3

I have a Function App with Managed service identity (MSI) enabled.

I'm trying to use this Function App to access a secret from my Key Vault.

I have added the code into my Function App to retrieve the secret.

AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();

var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

var secret = await keyVaultClient.GetSecretAsync("https://test-prototype-vault.vault.azure.net/secrets/batman/guidhere").ConfigureAwait(false);

I receive the following error:

Microsoft.Azure.WebJobs.Script: One or more errors occurred. Microsoft.Azure.KeyVault: Access denied.

I think this is because I need to (as described in the link above).

You may need to configure the target resource to allow access from your application. For example, if you request a token to Key Vault, you need to make sure you have added an access policy that includes your application's identity.

I don't know how to do that. I have gone to my Key Vault and tried to add an Access Policy - I can't find the application to Select Principle option.

Setup of Azure Function.

enter image description here

What happens when I try to add the principal.

enter image description here

James Wood
  • 17,286
  • 4
  • 46
  • 89

1 Answers1

4

This blog has details but you need to go into key vault and give the function app access to secrets in a new access policy

https://medium.com/@jeffhollan/getting-key-vault-secrets-in-azure-functions-37620fd20a0b

The name of your function app should show in list of users

jeffhollan
  • 3,139
  • 15
  • 18
  • That's the bit I'm struggling with I think. I've added some images to my question so you can see. – James Wood Dec 18 '17 at 16:42
  • Hmmm the unknown error is strange but it is the right spot. Can you try in Incognito mode and see if a local cache issue? – jeffhollan Dec 18 '17 at 16:43
  • Same result, different error; "An error has occured. Please try again later" – James Wood Dec 18 '17 at 16:46
  • Hmm could also give permissions via CLI but you’d need to browse your Azure active directory first and get the application ID for the function app to use in the command. Not sure why you are seeing that error. https://learn.microsoft.com/en-us/azure/key-vault/key-vault-manage-with-cli#authorize-the-application-to-use-the-key-or-secret – jeffhollan Dec 18 '17 at 16:56
  • Should that application show under Azure AD > App Registrations? (It doesn't). – James Wood Dec 18 '17 at 17:00
  • Also, checked a different Azure, same result for same steps – James Wood Dec 18 '17 at 17:10
  • I don't want to say it's down at the minute, but we are seeing the same thing. I followed the same steps a few days ago and they worked – Josh Dec 18 '17 at 19:47
  • 1
    @JamesWood it should show up under Enterprise Applications (AKA Service Principals) – juunas Dec 18 '17 at 19:48
  • Mine don't show up in EA either. It's either an MSI bug or a portal bug. Assignment screen returns 500 error if you watch network traffic – Josh Dec 18 '17 at 20:04
  • Got it working. It appears under enterprise applications - had to set all filters to 'all'. Once I had the application Id I was able to use Azure CLI to setup the required settings. https://learn.microsoft.com/en-us/cli/azure/keyvault?view=azure-cli-latest#az_keyvault_set_policy – James Wood Dec 18 '17 at 22:31