Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,451 questions
Azure Function App failing to access the Key Vault Secrets
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 77%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Sumeetha Mogasati
126
Reputation points
Hi,
- Function App (Premium Plan) is whitelisted by adding the function app Subnet to the Key Vault network firewall.
- Within the Key Vault, the access policy is created with all (Secrets) permissions for the Function App to access Secrets stored within the Key Vault.
- During the publishing of the Function App, the configuration is done for the Key Vault, where the Key vault connection string is stored in the Function App - App Settings.
During the execution, Function App failed to access the Secrets stored within the Key Vault with the exception copied below.
Below is the copied source code used to access the secrets from the Function App.
public async Task<string> GetSecretValue(string keyvault, string strIdentifier)
{
string value = "";
AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secretBundle = await keyVaultClient.GetSecretAsync("https://" + strIdentifier + ".vault.azure.net/secrets/" + keyvault).ConfigureAwait(false);
value = secretBundle.Value;
Console.WriteLine(value);
return value;
}
Unfortunately, during the debugging process function app uses my identity, works as expected and throws no exceptions. After publishing the function app, the exception mentioned above is thrown, which is time-consuming to troubleshoot.
I would greatly appreciate any help. Thanks
Azure Key Vault
Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
5,929 questions
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 57.99999999999999%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBL%3C/text%3E%3C/svg%3E)
Bruno Lucas 4,436 Reputation points MVP2022-08-22T10:32:06.32+00:00 Regarding "Within the Key Vault, the access policy is created with all (Secrets) permissions for the Function App to access Secrets stored within the Key Vault.", how did you do that? Did you create a managed identity and granted permission to that
looking to your code I see you are using KeyVaultClient. Are you returning an array of secrets that are not really app settings? Did you consider using Key Vault references?
-
Sumeetha Mogasati 126 Reputation points
2022-08-22T13:25:20.48+00:00 Hi @Bruno Lucas
Thanks for your response.
System Assigned Identity is enabled for the Key Vault and Key Vault Access Policy was created using that identity ensuring that all Secret related permissions were selected.
Answering your query on code: 'Yep. An array of secrets are returned as per the requirement'. Please note that the Function App works great in debug mode where my personal identity is used to execute. After the deployment it is suffering from the odd permission / related issue.
-
Bruno Lucas 4,436 Reputation points MVP
2022-08-23T11:13:55.823+00:00 Hi @Sumeetha Mogasati
Sorry, I didn't have time today to properly check this, but a few ideas to consider on the meantimeI suspect the problem may be between this line :
var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
and making sure it returns the identity that has the azure vault policy. Running in debug mode will pick your login and you can assign a policy to your login. inside the azure function it may return something else
I know this code would make it easy to apply the policy to the "clientid":
https://blogs.aaddevsup.xyz/2021/01/getting-azure-key-vault-secret-with-azure-identity-and-azure-security-keyvault/Another place to look would be the vnet setup. Could try disable the vnet and allow all networks temporarily if you have a dev environment to see if change anything (and add back after checking)
-
MayankBargali-MSFT 70,941 Reputation points Moderator2022-08-30T09:13:27.843+00:00 @Sumeetha Mogasati Thanks for reaching out and apology for the inconvenience due to this issue. Can you please confirm if you are still facing the issue?
-
Sumeetha Mogasati 126 Reputation points
2022-08-31T07:51:16.763+00:00 Yes, the error still persists. Help appreciated.
Please note the attached exception stack here.
-
MayankBargali-MSFT 70,941 Reputation points Moderator
2022-09-05T05:32:01.333+00:00 @Sumeetha Mogasati Can you share more details on my private comment so I can assist you further
Sign in to comment
Sign in to answer