How to use Key Vault references for Azure Functions locally

Question

How to use Key Vault references for Azure Functions locally

Ahsan Habib 126

Hello Everyone !!!

So Key Vault reference is a great feature. However, Is it possible to use this while I run my app locally? or I can say Is it possible to use @Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret) locally?

If not, then I have to use the Key Vault SDK I believe. In that case, my question is, how to access and update the Connection Property ( for example, [EventHubOutput("my-eh", Connection = "EventHubConnectionString")]) of the Azure Function Trigger/binding attribute with the value of a Azure Key vault secret?

Note: I am using Azure Function V4 Isolated Process

Bruno Lucas 4,436 Reputation points MVP

2022-04-26T09:49:14.78+00:00

Hi Ahsan,
Just checking to see if you managed to get the vault reference running? Can you also confirm if by "run my app locally" you mean debugging?

Regards,
Bruno

5 answers

Your answer

Bruno Lucas 4,436 Reputation points MVP

2022-04-26T09:49:14.78+00:00

Hi Ahsan,
Just checking to see if you managed to get the vault reference running? Can you also confirm if by "run my app locally" you mean debugging?

Regards,
Bruno

Answer 1

Bruno Lucas 4,436 MVP

Hi @Ahsan Habib ,

I added this to my git: https://github.com/blucas2016/TestVaultRefOnAZFunctionV4Isolated

try to clone and modify the value for "Hub1ConnString" to your vault's secret path

I've added that httptrigger just because makes it easier to debug and demo the parsing of the vault reference . as you see in the debug window the value is the conn string, not the vault ref

I'm running my vs 2022 as admin:

Sometimes it can be the firewall. But usually, firewall throws a specific error: https://brunolucas.blog/2022/02/27/code-and-test-azure-service-bus-and-azure-event-hub-triggers-locally/

Let me know if that works. if Doesn't, I'm happy to expand on what I've done with more details.

Oleksandr Kyselov 1 Reputation point

2022-08-19T11:24:28.877+00:00
Hi @Bruno Lucas !

I can't get my local.settings.json variable be resolved with value @Microsoft.KeyVault(SecretUri=https://xxx.vault.azure.net/secrets/Secret1/xxxxxxxxxxxx)

My visual studio is running on admin mode and logged in with the azure account that has all rights necessary.

That is my local.settings.json:

{ "IsEncrypted": false, "Values": { "AzureWebJobsStorage": "UseDevelopmentStorage=true", "FUNCTIONS_WORKER_RUNTIME": "dotnet-isolated", "ServiceBusQueueName": "xxxxx", "ServiceBusConnection__fullyQualifiedNamespace": "xxx.servicebus.windows.net", "AZURE_TENANT_ID": "@Microsoft.KeyVault(SecretUri=https://xxxx.vault.azure.net/secrets/Secret1/xxxxxxxxxxxxxxxxx)" } }

I'm using .net 6 lts isolated.

I've also pulled your solution from github and I get the same behavior .

Any ideas what it could be?

Edit: Formalities
Sacher, Wolf-Rüdiger 21 Reputation points

2023-07-25T09:29:44.0333333+00:00

Hi Bruno , great work! It helped me out of the box! Thank you very much!!!

Answer 2

Bruno Lucas 4,436 MVP

Hi @Oleksandr Kyselov
When you say "My visual studio is running on admin mode and logged in with the azure account that has all rights necessary.", do you mean you can se the user (you are using to login into VS) has a vault policy with permission to read secrets?
Look like you are adding the key along with the vault secret path:

note my example does not have that key/hash part:

try secrets/Secret1")

Oleksandr Kyselov 1 Reputation point

2022-08-22T07:12:44.547+00:00

Hello, referring to the user, yes, the same user that is logged in at Visual Studio is the one that has read secret permissions.

Previously I have already tried also without the key from the vault secret path.

Here shows a list of assigned permissions.

This keyvault has no security restriction as it's accessible from all networks.

I feel pretty frustrated that I can't achieve this approach as it would be great to maintain the perfect vision of my security approach.

Thank you for your help!
Bruno Lucas 4,436 Reputation points MVP

2022-08-23T11:22:58.92+00:00

Hi @Oleksandr Kyselov
That is not where you add permissions:

You need to go to "Access policies"
Oleksandr Kyselov 1 Reputation point

2022-08-23T11:28:49.213+00:00

Good point @Bruno Lucas , nevertheless I'm doing RBAC KeyVault approach based on the best practices of Microsoft KeyVault Guidelines.

Everything is going towards managed identities, system identities and role based access control in Azure.

I guess it's not achievable do to it in such way.

Answer 3

Bruno Lucas 4,436 MVP

Hi, by "run my app locally", do you mean debugging with Visual Studio?

