I created an Azure Function that uses user-assigned managed identity to retrieve secrets from an Azure Key Vault. The code works locally when I test in Visual Studio but fails when I publish to the cloud. I have created a 'Managed Identity' resource in Azure and added a 'Key Vault Contributor' role assignment to the managed identity. In my Azure Function under Settings>Identity>User Assigned I have added a reference to the managed identity. Since the code works locally and uses my credentials to authenticate with the Key Vault, I assume I'm missing something in the setup on the Azure Portal. Any guidance would be appreciated. I'm stumped as I've followed MS Documentation to a tee.
Following is the error I receive when testing the function in the Azure Portal. HTTP response code: 500 Internal Server Error Executed 'Function1' (Failed, Id=XXXXXXXXXX, Duration=19ms)Service request failed.Status: 400 (Bad Request)Headers:Date: Mon, 22 Nov 2021 22:02:56 GMTContent-Length:
I am using Azure.Identity to authenticate following the example found here: App Authentication to Azure.Identity Migration Guidance
public static class TestManagedIdentity
{
[FunctionName("Function1")]
public static async Task<IActionResult> Run(
[HttpTrigger(AuthorizationLevel.Function, "post", Route = null)] HttpRequest req,
ILogger log)
{
log.LogInformation("C# HTTP trigger function processed a request.");
string requestBody = await new StreamReader(req.Body).ReadToEndAsync();
dynamic data = JsonConvert.DeserializeObject(requestBody);
string secret = String.Empty;
string secretName = data.SecretName;
azureKeyVaultURI = "https://MyKeyVault.vault.azure.net";
var client = new SecretClient(new URI(azureKeuVaultURI), new DefaultAzureCredential());
var secret = client.GetSecret(secretName).Value;
log.LogInformation($"My secret value is {secret}");
return new OkObjectResult("Success!");
}
}
I solved this. I was missing a reference to the Azure Managed Identity client ID. Updated the code with the below.
var client = new SecretClient(new Uri(azureKeyVaultURI), new DefaultAzureCredential( new DefaultAzureCredentialOptions { ManagedIdentityClientId = clientId }));