KeyVault integration with Azure Functions (powershell runtime) not working

Question

I am trying to follow this https://azure.microsoft.com/en-us/blog/simplifying-security-for-serverless-and-web-apps-with-azure-functions-and-app-service/ to securely get my secret from my key-vault when using azure functions.

My key vault has an access policy that allows getting secrets by the SYSTEM MANAGED IDENTITY of the functions app.

Here's the relevant app setting as shown in the advanced editor (does not matter if slotSetting is true or false, already tried it. Not sure what it does btw)

{
    "name": "ultrasecret",
    "value": "@Microsoft.KeyVault(SecretUri=https://<vault-name>.vault.azure.net/secrets/<secret-name>/<version>)",
    "slotSetting": true
}

Here's the scaffolded version of my one and only function, have a look at the IF block below to see me querying the key-vault, indirectly via the environment variable that exposes the key vault secret.

using namespace System.Net

# Input bindings are passed in via param block.
param($Request, $TriggerMetadata)

# Write to the Azure Functions log stream.
Write-Host "PowerShell HTTP trigger function processed a request."

# Interact with query parameters or the body of the request.
$name = $Request.Query.Name
if (-not $name) {
    $name = $Request.Body.Name
}

if ($name) {
    $status = [HttpStatusCode]::OK
    $secret = $env:ultrasecret
    $body = "Hello $name $secret"
}
else {
    $status = [HttpStatusCode]::BadRequest
    $body = "Please pass a name on the query string or in the request body."
}

# Associate values to output bindings by calling 'Push-OutputBinding'.
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode = $status
    Body = $body
})

When I make a GET request to

https://<function-app-name>.azurewebsites.net/api/HttpTrigger1?name=john

this is what is returned

Hello john @Microsoft.KeyVault(SecretUri=https://<vault-name>.vault.azure.net/secrets/<secret-name>/<version>)

So basically I am returning the literal setting's value, instead of the secret. Is this because Powershell support is in preview? Anyone else got it working?

Any help is greatly appreciated.

Answer 1

If you want to access key vault secret in Azure Function, you have two choices.

• Set it as environment variables

If you want to set Azure Key vault secret as environment variables, you can complete it with Azure CLI. For more details, please refer to https://learn.microsoft.com/en-us/azure/azure-functions/functions-how-to-use-azure-function-app-settings.

az functionapp config appsettings set -n testfun08 -g testfun07 --settings "Secret1=@Microsoft.KeyVault(SecretUri=<$secretId>)"

• Use Azure key Vault REST API

If you want to get the value of your Azure key vault with Azure Key Vault REST API please follow the detailed steps as below.

1. Configure MSI
2. Configure Azure Key Vault access policy

    Connect-AzAccount

    $app=Get-AzADServicePrincipal -DisplayName "your function app name"

    Set-AzKeyVaultAccessPolicy -VaultName "your key vault name" -ResourceGroupName "your group name" -ObjectId $app.Id -PermissionsToSecrets list, get

3. Code

using namespace System.Net

# Input bindings are passed in via param block.
param($Request, $TriggerMetadata)

# Write to the Azure Functions log stream.
Write-Host "PowerShell HTTP trigger function processed a request."

# Interact with query parameters or the body of the request.
$name = $Request.Query.Name
if (-not $name) {
    $name = $Request.Body.Name
}

if ($name) {
# get access token with MSI. For more details, please refer to https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity#rest-protocol-examples
    $tokenAuthURI = $Env:MSI_ENDPOINT +"?resource=https://vault.azure.net&api-version=2017-09-01"
   $tokenResponse = Invoke-RestMethod -Method Get -Headers @{"Secret"="$env:MSI_SECRET"} -Uri $tokenAuthURI
$accessToken = $tokenResponse.access_token
# get secret value
$headers = @{ 'Authorization' = "Bearer $accessToken" }
$queryUrl = "the url of secret" + "?api-version=7.0"

$keyResponse = Invoke-RestMethod -Method GET -Uri $queryUrl -Headers $headers
$value= $keyResponse.value
Write-Host "$vaule"  
    $status = [HttpStatusCode]::OK
    $body = "Hello $name $value"
}
else {
    $status = [HttpStatusCode]::BadRequest
    $body = "Please pass a name on the query string or in the request body."
}

# Associate values to output bindings by calling 'Push-OutputBinding'.
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
    StatusCode = $status
    Body = $body
})

For more details, please refer to Key Vault returns 401 with access token (MSI PowerShell Function App)

Update

How to check if we set app settings successfully via Kudu

Answer 2

I had the same error on code similar to yours, and I found resolving a permission error took care of the problem.

Under Platform features --> Configuration look at the source column for your setting and check if it is valid. You can edit the item to get a detailed error message for the entry.

Valid

Error

In my case the function app did not have permission to access the key vault.

Using the Azure portal open the function app blade

1. Select the Platform features tab.
2. Select Identity.
3. Within the System assigned tab, switch Status to On.
4. Click Save.
5. Copy the Object ID to the clipboard.

Navigate to the key vault

1. select Access policies.
2. Add Access Policy
3. Under secrets, select GET, LIST.
4. Under select principal, paste the Object ID.
5. Select your function app name.
6. Click Add.
7. Click save.

Return to your function app and verify the reference is valid under Platform features --> Configuration.

See: Adding a system-assigned identity