A while ago I wrote about how to retrieve configuration settings for an Azure Function App from the Key Vault. This approach had the benefit that settings are loaded early enough in the start-up procedure to also be available as configuration settings for function bindings.

Unfortunately, this approach also has a number of downsides:

  • Lately, I have been running into intermittent issues with this approach. In some cases the settings failed to load from the Key Vault in time, resulting in start-up errors of the Function App. These are not only annoying, but can also be hard to troubleshoot.
  • The workaround of only loading the settings when a Managed Identity is available, and not when running locally, is not clean. It also introduces a difference in behavior between running locally and running deployed, which is a possible source of issues.
  • The app configuration in the portal (or better: in your ARM template) does not list all the settings the application uses. One or more of them are side-loaded from the Key Vault. This makes it less transparent for new members of the team which settings the application really needs.

Luckily, a new approach to loading secrets from an Azure Key Vault has become available. As the value of an app setting you can now specify a reference to a Key Vault secret using the following syntax:

@Microsoft.KeyVault(SecretUri=https://<keyvaultname>.vault.azure.net/secrets/<secretname>/)

Please note the slash at the end! This slash is mandatory to reference the latest version of the secret. Optionally, you can pin a specific version by specifying it after the slash. Leaving the slash out completely means the reference will not work.

Now whenever this syntax is encountered by the App Service runtime in a setting, it will automatically use your App Service's Managed Identity to retrieve the secret from the Key Vault (just as my previous solution did in user code). In the portal you can even track the status of this look-up, where it is displayed as successful or not.

Of course this syntax can also be used in ARM templates and I have moved almost all my applications over to this approach now. An example of the syntax for ARM templates is as follows:

{
  "apiVersion": "2015-08-01",
  "name": "appsettings",
  "type": "config",
  "dependsOn": [
    "[variables('functionsAppName')]",
    "[variables('secretName')]"
  ],
  "properties": {
    "AuditDbConnectionString": "[concat('@Microsoft.KeyVault(SecretUri=https://', variables('keyVaultName'), '.vault.azure.net/secrets/', variables('secretName'), '/)')]"
  }
}
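Because a missing trailing slash or a mistyped vault host only shows up as a failed look-up in the portal after deployment, it is worth checking the references before they get there. The validator below is an added example, not part of the original post and not Azure tooling; it encodes the rules stated above (the @Microsoft.KeyVault(SecretUri=...) shape, an https://<vault>.vault.azure.net host, and a secret name followed by a slash with an optional version) and runs over resolved setting values, i.e. a dictionary of setting name to value as you would see it in the portal, not over unresolved ARM concat expressions. The vault name contoso-kv, the secret names and the sample settings are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Shape of a reference as described in the post: @Microsoft.KeyVault(SecretUri=<uri>)
REFERENCE_RE = re.compile(r"^@Microsoft\.KeyVault\(SecretUri=(?P<uri>[^)\s]+)\)$")
# Secret path: /secrets/<name>/ for the latest version, or /secrets/<name>/<version>
SECRET_PATH_RE = re.compile(
    r"^/secrets/(?P<name>[A-Za-z0-9-]{1,127})/(?P<version>[0-9a-f]{32})?$"
)
# Same path without the mandatory trailing slash, so the error can be named precisely
NO_SLASH_RE = re.compile(r"^/secrets/[A-Za-z0-9-]{1,127}$")


def is_key_vault_reference(value: str) -> bool:
    """True if the setting value is intended to be a Key Vault reference."""
    return value.strip().startswith("@Microsoft.KeyVault(")


def parse_key_vault_reference(value: str) -> dict:
    """Parse one reference into {'vault', 'secret', 'version'} or return {'error': ...}."""
    m = REFERENCE_RE.match(value.strip())
    if m is None:
        return {"error": "malformed reference, expected @Microsoft.KeyVault(SecretUri=...)"}
    uri = urlparse(m.group("uri"))
    host = uri.netloc.lower()
    if uri.scheme != "https" or not host.endswith(".vault.azure.net"):
        return {"error": "SecretUri must be an https://<vault>.vault.azure.net URI"}
    if NO_SLASH_RE.match(uri.path):
        return {"error": "missing trailing slash after the secret name"}
    path = SECRET_PATH_RE.match(uri.path)
    if path is None:
        return {"error": "unexpected secret path, expected /secrets/<name>/[<version>]"}
    return {
        "vault": host.split(".")[0],
        "secret": path.group("name"),
        "version": path.group("version"),  # None means the latest version is used
    }


def find_broken_references(settings: dict) -> list:
    """Return [(setting name, error)] for every Key Vault reference that would not resolve."""
    problems = []
    for name, value in settings.items():
        if not is_key_vault_reference(value):
            continue  # plain settings are left alone
        result = parse_key_vault_reference(value)
        if "error" in result:
            problems.append((name, result["error"]))
    return problems


# Constructed sample: a valid reference, a version-pinned one, two broken ones and a plain setting.
SAMPLE_SETTINGS = {
    "AuditDbConnectionString": "@Microsoft.KeyVault(SecretUri=https://contoso-kv.vault.azure.net/secrets/AuditDb/)",
    "ApiKey": "@Microsoft.KeyVault(SecretUri=https://contoso-kv.vault.azure.net/secrets/ApiKey/0123456789abcdef0123456789abcdef)",
    "MissingSlash": "@Microsoft.KeyVault(SecretUri=https://contoso-kv.vault.azure.net/secrets/AuditDb)",
    "WrongHost": "@Microsoft.KeyVault(SecretUri=https://contoso-kv.example.com/secrets/AuditDb/)",
    "FUNCTIONS_WORKER_RUNTIME": "dotnet",
}

if __name__ == "__main__":
    for setting_name, error in find_broken_references(SAMPLE_SETTINGS):
        print(f"{setting_name}: {error}")
```

Running it on the sample prints the two broken settings and their reasons; a clean run prints nothing, which makes it easy to wire into a deployment pipeline as a pre-check on the resolved app settings.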

I hope you enjoy this new feature as much as I do and happy coding! 🙂