Azure Functions can authenticate to other Azure services without needing to manage credentials in code, thanks to Managed Identity Bindings.

Let’s see this in action. Imagine an Azure Function that needs to read a secret from an Azure Key Vault.

First, we need to enable a System-assigned Managed Identity for our Azure Function. In the Azure portal, navigate to your Function App, then under "Settings," select "Identity." Choose "System assigned" and click "Save." This registers an identity for your Function App in Azure Active Directory.

Next, we grant this identity permissions to access the Key Vault. Go to your Key Vault, navigate to "Access policies," and click "+ Create." Select "Key" and "Secret" permissions (or whatever is needed for your specific scenario). In the principal selection, search for your Function App’s name and select it. Click "Add" and then "Save."

Now, in your Function App’s function.json file, you define the binding. For a Key Vault secret, it would look something like this:

{
  "scriptFile": "__init__.py",
  "bindings": [
    {
      "name": "req",
      "type": "httpTrigger",
      "direction": "in",
      "authLevel": "function",
      "methods": [
        "get",
        "post"
      ]
    },
    {
      "name": "res",
      "type": "http",
      "direction": "out"
    },
    {
      "name": "mySecret",
      "type": "keyVault",
      "direction": "in",
      "secretName": "my-application-secret",
      "vaultName": "my-key-vault-name",
      "identity": "system"
    }
  ]
}

Setting "identity": "system" tells the binding to use the Function App’s system-assigned managed identity. The secretName and vaultName properties point to the specific secret you want to retrieve.

In your Python function code, you can then access the secret directly:

import logging
import azure.functions as func

def main(req: func.HttpRequest, mySecret: str) -> func.HttpResponse:
    logging.info('Python HTTP trigger function processed a request.')

    # mySecret has already been resolved to the secret's value by the binding.
    # Use it (for example as an API key or database password), but never write
    # the value itself to the log; record only that it was received.
    secret_value = mySecret
    logging.info("Secret retrieved from the Key Vault binding.")

    return func.HttpResponse(
        "Secret retrieved successfully!",
        status_code=200
    )

When the function runs, the Azure Functions host automatically acquires a token on behalf of the Function App’s managed identity and uses it to authenticate with Key Vault. The secret is then injected directly into your function’s parameters. This eliminates the need to store Key Vault URIs or secrets in application settings or code, significantly improving security.

The identity property in the binding can also be set to user if you’re using a User-assigned Managed Identity. This is useful when you need to share a single identity across multiple Function Apps or when you want more granular control over the identity’s lifecycle. When using a User-assigned identity, you’ll need to specify the identityId property in your function.json with the resource ID of the user-assigned managed identity.

The primary advantage is the elimination of credential management. Instead of dealing with connection strings, API keys, or certificate thumbprints, you’re simply declaring that your function needs to access a resource, and the platform handles the secure authentication. This is particularly powerful for scenarios where your function interacts with multiple Azure services, such as Azure Blob Storage, Azure Cosmos DB, or Azure Service Bus. The bindings abstract away the underlying authentication protocols (like OAuth 2.0) and token acquisition, making your code cleaner and more secure.

What most people don’t realize is that the keyVault binding parameter vaultName can actually be the full Key Vault URI (e.g., https://my-key-vault-name.vault.azure.net/) instead of just the name. This can be helpful if you have multiple Key Vaults in different regions and want to be explicit about which one you’re targeting, or if you’re migrating your Key Vault.
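Both of these rules (vaultName as a bare name or a full vault URI, and identityId required when identity is user) are easy to get wrong in a hand-edited function.json, so here is an added Python pre-deploy check that is not code from the original page or from Azure Functions itself. It assumes the keyVault binding layout described above, the public-cloud vault.azure.net DNS suffix, and that identityId is the ARM resource ID of a user-assigned identity; the sample function.json it runs against is constructed for the example.

```python
import json
import re
from urllib.parse import urlparse

# Key Vault names: 3-24 chars, letters/digits/hyphens, start with a letter, end alphanumeric.
VAULT_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$")
VAULT_DNS_SUFFIX = ".vault.azure.net"  # assumption: public Azure cloud; sovereign clouds differ
USER_MI_MARKER = "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/"  # assumption

def resolve_vault_uri(vault_name: str) -> str:
    """Accept a bare vault name or a full vault URI and return the canonical vault URI."""
    if vault_name.lower().startswith("https://"):
        host = urlparse(vault_name).hostname or ""
        if not host.endswith(VAULT_DNS_SUFFIX) or not VAULT_NAME_RE.match(host[:-len(VAULT_DNS_SUFFIX)]):
            raise ValueError(f"not a Key Vault URI: {vault_name}")  # refuse look-alike hosts
        return f"https://{host}/"
    if not VAULT_NAME_RE.match(vault_name) or "--" in vault_name:
        raise ValueError(f"not a valid Key Vault name: {vault_name}")
    return f"https://{vault_name.lower()}{VAULT_DNS_SUFFIX}/"

def check_keyvault_bindings(function_json: str) -> list[str]:
    """Return findings for every keyVault binding; an empty list means all are well-formed."""
    findings = []
    for b in json.loads(function_json).get("bindings", []):
        if b.get("type") != "keyVault":
            continue
        name = b.get("name", "<unnamed>")
        if b.get("direction") != "in":
            findings.append(f"{name}: keyVault bindings are input-only, got direction={b.get('direction')!r}")
        if not b.get("secretName"):
            findings.append(f"{name}: secretName is required")
        try:
            resolve_vault_uri(b.get("vaultName", ""))
        except ValueError as exc:
            findings.append(f"{name}: {exc}")
        identity = b.get("identity")
        if identity == "user":
            rid = b.get("identityId", "")
            if not (rid.startswith("/subscriptions/") and USER_MI_MARKER in rid):
                findings.append(f"{name}: identity=user needs identityId set to the user-assigned identity's resource ID")
        elif identity != "system":
            findings.append(f"{name}: identity must be 'system' or 'user', got {identity!r}")
    return findings

# Constructed sample: the binding from above plus a user-assigned variant that omits identityId.
SAMPLE_FUNCTION_JSON = json.dumps({"bindings": [
    {"name": "mySecret", "type": "keyVault", "direction": "in", "secretName": "my-application-secret",
     "vaultName": "my-key-vault-name", "identity": "system"},
    {"name": "otherSecret", "type": "keyVault", "direction": "in", "secretName": "db-password",
     "vaultName": "https://my-key-vault-name.vault.azure.net/", "identity": "user"}]})
```

Running check_keyvault_bindings(SAMPLE_FUNCTION_JSON) in a CI step before func azure functionapp publish catches the missing identityId on otherSecret while accepting the URI form of vaultName.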

The next step in securing your Azure Functions is to explore how to use managed identities for outbound calls to custom APIs that support Azure AD authentication.
