MSINotEnabled - Can't use KeyVault Reference in Azure Function

I'm trying to use a User Assigned Managed Identity to retrieve access in a KeyVault reference in an Azure Function.

I'm following this doc https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references?tabs=azure-cli#:~:text=you%20haven%27t%20already.-,Configure,-the%20app%20to to reference the keyvault in the application configuration.

I followed these steps:

  1. Created a User Assigned Managed Identity.

  2. Created a policy in Keyvault and gave permissions GET and LIST to the User Assigned Managed Identity.

  3. Set the User Assigned Managed Identity in the Azure Function Identity.

  4. Set the application setting properties like this:

  • mysecureapp - @Microsoft.KeyVault(SecretUri=https://mykv.vault.azure.net/secrets/mysecret/id)
  • keyVaultReferenceIdentity - /subscriptions/subsid/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mgid

Any thoughts on this?

Magno Oliveira asked Dec 18 '25 15:12


2 Answers

Wow!

I was also searching for the same topic for user identity and had the same issue. I just followed the marked answer, it worked and I was able to retrieve the value.

Thanks @Magno Oliveira for bringing this question to the community.

You just need to run the CLI command in the Azure portal. Give the resource group name, user identity name and function app name to the command below:

userAssignedIdentityResourceId=$(az identity show -g resourcegroupname -n managedidentityname --query id -o tsv)
appResourceId=$(az webapp show -g resourcegroupname -n functionappname --query id -o tsv)
az rest --method PATCH --uri "${appResourceId}?api-version=2021-01-01" --body "{'properties':{'keyVaultReferenceIdentity':'${userAssignedIdentityResourceId}'}}"
sridhar badri answered Dec 20 '25 11:12


I realized that in addition to setting the property keyVaultReferenceIdentity via app-setting, we need to change this property of the same name in the resource function. The default value is SystemAssign if you enable it. Unfortunately the MS documentation is unclear on this.

I found the property that can be used in the terraform documentation, follow the link: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#:~:text=key_vault_reference_identity_id

After setting this property to the value of the User Assigned Managed Identity, this worked fine.

Magno Oliveira answered Dec 20 '25 12:12
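
A read-only check of the fix described in the two answers above, as an added example that is not part of either answer: it reads `properties.keyVaultReferenceIdentity` from the site resource with the same `az rest` endpoint and api-version and compares it with the identity you expect. The function names and status strings are hypothetical, and it assumes that an empty value or `SystemAssigned` means the default identity and that ARM resource IDs compare case-insensitively.

```shell
#!/usr/bin/env bash
# Added example: confirm which identity a Function App uses for Key Vault references.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Pure decision logic, kept separate from the az calls so it can be tested offline.
#   $1 = properties.keyVaultReferenceIdentity as returned by ARM
#   $2 = resource ID of the user-assigned identity you expect
#   $3 = whitespace-separated resource IDs of identities attached to the app
kv_ref_identity_status() {
  local current expected id
  current=$(lower "$1")
  expected=$(lower "$2")
  # Assumption: empty or "SystemAssigned" means the default (system-assigned) identity.
  if [ -z "$current" ] || [ "$current" = "systemassigned" ]; then
    echo "system-assigned-default"; return 1
  fi
  if [ "$current" != "$expected" ]; then
    echo "different-identity"; return 1
  fi
  # The property can name an identity that was never attached to the app.
  for id in $3; do
    if [ "$(lower "$id")" = "$expected" ]; then echo "ok"; return 0; fi
  done
  echo "identity-not-attached"; return 1
}

# Reads the live values (GET only, changes nothing).
# usage: audit_kv_ref_identity <resource-group> <app-name> <identity-name>
audit_kv_ref_identity() {
  local expected app_id current attached
  expected=$(az identity show -g "$1" -n "$3" --query id -o tsv) || return 2
  app_id=$(az webapp show -g "$1" -n "$2" --query id -o tsv) || return 2
  current=$(az rest --method GET --uri "${app_id}?api-version=2021-01-01" \
    --query properties.keyVaultReferenceIdentity -o tsv) || return 2
  attached=$(az rest --method GET --uri "${app_id}?api-version=2021-01-01" \
    --query 'keys(identity.userAssignedIdentities || `{}`)' -o tsv) || return 2
  kv_ref_identity_status "$current" "$expected" "$attached"
}
```

Run `audit_kv_ref_identity <resource-group> <app-name> <identity-name>` after `az login`; any result other than `ok` means the Key Vault reference will not resolve with the intended user-assigned identity.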