Key Vault
Access Key Vault secrets from functions with managed identity and least-privilege role assignments.
```mermaid
flowchart LR
    A[Trigger] --> B[Function]
    B --> C[Binding or SDK]
    C --> D[Azure service]
```

Topic/Command Groups
Assign identity and role

Enable the function app's system-assigned managed identity, then grant that identity the built-in "Key Vault Secrets User" role (get and list secrets on the data plane, nothing else) scoped to the single vault, not to the resource group or subscription. The role only takes effect on a vault that uses the Azure RBAC permission model (`enableRbacAuthorization`); on a vault that still uses access policies the assignment is accepted but grants nothing. Key Vault also accepts role assignments at the scope of one secret (`.../vaults/$KEYVAULT_NAME/secrets/<secret-name>`) when the function needs only that secret.

```bash
az functionapp identity assign --name "$APP_NAME" --resource-group "$RG"
# <object-id> is the identity's principalId, e.g. from:
#   az functionapp identity show --name "$APP_NAME" --resource-group "$RG" --query principalId -o tsv
# --assignee-principal-type skips the directory lookup, which can fail while the new identity is still replicating
az role assignment create --assignee-object-id "<object-id>" --assignee-principal-type ServicePrincipal --role "Key Vault Secrets User" --scope "/subscriptions/<subscription-id>/resourceGroups/$RG/providers/Microsoft.KeyVault/vaults/$KEYVAULT_NAME"
```
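The assignment step as one script, added here as an example rather than taken from the page: it captures the identity's principal ID instead of pasting it, refuses to proceed when the vault still uses access policies (where the role would be a silent no-op), pins the principal type, and hands the vault URI to the function as an app setting so nothing is hard-coded. The env-var names `APP_NAME`, `RG`, `KEYVAULT_NAME` and `SUBSCRIPTION_ID`, the function names, and the app setting name `KEY_VAULT_URL` are this example's own choices; the `az` invocations use only documented flags.

```shell
#!/usr/bin/env sh
# Added example, not the page's own script. Assumed inputs (positional):
#   APP_NAME RG KEYVAULT_NAME SUBSCRIPTION_ID
set -eu

# ARM resource ID of the vault: the narrowest scope the role should be
# assigned at (never the resource group or subscription).
kv_scope() {
    printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s' "$1" "$2" "$3"
}

# Vault URI the function later passes to SecretClient.
kv_vault_uri() {
    printf 'https://%s.vault.azure.net/' "$1"
}

# "Key Vault Secrets User" only has effect under the Azure RBAC permission
# model. Takes the value of properties.enableRbacAuthorization (true/false).
kv_rbac_enabled() {
    case "$1" in
        true|True) return 0 ;;
        *) return 1 ;;
    esac
}

assign_function_to_vault() {
    app="$1"; rg="$2"; vault="$3"; sub="$4"
    scope="$(kv_scope "$sub" "$rg" "$vault")"

    # Enable the system-assigned identity and capture its object (principal) ID
    # from the command output instead of copying it by hand.
    principal_id="$(az functionapp identity assign \
        --name "$app" --resource-group "$rg" \
        --query principalId -o tsv)"

    # Fail closed on an access-policy vault: the role assignment would succeed
    # but the function would still get 403 from the data plane.
    rbac="$(az keyvault show --name "$vault" --resource-group "$rg" \
        --query properties.enableRbacAuthorization -o tsv)"
    if ! kv_rbac_enabled "$rbac"; then
        echo "vault $vault uses access policies, not Azure RBAC; enable RBAC first" >&2
        return 1
    fi

    # Principal type is given explicitly so the CLI does not look the brand-new
    # identity up in Microsoft Entra ID, which can fail while it is replicating.
    az role assignment create \
        --assignee-object-id "$principal_id" \
        --assignee-principal-type ServicePrincipal \
        --role "Key Vault Secrets User" \
        --scope "$scope" -o none

    # Hand the vault URI to the function as configuration (KEY_VAULT_URL is an
    # assumed setting name) so the code never embeds it.
    az functionapp config appsettings set \
        --name "$app" --resource-group "$rg" \
        --settings "KEY_VAULT_URL=$(kv_vault_uri "$vault")" -o none
}

# Runs the procedure only when all four values are given; sourcing the file
# just defines the functions.
if [ "$#" -eq 4 ]; then
    assign_function_to_vault "$@"
fi
```

Usage: `sh assign-kv.sh "$APP_NAME" "$RG" "$KEYVAULT_NAME" "$SUBSCRIPTION_ID"`. The RBAC check is the part most often skipped: a vault created with the default (access-policy) model accepts the role assignment without complaint, and the first sign of trouble is a 403 from `GetSecretAsync` in production.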
Read secret from function

`DefaultAzureCredential` resolves to the managed identity when the code runs in Azure and to developer credentials (Azure CLI, Visual Studio and so on) locally, so the same code works in both places with no credential in configuration. Build the `SecretClient` once and reuse it across invocations rather than creating it per request, since each new credential instance acquires its own token. Requires the `Azure.Identity` and `Azure.Security.KeyVault.Secrets` packages.

```csharp
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// keyVaultUrl is the vault URI, e.g. https://<vault-name>.vault.azure.net/, taken from configuration rather than hard-coded
var client = new SecretClient(new Uri(keyVaultUrl), new DefaultAzureCredential());
var response = await client.GetSecretAsync("DbPassword");   // throws RequestFailedException (403) if the role assignment is missing or not yet propagated
var secretValue = response.Value.Value;                     // Response<KeyVaultSecret> -> KeyVaultSecret -> the secret string
```