Azure Functions can pull secrets from Azure Key Vault, but the magic isn’t in the retrieval itself; it’s in how Key Vault integrates transparently with your Function App’s managed identity.
Let’s see this in action. Imagine you have a Key Vault secret named MyDatabasePassword. In your local.settings.json for local development, you’d have something like this:
```json
{
  "IsEncrypted": false,
  "Values": {
    "AzureWebJobsStorage": "UseDevelopmentStorage=true",
    "FUNCTIONS_WORKER_RUNTIME": "dotnet",
    "MyDatabasePassword": "MyLocalDevPassword"
  }
}
```
This is for local testing. When you deploy to Azure, you’ll remove this line from local.settings.json.
Now, in your Azure Function code (e.g., C#), you’d access this secret using the Microsoft.Azure.Functions.Extensions NuGet package and the IConfiguration interface.
```csharp
using System.Net;
using System.Threading.Tasks;
using Microsoft.Azure.Functions.Worker;
using Microsoft.Azure.Functions.Worker.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class GetSecretFunction
{
    private readonly IConfiguration _configuration;

    // IConfiguration is provided by the worker host via constructor injection.
    public GetSecretFunction(IConfiguration configuration)
    {
        _configuration = configuration;
    }

    [Function("GetSecret")]
    public async Task<HttpResponseData> Run(
        [HttpTrigger(AuthorizationLevel.Function, "get", "post")] HttpRequestData req)
    {
        // Access the secret as if it were a local setting.
        string? dbPassword = _configuration["MyDatabasePassword"];

        // A missing setting yields null; guard it so the function does not throw.
        if (string.IsNullOrEmpty(dbPassword))
        {
            var error = req.CreateResponse(HttpStatusCode.InternalServerError);
            await error.WriteStringAsync("MyDatabasePassword is not configured.");
            return error;
        }

        // Report only the length, never the secret value itself.
        var response = req.CreateResponse(HttpStatusCode.OK);
        await response.WriteStringAsync($"Retrieved password (length): {dbPassword.Length}");
        return response;
    }
}
```
The crucial part is how MyDatabasePassword gets populated in Azure.
First, you need to enable System Assigned Managed Identity for your Azure Function App. Go to your Function App in the Azure portal, navigate to "Identity" under "Settings," and turn "System assigned" to "On." Save it. This creates an identity for your Function App in Azure AD.
Next, go to your Azure Key Vault, navigate to "Access policies" under "Settings." Click "Create" or "Add Access Policy." Under "Secret permissions," select "Get." For "Select principal," search for your Function App’s name. Once found, select it and click "Add," then "Save." This grants your Function App’s managed identity permission to get secrets from this specific Key Vault.
Finally, you need to tell your Function App to use Key Vault for configuration. In your Function App’s "Configuration" under "Settings," add a new "Application setting." The key is AzureKeyVaultConfigurationOptions:Vault. The value should be the URI of your Key Vault (e.g., https://my-keyvault-name.vault.azure.net/).
Now, when your Function App starts, the Azure Functions runtime automatically uses the Function App’s managed identity to authenticate with Key Vault and retrieve any secrets that match the names of your application settings. The IConfiguration provider for Key Vault injects these secrets, making them appear as if they were defined directly in your local.settings.json (or application settings in Azure). You don’t need to write any explicit Key Vault SDK code to fetch the secret; the runtime handles it.
The system is designed to abstract away the direct SDK calls for common scenarios like this. By configuring the Key Vault URI and ensuring the managed identity has the correct permissions, the runtime takes over the authentication and retrieval process, seamlessly injecting secrets into your application’s configuration. This means your code remains cleaner, and sensitive information is managed centrally and securely in Key Vault, with access controlled by Azure AD.
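Because the secret is injected as ordinary configuration, a misconfigured identity or missing access policy shows up as an absent or unusable setting rather than as an SDK exception. The following isolated-worker `Program.cs` is an added example (not code from the original post) that validates required settings once at startup and handles the failure case inside the function without ever echoing the secret. It assumes the Azure-side identity, access policy and application setting have been configured as described above; the `RequiredSettings` helper and the `@Microsoft.KeyVault(` check (which applies only if you use the app-setting Key Vault reference syntax, where an unresolved reference leaves the raw reference text in the value) are my additions.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Threading.Tasks;
using Microsoft.Azure.Functions.Worker;
using Microsoft.Azure.Functions.Worker.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;

// Program.cs for the isolated worker model. The generic host registers
// IConfiguration, so function classes can receive it through the constructor.
var host = new HostBuilder()
    .ConfigureFunctionsWorkerDefaults()
    .Build();

// Fail fast: if the managed identity or access policy is wrong, the secret
// never reaches configuration, and we want that visible at startup, not on
// the first request. (Added helper; "MyDatabasePassword" is the post's secret.)
var startupConfig = host.Services.GetRequiredService<IConfiguration>();
RequiredSettings.EnsurePresent(startupConfig, "MyDatabasePassword");

host.Run();

// Added helper, not part of the original post or the Functions SDK.
public static class RequiredSettings
{
    // A value is usable only if it is non-empty and is not an unresolved
    // Key Vault reference (assumption: this prefix appears only when the
    // app-setting reference syntax is used and resolution failed).
    public static bool IsUsable(string? value) =>
        !string.IsNullOrWhiteSpace(value)
        && !value.StartsWith("@Microsoft.KeyVault(", StringComparison.OrdinalIgnoreCase);

    public static void EnsurePresent(IConfiguration config, params string[] keys)
    {
        var missing = keys.Where(k => !IsUsable(config[k])).ToList();
        if (missing.Count > 0)
        {
            // Names only: never include the values in the exception message.
            throw new InvalidOperationException(
                $"Required settings missing or unresolved: {string.Join(", ", missing)}");
        }
    }
}

public class GetSecretFunction
{
    private readonly IConfiguration _configuration;
    private readonly ILogger<GetSecretFunction> _logger;

    public GetSecretFunction(IConfiguration configuration, ILogger<GetSecretFunction> logger)
    {
        _configuration = configuration;
        _logger = logger;
    }

    [Function("GetSecret")]
    public async Task<HttpResponseData> Run(
        [HttpTrigger(AuthorizationLevel.Function, "get")] HttpRequestData req)
    {
        string? dbPassword = _configuration["MyDatabasePassword"];

        if (!RequiredSettings.IsUsable(dbPassword))
        {
            // Log the condition, not the value, and return a generic error.
            _logger.LogError("MyDatabasePassword is not configured or was not resolved.");
            return req.CreateResponse(HttpStatusCode.InternalServerError);
        }

        // Use dbPassword here (e.g. to build a connection string); do not return it.
        var response = req.CreateResponse(HttpStatusCode.OK);
        await response.WriteStringAsync("Database secret is configured.");
        return response;
    }
}
```

Locally, `local.settings.json` supplies `MyDatabasePassword`, so the startup check passes; in Azure the same check fails loudly if the managed identity is off or lacks the Get secret permission, which is easier to diagnose than a null reference on the first request.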
The next step is understanding how to manage different versions of secrets or how to use Key Vault references within other Azure services, like App Configuration.