
I want my Azure Functions to use the connection string that is stored in Azure Key Vault, not the one from application settings in the Azure portal.

I have stored the secret in the Azure portal and am fetching it using the code below in the Startup.cs file, but it is not working.

Below is the code I have tried:

Startup.cs

    public override void Configure(IFunctionsHostBuilder builder)
    {
        // Reading connection string from app settings, (but I don't want this method)
        // var configuration = Environment.GetEnvironmentVariable("SQL:ConnectionString");

        var configuration = AzureKeyVault.GetSecretKey();

        builder.Services.AddHttpClient();

        Server.Module.Load(builder.Services, configuration);
    }

AzureKeyVault Class

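    using System;
    using System.Threading.Tasks;
    using Microsoft.Azure.KeyVault;
    using Microsoft.Azure.Services.AppAuthentication;

    public class AzureKeyVault
    {
        public static String GetSecretKey()
        {
            // Obtains a token for the current identity (developer credentials locally, managed identity in Azure)
            var azureServiceTokenProvider = new AzureServiceTokenProvider();
            var keyVault = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
            // Blocks on the async call; throws if the identity has no access to the vault
            var secretKey = Task.Run(async () => await keyVault.GetSecretAsync("https://somesecreturl.azure.net/", "mysecretkeyname")).Result;
            var connectionString = secretKey.Value;
            return connectionString;
        }
    }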

The above code works fine locally, but after deploying, it is not picking up the connection string from Azure Key Vault (for which I have written code), and I am getting the error "Function host is not running".

When I add the connection string in application settings, the function app works fine with Environment.GetEnvironmentVariable("SQL:ConnectionString").

I am a newbie in Azure. Are Azure Functions designed in a way that they can read the connection string only from application settings?

Any help would be highly appreciated. Thanks!

1 Answer


Key Vault Access

Since it is working for you locally (I assume the local instance of the function uses your AZ CLI identity with your account that has access to Key Vault, because you have added that secret beforehand), I believe your issue might be connected with granting Key Vault Access for your Function App. Please make sure you have granted the access as described here: https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references?tabs=azure-cli#granting-your-app-access-to-key-vault.

Key Vault References

If my assumption is correct and you are trying to hide the secret in Key Vault rather than storing it as plain-text in App Settings, you can always insert a reference like:

@Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret)

as your application setting, and then you will be able to read it in your application just as if it were a regular environment variable:

var configuration = Environment.GetEnvironmentVariable("SQL:ConnectionString");

This will make your code much simpler and will allow you to decide in the future if you want to take configuration from another service (for example App Configuration Service) without any code changes to your app.

Note: using a reference will not fix your access issue; you need to fix that first anyway.
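
An added example, not code from the question or the answer: a startup check for the Key Vault reference approach above that fails with a clear message instead of handing a bad value to the SQL client. It assumes that an unresolved reference reaches the app as the literal `@Microsoft.KeyVault(...)` text; `ConnectionStringSetting`, `Validate` and `Read` are hypothetical names, and the sample values are constructed.

```csharp
using System;

// Hypothetical helper (not from the original post): validates an app setting
// that is expected to be backed by a Key Vault reference.
public static class ConnectionStringSetting
{
    private const string ReferencePrefix = "@Microsoft.KeyVault(";

    // Pure check, so it can be exercised without touching the environment.
    // The value itself is never put into the exception message, because in
    // the success path it is a secret.
    public static string Validate(string settingName, string value)
    {
        if (string.IsNullOrWhiteSpace(value))
            throw new InvalidOperationException(
                $"App setting '{settingName}' is missing or empty.");

        // Assumption: an unresolved reference arrives as the reference text itself.
        if (value.TrimStart().StartsWith(ReferencePrefix, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException(
                $"App setting '{settingName}' still holds an unresolved Key Vault reference. " +
                "Check the Function App's managed identity and its access to the vault.");

        return value;
    }

    // In Startup.Configure: var configuration = ConnectionStringSetting.Read("SQL:ConnectionString");
    public static string Read(string settingName) =>
        Validate(settingName, Environment.GetEnvironmentVariable(settingName));
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample values: a resolved secret, an unresolved reference, a missing setting.
        string[] samples =
        {
            "Server=tcp:example.invalid;Database=app;",
            "@Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret)",
            null
        };
        foreach (var sample in samples)
        {
            try { ConnectionStringSetting.Validate("SQL:ConnectionString", sample); Console.WriteLine("ok"); }
            catch (InvalidOperationException ex) { Console.WriteLine(ex.Message); }
        }
    }
}
```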