest123.queue.core.windows.net

    Then give Storage Blob Contributor for accessing blobs, and other roles to perform other actions.


    Then you will be able to access the function app.

    Why this one behaved differently so I can avoid the extra steps going forward.

    No, generally a Storage account created from VS Code will use a connection string by default. But since the storage is defaulted to Identity, you can either change it to a connection string or use it by giving roles and changing the environment variables.


    If this answer was helpful, please click "Accept the answer" and mark Yes, as this can help other community members.


    If you have any other questions or are still experiencing issues, feel free to ask in the "comments" section, and I'd be happy to help.


1 additional answer

  1. Chiugo Okpala 1,275 Reputation points MVP
    2025-05-04T06:10:26.26+00:00

    @John van Zalk welcome to the Microsoft Q&A community.

    It looks like you’ve taken most of the key steps for secure access, but that error suggests there might be an issue with how the Azure Function keys are being accessed by the Logic App. Here are a few things to check:

    1. Ensure the Managed Identity Has Access to Function Keys

    Even though you’ve enabled a system-assigned managed identity and granted Key Vault access, the Logic App also needs permissions to retrieve the function host keys. Try assigning the "Microsoft.Web/sites/hostkeys/list/action" role to the Logic App.

    2. Verify Key Vault Access for the Logic App

    Make sure that the Logic App itself has permission to read secrets from Key Vault and that the correct authentication method is being used in the Logic App’s settings.

    3. Check Azure Function Authentication Settings

    If you’ve enabled authentication on your Function App, ensure that it allows managed identity-based authentication for the Logic App. Otherwise, the request might fail due to security restrictions.

    4. Manually Retrieve the Key from Key Vault in the Function App

    Instead of relying on automatic key retrieval, you can test this manually by:

    Making an HTTP request within your Function App to Azure Key Vault using its system-assigned identity.

    Using Azure SDKs or REST APIs to fetch the secret and confirming it works independently of the Logic App.

    5. Check the Function App Logs for More Details

    Navigate to your Function App’s Application Insights logs or Monitor tab in Azure and see if there are any additional details about the internal server error.

    6. Try Using an Azure Key Vault Reference Instead

    Instead of using direct API calls, Azure Functions supports Key Vault references in application settings, allowing secrets to be retrieved securely at runtime.

    Give these a try, and let me know what happens—sometimes the fix is hidden in a small overlooked permission setting.

    I hope this helps. Let me know if you have any further questions or need additional assistance.

    Also, if this answers your query, do click "Upvote" and "Accept the answer", which might be beneficial to other community members reading this thread.
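Both answers come down to application settings on the Function App: Key Vault references for the secret and identity-based `AzureWebJobsStorage__*` settings for host storage. The following is an added example, not part of either answer or of any Microsoft tooling: a local check over an exported settings dictionary that parses Key Vault references and flags malformed ones, plain-text storage keys, and incomplete identity-based storage settings. The setting names other than `AzureWebJobsStorage__*`, the vault `contoso-kv`, and all values are constructed; it assumes the public-cloud `vault.azure.net` suffix.

```python
import re

REF = re.compile(r"^@Microsoft\.KeyVault\((.*)\)$")
# Assumption: public-cloud vault DNS suffix only.
SECRET_URI = re.compile(
    r"^https://([A-Za-z0-9-]+)\.vault\.azure\.net/secrets/([A-Za-z0-9-]+)(?:/([0-9A-Za-z]+))?/?$")

def parse_keyvault_reference(value):
    """Return (vault, secret, version) for a Key Vault reference, None for a
    plain value; raise ValueError when a reference is malformed."""
    m = REF.match(value.strip())
    if not m:
        return None
    parts = dict(p.strip().split("=", 1) for p in m.group(1).split(";") if "=" in p)
    if "SecretUri" in parts:
        u = SECRET_URI.match(parts["SecretUri"])
        if not u:
            raise ValueError("SecretUri is not an https Key Vault secret URL")
        return u.group(1), u.group(2), u.group(3)
    if "VaultName" in parts and "SecretName" in parts:
        return parts["VaultName"], parts["SecretName"], parts.get("SecretVersion")
    raise ValueError("expected SecretUri or VaultName plus SecretName")

def audit_settings(settings):
    """Return a list of findings for a dict of Function App settings."""
    findings = []
    for key, value in settings.items():
        try:
            ref = parse_keyvault_reference(value)
        except ValueError as exc:
            findings.append(f"{key}: malformed Key Vault reference ({exc})")
            continue
        if ref is None and "AccountKey=" in value:
            findings.append(f"{key}: storage account key stored in the setting itself")
    prefix = "AzureWebJobsStorage__"
    suffixes = {k[len(prefix):] for k in settings if k.startswith(prefix)}
    # Simplified rule (assumption): identity-based storage needs an account name or blob URI.
    if suffixes and not suffixes & {"accountName", "blobServiceUri"}:
        findings.append("AzureWebJobsStorage: identity settings lack accountName/blobServiceUri")
    return findings

# Constructed sample settings; every name and value here is made up.
SAMPLE = {
    "API_KEY": "@Microsoft.KeyVault(VaultName=contoso-kv;SecretName=api-key)",
    "API_KEY_BY_URI": "@Microsoft.KeyVault(SecretUri=https://contoso-kv.vault.azure.net/secrets/api-key/)",
    "BROKEN_REF": "@Microsoft.KeyVault(SecretUri=http://contoso-kv.vault.azure.net/api-key)",
    "OLD_STORAGE": "DefaultEndpointsProtocol=https;AccountName=x;AccountKey=CONSTRUCTED==",
    "AzureWebJobsStorage__credential": "managedidentity",
}
```
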
