
I have set up a separate test environment to try to retrieve app secrets from Azure Key Vault. The @Microsoft.KeyVault(...) reference in Application Settings is not resolving to either the secret or the text of the reference when the test function is run to return environment variables.

Following this documentation to create an app service and authenticate it against the key vault, I have created a managed identity for my function, added that to AAD, created a specific access policy for this managed identity with the Get Secret scope in my key vault, and tried both with/without enabling the Read scope with the application as a user.

Running the diagnostic tool to resolve function app application setting references yields no errors. Entering the application setting as either

@Microsoft.KeyVault(SecretUri=SecretUri)

or

@Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret;SecretVersion={version})

does not appear to change anything. I've waited up to half an hour for changes in settings to replicate across Azure and to ensure that the changes I've made are persistent.

Here is my function app to return environment variables (written in python):

import json
import logging
import os
import azure.functions as func


def main(req: func.HttpRequest) -> func.HttpResponse:
    logging.info('Python HTTP trigger function processed a request.')

    try:
        # Return only the one setting if the platform exposed it.
        name = {"CLIENTID": os.environ["CLIENTID"]}
    except KeyError:
        # Fall back to every environment variable so a renamed or
        # differently-cased setting still shows up in the output.
        name = dict(os.environ)

    if name:
        return func.HttpResponse("Params\n{}".format(json.dumps(name, sort_keys=True, indent=4)))
    else:
        return func.HttpResponse(
            "Please pass a name on the query string or in the request body",
            status_code=400
        )

I expected to be able to pull the environment variable CLIENTID. Instead, grabbing that variable fails and all environment variables are returned. I return all environment variables on purpose if I cannot return the singular variable since I wanted to make sure I captured it if the variable was renamed or there was a typing/case sensitivity issue.

HelpfulHound
1 Answer

I have the same issue as you. I enabled MSI for my function and granted all permissions in the Key Vault access policy, but it denied my access: [screenshots]

I removed the "CLIENTID" item in appsettings, saved the update, created the "CLIENTID" item again, and saved the update. Once the appsettings have been updated successfully, click the edit button and you can see its state is "solved": [screenshot] Test result: [screenshot] Hope it helps.

Stanley Gong
  • Thank you for looking into this. However, my references are showing as "Resolved" and my function app is still failing to return CLIENTID. All environment variables are returned. Beyond changing req=None to the standard req=func.HttpRequest, has anything changed from my implementation to yours? What packages are in your requirements.txt? I'm worried I may be missing a key management package or something. – HelpfulHound Sep 26 '19 at 14:21
  • You're welcome. It is really odd that your function can resolve the secret from Key Vault but cannot return it... I just copied and pasted your code, published it to my function, and it works perfectly for me. All I have done here is: create a Key Vault and an app-based Python function => enable MSI for my function and configure an access policy for this MSI in Key Vault => configure "CLIENTID" in Key Vault and save it to the function appsettings => publish your code from my local machine. Then everything works for me. I have not imported additional packages; my requirements.txt is empty... – Stanley Gong Sep 27 '19 at 01:49
  • It seems all you can do is check the existence of the "CLIENTID" key in your appsettings, or follow my steps to create a new function and try again... – Stanley Gong Sep 27 '19 at 01:50
  • I will be taking a closer look at my environment this coming week. Thank you for the help! Marked as answer. – HelpfulHound Sep 29 '19 at 15:19
  • Can I ask you: how or where do you see the "Key Vault reference details"? Are they shown directly below the add / edit application settings? – Felice Anno Mar 02 '20 at 14:40
  • Hi @FeliceAnno, yes, you are right. When you click the edit button, you can see it. – Stanley Gong Mar 02 '20 at 14:45
  • @StanleyGong I noticed it only shows up when you use a system-assigned identity (I was using a user-assigned identity). Thank you! – Felice Anno Mar 02 '20 at 15:09