

Can I use Managed Identity to access Azure Key Vault from a Function App?


Yes, you can use Managed Identity to access Azure Key Vault from a Function App. Here's how it works:

1. Enable Managed Identity on the Function App: Navigate to your Azure Function App, go to the Settings section, click on Identity, and turn on the System assigned managed identity. Save the changes[1][4].

2. Assign Permissions to Key Vault: Go to your Azure Key Vault, navigate to Access control (IAM), and add a role assignment. Select the Key Vault Secrets User role and assign it to the managed identity of your Function App[4][7].

3. Access Key Vault Secrets: In your Function App, you can now reference secrets from Key Vault using the managed identity. This is typically done by configuring the secret references in the Configuration settings of your Function App[1][5].
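The three steps above as Azure CLI calls, as an added example that is not part of the original page. It assumes public Azure (`vault.azure.net`), a system-assigned identity, and a vault that uses the Azure RBAC permission model; `kv_reference` and `grant_function_secret_access` are hypothetical helper names.

```bash
#!/usr/bin/env bash
# Added example: the three portal steps as Azure CLI calls (run after `az login`).
# Assumes public Azure (vault.azure.net); every resource name is supplied by the caller.

# Build the app-setting value that tells the platform to resolve a secret at runtime.
# $1 = vault name, $2 = secret name. No version segment, so the latest version is used.
kv_reference() {
  printf '@Microsoft.KeyVault(SecretUri=https://%s.vault.azure.net/secrets/%s/)' "$1" "$2"
}

# $1 = resource group, $2 = function app, $3 = vault, $4 = secret, $5 = app setting name
# Body runs in a subshell, so variables stay local and `exit` only leaves the function.
grant_function_secret_access() (
  rg="$1"; app="$2"; vault="$3"; secret="$4"; setting="$5"

  # IAM role assignments are only honoured when the vault uses the Azure RBAC
  # permission model; stop before changing anything if it does not.
  rbac="$(az keyvault show -n "$vault" \
    --query properties.enableRbacAuthorization -o tsv)" || exit 1
  [ "$rbac" = "true" ] || { echo "vault $vault is not in RBAC mode" >&2; exit 1; }

  # Step 1: enable the system-assigned identity and capture its principal (object) ID.
  principal_id="$(az functionapp identity assign -g "$rg" -n "$app" \
    --query principalId -o tsv)" || exit 1
  [ -n "$principal_id" ] || { echo "no principalId returned" >&2; exit 1; }

  # Step 2: grant Key Vault Secrets User, scoped to this vault only.
  vault_id="$(az keyvault show -n "$vault" --query id -o tsv)" || exit 1
  az role assignment create --role "Key Vault Secrets User" \
    --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal \
    --scope "$vault_id" >/dev/null || exit 1

  # Step 3: the app setting stores a reference, never the secret value itself.
  az functionapp config appsettings set -g "$rg" -n "$app" \
    --settings "$setting=$(kv_reference "$vault" "$secret")" >/dev/null || exit 1

  echo "$principal_id"
)
```

Call it as `grant_function_secret_access <resource-group> <function-app> <vault> <secret> <SETTING_NAME>`; the role is scoped to the single vault so the identity cannot read secrets elsewhere in the subscription.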

Using Managed Identity provides a secure way to access Key Vault without storing credentials in your application code. It gives the Function App its own identity, which can be granted permissions to access other Azure resources, such as Key Vault[6].

There are two types of Managed Identities: System-assigned and User-assigned. System-assigned identities are tied to the lifecycle of the Function App, while user-assigned identities are standalone resources that can be used across multiple applications[3][7]. Both types can be used to access Key Vault, but user-assigned identities require additional configuration to specify which identity to use[5].

Citations:
[1] https://nanddeepn.github.io/posts/2023-06-25-read-key-vault-secret-from-function-mi/
[2] https://www.reddit.com/r/AZURE/comments/1cumd51/how_do_i_get_access_to_key_vault_via_managed/
[3] https://www.red-gate.com/simple-talk/cloud/azure/azure-function-and-user-assigned-managed-identities/
[4] https://www.appgovscore.com/blog/connect-to-microsoft-graph-api-securely-function-app-azure-key-vault
[5] https://stackoverflow.com/questions/76439670/azure-function-app-setting-from-key-vault-accessible-with-system-assigned-identi
[6] https://docs.azure.cn/en-us/azure-functions/functions-identity-based-connections-tutorial
[7] https://learn.microsoft.com/en-us/azure/frontdoor/managed-identity
[8] https://stackoverflow.com/questions/79293711/azure-function-app-using-key-vault-with-managed-identity-not-authorised