Using Azure KeyVault secrets from functions – ARM template setup

Microsoft “recently” announced a new way of using key vault secrets that does not require any additional coding. Previously, you had to write your own webjobstartup class and initialize the key vault there. You can use these secrets in an ARM template like this:

They will be translated by the function runtime into the matching key vault secret – with version. Then you can use MSI to allow the function app access to the keyvault by setting

on the function app resource in the ARM template. Finally, you want to give the function app's SP access to the keyvault in the access policies:

The reason I did this in a separate element, and not under the accessPolicies in the keyvault resource, is that otherwise you'll have a circular dependency: the keyvault wants the function app's SP to generate the access policy, while the function app requires a secret from the vault.
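The three steps above combined in one template, as an added example that is not the original post's code. It assumes the key vault, the secret and the hosting plan already exist in the same resource group; the parameter names and the setting name `MySecretSetting` are hypothetical, and storage and runtime app settings are left out.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "functionAppName": { "type": "string" },
    "hostingPlanId": { "type": "string" },
    "keyVaultName": { "type": "string" },
    "secretName": { "type": "string" }
  },
  "resources": [
    {
      "comments": "Added example: function app with a system-assigned identity (MSI) and one app setting that is a Key Vault reference with version. MySecretSetting is a hypothetical name.",
      "type": "Microsoft.Web/sites",
      "apiVersion": "2018-11-01",
      "name": "[parameters('functionAppName')]",
      "location": "[resourceGroup().location]",
      "kind": "functionapp",
      "identity": { "type": "SystemAssigned" },
      "properties": {
        "serverFarmId": "[parameters('hostingPlanId')]",
        "siteConfig": {
          "appSettings": [
            {
              "name": "MySecretSetting",
              "value": "[concat('@Microsoft.KeyVault(SecretUri=', reference(resourceId('Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), parameters('secretName')), '2018-02-14').secretUriWithVersion, ')')]"
            }
          ]
        }
      }
    },
    {
      "comments": "Access policy as its own resource, deployed after the function app so the identity's principalId exists. This keeps the policy out of the vault resource and avoids the circular dependency.",
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "apiVersion": "2018-02-14",
      "name": "[concat(parameters('keyVaultName'), '/add')]",
      "dependsOn": [ "[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]" ],
      "properties": {
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[reference(resourceId('Microsoft.Web/sites', parameters('functionAppName')), '2018-11-01', 'Full').identity.principalId]",
            "permissions": { "secrets": [ "get" ] }
          }
        ]
      }
    }
  ]
}
```

The policy grants only `get` on secrets, which is all a Key Vault reference needs to resolve; the identity gets no list, set or key permissions.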
