Search code examples
azureazure-managed-identity

Azure Function w/ User-Assigned Managed Identity retrieves secrets from Key Vault works locally but fails in Azure Portal

I created an Azure Function that uses user-assigned managed identity to retrieve secrets from an Azure Key Vault. The code works locally when I test in Visual Studio but fails when I publish to the cloud. I have created a 'Managed Identity' resource in Azure and added a 'Key Vault Contributor' role assignment to the managed identity. In my Azure Function under Settings>Identity>User Assigned I have added a reference to the managed identity. Since the code works locally and uses my credentials to authenticate with the Key Vault, I assume I'm missing something in the setup on the Azure Portal. Any guidance would be appreciated. I'm stumped as I've followed MS Documentation to a tee.

Following is the error I receive when testing the function in the Azure Portal. HTTP response code: 500 Internal Server Error Executed 'Function1' (Failed, Id=XXXXXXXXXX, Duration=19ms)Service request failed.Status: 400 (Bad Request)Headers:Date: Mon, 22 Nov 2021 22:02:56 GMTContent-Length:

I am using Azure.Identity to authenticate following the example found here: App Authentication to Azure.Identity Migration Guidance

public static class TestManagedIdentity
{
    [FunctionName("Function1")]
    public static async Task<IActionResult> Run(
        [HttpTrigger(AuthorizationLevel.Function, "post", Route = null)] HttpRequest req,
        ILogger log)
    {
        log.LogInformation("C# HTTP trigger function processed a request.");
        string requestBody = await new StreamReader(req.Body).ReadToEndAsync();
        dynamic data = JsonConvert.DeserializeObject(requestBody);
        string secret = String.Empty;
        string secretName = data.SecretName;

        azureKeyVaultURI = "https://MyKeyVault.vault.azure.net";
        var client = new SecretClient(new URI(azureKeuVaultURI), new DefaultAzureCredential());

        var secret = client.GetSecret(secretName).Value;
        log.LogInformation($"My secret value is {secret}");

        return new OkObjectResult("Success!");
    }
}
Solution

  • I solved this. I was missing a reference to the Azure Managed Identity client ID. Updated the code with the below.

    var client = new SecretClient(new Uri(azureKeyVaultURI), new DefaultAzureCredential( new DefaultAzureCredentialOptions { ManagedIdentityClientId = clientId }));