
I am able to read Key Vault secrets through the Azure Function managed identity using the URI below.

@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/)

I have provided Get and Set secrets access to the FA managed identity using a Key Vault access policy.

How can I update secrets in Key Vault making use of Managed Identity? I am developing a FunctionApp in C# using Visual Studio.

  • What is the error you are getting? Please post the [Minimal and Reproducible](https://stackoverflow.com/help/minimal-reproducible-example) code. – user1672994 Aug 04 '21 at 04:42
  • I can't find any way to perform this; I was able to read by following this content: https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references#reference-syntax – Santosh Jindal Aug 04 '21 at 07:54
  • The example you have put in your question is for binding the application setting with Key Vault. If you need a feature to update the Key Vault, then look at using `KeyVaultClient` --- https://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-net – user1672994 Aug 04 '21 at 12:05
  • Thanks! But to avoid storing Key Vault credentials in my configuration, I want to use Managed Identity, hence I am looking for a solution to Get and Set secrets in Key Vault. – Santosh Jindal Aug 04 '21 at 13:43
  • According to this, the secret cannot be updated. Makes sense I suppose, in case something else is relying on that secret: https://stackoverflow.com/questions/48907912/azure-key-vault-how-to-update-the-secrets – codebrane Aug 04 '21 at 14:57
  • You add a new version of the secret in Key Vault that contains the updated information, and it becomes the default version. That previous post is misleading. – Matt Small Aug 04 '21 at 15:13
  • @SantoshJindal - `KeyVaultClient` or `SecretClient` supports the Managed Id credential. Check [this](https://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-net#authenticate-and-create-a-client) – user1672994 Aug 05 '21 at 04:37

1 Answer

Use the Secrets SDK at this location: https://learn.microsoft.com/en-us/azure/key-vault/secrets

You can create a secrets client, and use the SetSecret API.

Here's a very rudimentary example I wrote using Node.js: https://github.com/udayxhegde/keyvault_managedid_node

You can do something similar with .NET & C# with roughly these lines of code.

using System;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// In the snippet below, kvUri is your Key Vault URI, e.g. https://myvault.vault.azure.net/
// clientId is the client id of your user-assigned managed identity
// (omit the argument for a system-assigned identity)
var client = new SecretClient(new Uri(kvUri), new ManagedIdentityCredential(clientId));
// SetSecretAsync adds a new version of the secret; that version becomes the current one
await client.SetSecretAsync(secretName, secretValue);
– udayxhegde
  • Thanks @udayxhedge. This works when I deploy it on the FunctionApp. Any suggestions on how to debug it locally? Also, what is the difference if I use SecretClient client = new SecretClient(new Uri(uri), new DefaultAzureCredential()) – Santosh Jindal Aug 05 '21 at 00:57
  • You can use DefaultAzureCredential() as well. If you are using a SystemAssigned ManagedIdentity, you don't need to pass the client_id. The DefaultAzureCredential should also help you with debugging locally, since it will try several other credential options, and the AzureCliCredential or VisualStudioCodeCredential are 2 good options for local debugging. Take a look at the updated code in the GitHub repo link above; I updated it to show an example of ChainedTokenCredential to help with local debugging, which is another option for you. – udayxhegde Aug 05 '21 at 04:31
  • Performance is a big issue. Do you know how to overcome that? – Santosh Jindal Oct 01 '21 at 16:41
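Putting the answer and its comment thread together as one added example (my code, not the answerer's snippet or the linked repo): an in-process C# Azure Function that builds a single SecretClient once per host instance instead of per invocation, authenticates with a ChainedTokenCredential so the same code runs under the Function's managed identity in Azure and under `az login` locally, and writes a new secret version. The KEY_VAULT_URI app setting, the route and the function name are assumptions for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;

public static class RotateSecret
{
    // Created once and reused: SecretClient is thread-safe and the credential caches
    // its access token, so each invocation does not pay for a new client and token.
    private static readonly SecretClient Client = CreateClient();

    private static SecretClient CreateClient()
    {
        // Assumed app setting, e.g. https://myvault.vault.azure.net/
        string kvUri = Environment.GetEnvironmentVariable("KEY_VAULT_URI")
            ?? throw new InvalidOperationException("KEY_VAULT_URI is not set");

        // In Azure the system-assigned managed identity is used; on a developer
        // machine that credential fails and the chain falls through to the Azure CLI login.
        TokenCredential credential = new ChainedTokenCredential(
            new ManagedIdentityCredential(),
            new AzureCliCredential());

        return new SecretClient(new Uri(kvUri), credential);
    }

    [FunctionName("RotateSecret")]
    public static async Task<IActionResult> Run(
        [HttpTrigger(AuthorizationLevel.Function, "post", Route = "secrets/{name}")] HttpRequest req,
        string name,
        ILogger log)
    {
        // The new value is generated here rather than accepted from the caller.
        string newValue = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));

        KeyVaultSecret previous = await Client.GetSecretAsync(name);
        // SetSecret does not overwrite: it adds a version, which becomes the current one.
        KeyVaultSecret updated = await Client.SetSecretAsync(name, newValue);

        log.LogInformation("Secret {Name}: version {Old} superseded by {New}",
            name, previous.Properties.Version, updated.Properties.Version);
        return new OkObjectResult(new { name, version = updated.Properties.Version });
    }
}
```

The identity needs both Get and Set secret permissions (or the equivalent RBAC role) for the GetSecretAsync/SetSecretAsync pair to succeed; the previous version remains readable by its version id until it is disabled or deleted.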