This is just a follow-up on this post: https://azure.microsoft.com/en-us/blog/simplifying-security-for-serverless-and-web-apps-with-azure-functions-and-app-service/ with a bit more clarification on the roles and access policies required in Key Vault to make this work.

To enable an Azure Function to access secrets in Key Vault you have to do the following:

  1. Create a system-assigned managed identity for the Function. Go to Platform Features in your Function, select Identity and enable the system-assigned identity – remember to click Save!
  2. Give the “Managed Applications Reader” role to the managed identity of the Function.
     1. Go to the Key Vault, click on “Access control (IAM)” in the menu and click on “Role assignments”.
     2. If you want to see existing Apps/Functions that already have assignments, select “App Services or Function Apps” from the Type drop-down menu.
     3. Click on Add and select “Managed Applications Reader” from the Role drop-down menu.
     4. Type in the name of your Function and select it from the menu – make sure you select the actual identity of the Function – see the icon in the screenshot below.
     5. Click on Save.
     [Screenshot: Adding roles to KeyVault]
  3. Assign at least the “Get” secret permission, as an access policy, to the service principal of the managed identity.
     1. Click on “Access policies” in the Key Vault menu.
     2. Click on Add, click on the “Select principal” fly-out menu and type in the name of your Function.
     3. This time it is the service principal we want to select – click on it and click on Select.
     4. From the “Secret permissions” drop-down menu select at least the “Get” permission.
     5. Click on OK.
     [Screenshot: Adding policies to KeyVault]

You’re done, and you should now be able to reference secrets from your Key Vault in the application settings of your Function.
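The same three steps as an Azure CLI script, added here as an example (it is not from the original post or the linked Azure blog); it also sets the Key Vault reference app setting that lets the Function read the secret. Resource names are placeholders, and it assumes you are logged in with `az login` and that the vault uses the access-policy permission model described above.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the three portal steps above
# done with the Azure CLI, plus a Key Vault reference app setting.
# All resource names are placeholders supplied on the command line.
set -euo pipefail

# Builds the Key Vault reference value used in a Function app setting.
keyvault_reference() {
  local vault="$1" secret="$2"
  printf '@Microsoft.KeyVault(SecretUri=https://%s.vault.azure.net/secrets/%s/)' \
    "$vault" "$secret"
}

grant_function_access() {
  local rg="$1" app="$2" vault="$3" secret="$4" setting="$5"

  # Step 1: system-assigned managed identity; capture its object (principal) id.
  local principal_id
  principal_id="$(az functionapp identity assign \
    --name "$app" --resource-group "$rg" --query principalId -o tsv)"

  # Step 2: "Managed Applications Reader" role on the vault, assigned to the
  # identity's object id (the identity itself, not a user or group).
  local vault_id
  vault_id="$(az keyvault show --name "$vault" --query id -o tsv)"
  az role assignment create --role "Managed Applications Reader" \
    --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal --scope "$vault_id" >/dev/null

  # Step 3: access policy with only the Get secret permission (least privilege).
  az keyvault set-policy --name "$vault" --object-id "$principal_id" \
    --secret-permissions get >/dev/null

  # Finally, expose the secret to the Function as a Key Vault reference.
  az functionapp config appsettings set --name "$app" --resource-group "$rg" \
    --settings "$setting=$(keyvault_reference "$vault" "$secret")" >/dev/null
  echo "Granted $app (identity $principal_id) Get on $vault/$secret"
}

# Usage: ./grant.sh <resource-group> <function-app> <vault> <secret> <setting-name>
if [ "$#" -eq 5 ]; then
  grant_function_access "$@"
fi
```

Key Vault references are resolved by the platform at startup, so after the last step the Function reads the secret value from the app setting without any Key Vault SDK code.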