Key Vault Reference for Azure Function App Config not working properly

Question

I am using Terraform to provision Function App and have provided few app configs which are referencing Key Vault Keys. But when i try to reference : "AzureWebJobsStorage" & "AzureWebJobsDashboard", it doesn't pick the reference from KV and instead takes them as App Service Config. The other configs are taken from KV reference as shown in the screenshot. Any idea why this is not taken as a KV reference

My TF Code for the config for Func App is shown below :

app_settings = {
    "WEBSITE_DNS_SERVER"                    = "168.63.129.16"
    "WEBSITE_VNET_ROUTE_ALL"                = "1"
    "APPINSIGHTS_INSTRUMENTATIONKEY"        = format("@Microsoft.KeyVault(VaultName=%s;SecretName=appi-default-func-instrumentation-key)", module.key-vault.key_vault.self.name)
    "APPLICATIONINSIGHTS_CONNECTION_STRING" = format("@Microsoft.KeyVault(VaultName=%s;SecretName=appi-func-connection-string)", module.key-vault.key_vault.self.name)
    "WEBSITE_ENABLE_SYNC_UPDATE_SITE"       = "true"
    "WEBSITE_RUN_FROM_PACKAGE"              = "1"
    "AzureWebJobsStorage"                   = format("@Microsoft.KeyVault(VaultName=%s;SecretName=StorageAccount-FunctionApp-ConnectionString-PrimaryKey)", module.key-vault.key_vault.self.name)
    "AzureWebJobsDashboard"                 = format("@Microsoft.KeyVault(VaultName=%s;SecretName=StorageAccount-FunctionApp-ConnectionString-PrimaryKey)", module.key-vault.key_vault.self.name)
    "applicationStorage"                    = format("@Microsoft.KeyVault(VaultName=%s;SecretName=StorageAccount-FunctionApp-ConnectionString-PrimaryKey)", module.key-vault.key_vault.self.name)
    "Func-App-ID"                           = format("@Microsoft.KeyVault(VaultName=%s;SecretName=Function-App-ID)", module.key-vault.key_vault.self.name)
    "Func-App-Secret"                       = format("@Microsoft.KeyVault(VaultName=%s;SecretName=Function-App-Secret)", module.key-vault.key_vault.self.name)

  }

The screenshot from my Function App Configuration is attached also

Does this answer your question? [Can Azure Key Vault be used with Functions to store the connection string for queue triggers?](https://stackoverflow.com/questions/59956664/can-azure-key-vault-be-used-with-functions-to-store-the-connection-string-for-qu) — Vova Bilyachat, Feb 23 '22 at 00:13
Can you check whether the values of AzureWebJobsDashboard and AzureWebJobsStorage referencing directly the connection string? If so, can you change them to key vault secret and check if the source changes to key vault reference — RamaraoAdapa, Feb 23 '22 at 08:05
@RamaraoAdapa-MT What i have noticed is if i put the reference as format("@Microsoft.KeyVault(VaultName=%s;SecretName=StorageAccount-FunctionApp-PrimaryKey)", module.key-vault.key_vault.self.name), it takes the entire connection string , but shows as "App Service Config". If i put : format("@Microsoft.KeyVault(VaultName=%s;SecretName=StorageAccount-FunctionApp-ConnectionString-PrimaryKey)", module.key-vault.key_vault.self.name) , it shows the same output as the other one with App Service Config — Pallab, Feb 23 '22 at 14:58
Both of them shows in the app config like this : DefaultEndpointsProtocol=https;AccountName=storageaccountname;AccountKey=storageaccountkey;EndpointSuffix=core.windows.net — Pallab, Feb 23 '22 at 14:59
Have you tried to change the values to format("@Microsoft.KeyVault(VaultName=KeyVaultName;SecretName=StorageAccount-FunctionApp-PrimaryKey)") in the Azure Portal — RamaraoAdapa, Feb 24 '22 at 05:47

score 0 · Accepted Answer · answered Feb 24 '22 at 06:58

The Azure Functions runtime uses the AzureWebJobsStorage connection string to create internal queues

When Application Insights is not enabled, the runtime uses the AzureWebJobsDashboard connection string to log to Azure Table storage and power the Monitor tab in the portal

AzureWebJobsStorage and AzureWebJobsDashboard are created in the Application Settings by default while creating the Azure Function App

So, these are created as App Service Config as Source

After the creation of Function App, you can edit the values of AzureWebJobsStorage and AzureWebJobsDashboard as key vault secrets

Then the values will be changed with Key Vault Reference as Source

Yes you are right. I have edited the settings from the portal and now it is showing KV reference for both the values, WebJobsStorage and WebJobsDashboard. Thanks for that. Appreciate your help — Pallab, Feb 24 '22 at 16:20

Key Vault Reference for Azure Function App Config not working properly

1 Answers1