You need to create a vault policy for the user account you use to run visual studio.

https://stackoverflow.com/questions/55027221/azure-functions-key-vault

Ahsan Habib 126 Reputation points

2022-04-26T13:44:31.193+00:00

Hi @Bruno Lucas I meant while running the App locally using Visual Studio or terminal. I have added the necessary access policy of the Managed Identity of the Function app and myself. It works fine in the cloud. But whenever I run this locally, I get error something like this:

Now can you confirm whether Key Vault references for Azure Functions support locally or not? I have not found anything in the doc discussing this !!!
Bruno Lucas 4,436 Reputation points MVP

2022-04-26T23:08:21.463+00:00

I definitely works when I use Visual Studio 2019 to debug. That error is not related to vault access. I see you are working with Event Hub. I use vault with hub and i can debug. will write another answer with all the steps I use but for now , some suggestions:
-try to use this notation instead : @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/) instead
-make sure you are signed in visual studio with the same account you have for the vault policy. I run VS as administrator
-just add somewhere on the beginning of the code simple line like var vaultTest = Environment.GetEnvironmentVariable("samplesecret") and add a break point. for "samplesecret", create a vault secret with a simple value like "test". the idea is to have the simplest way to access secret without using the value on something that could break with an unrelated error. you may want to create a httptrigger just for testing
@Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret)
-if you are in a dev environment, try to add more permissions to the policy (temporarily, to debug) to see if there is any missing permission

but based on the error above, may be picking a value that is not the azure hub connection string

Ahsan Habib 126

So after doing what you said, it jus printed the plain text of the URL/Key instead of the Secret value. I mean, this is my local.settings.json:

{  
    "IsEncrypted": false,  
    "Values": {  
        "AzureWebJobsStorage": "UseDevelopmentStorage=true",  
        "FUNCTIONS_WORKER_RUNTIME": "dotnet",  
        "MySecret":  "@Microsoft.KeyVault(SecretUri=https://<MyKeyvaultName>.vault.azure.net/secrets/MySecret/)",  
    }  
}

or in case of Isolated Process:

{  
    "IsEncrypted": false,  
    "Values": {  
        "AzureWebJobsStorage": "UseDevelopmentStorage=true",  
        "FUNCTIONS_WORKER_RUNTIME": "dotnet-isolated",  
        "MySecret":  "@Microsoft.KeyVault(SecretUri=https://<MyKeyvaultName>.vault.azure.net/secrets/MySecret/)",  
    }  
}

Now whenever I Print Environment.GetEnvironmentVariable("MySecret") I get then plain text:

@Microsoft.KeyVault(SecretUri=https://<MyKeyvaultName>.vault.azure.net/secrets/MySecret/)

Which means, the Runtime is not decoding it. I also have used without double. Then it prints nothing which means null
Is my local.settings.json is correct?

Bruno Lucas 4,436 Reputation points MVP

2022-04-27T12:27:57.48+00:00

yes, your sintax is correct. I tried this same sintax on a brand new project and now I have the same issue you have. I do have a azure function that does work (same sintax) on a older project but I can't tell the difference. It's either the VS studio emulator or some configuration.

I remember first time I tried this a while ago, it worked straight away.
But as you can see, there is no documentation clarifying this peculiar scenario. for something like a console app there is this approach:
https://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-net

I'll carry on trying to see what is different on this function I can debug and retrieve vault values with the reference sintax.
Bruno Lucas 4,436 Reputation points MVP

2022-04-27T23:09:30.347+00:00

Hi Ahsan, I managed to get this working. with multiple versions of azure function including v4 isolated.
All the suggestions I've done are valid but for some reason yesterday when i created a new function , new vault, didn't work straight away. may be some azure latency to commit all the security settings. I will add my demo code to a github later and send to you. could be many things. but you are right on no documentation on that. I have only found forum questions but nothing specifically on debugging vault references. I can only tell it's definitely possible. From what I can see your code looks correct. I'll send you my through git hub later and the detail list of steps I take
Bhavya Shah 25 Reputation points

2023-03-31T09:13:56.42+00:00

Hello @Anonymous

This is not working.

I created a Function App in VS 2022, Dotnet 6, dotnet-isolated Function Runtime, created a secret in the KV, gave appropriate permissions to my account, ran VS 2022 as admin, logged in with same user who has permission to the KV to read secrets.

It just prints the same string as in local.setting.json, not the secret value which is stored in the KV.

E.g. @Microsft.KeyVault(SecretUri="https://mykv.vault.net/secrets/mySecret")
Bhavya Shah 25 Reputation points

2023-06-09T06:57:36.2433333+00:00

Hello Bruno,

I was able to solve this. Issue was that while running on Azure VM, it carries the VMs Managed Identity instead of Visual Studio Identity. Disabling VMs Managed Identity made this work.

Answer 4

Sacher, Wolf-Rüdiger 21

Hi @Ahsan Habib , great work! It helped me out of the box! Thank you very much!!!

Answer 5

Viacheslav Vodianov 0

Had similar issue with non-isolated azure functions app, found solution that I haven't seen in the internet before: added Azure.Identity package over Nuget and it suddenly started to turn references into values.

Share via

How to use Key Vault references for Azure Functions locally

5 answers

Your answer