Skip to content

KeyVault Secret in Azure Function

KeyVault Secret in Azure Function 2022

Some time ago I discovered that for added security and convenience you can use secrets from KeyVault in Azure function configuration. Sensitive data is more secure and less people can access it.


First, we create KeyVault and enter a secret into it. When we’re done, copy the ‘Secret Identifier‘ we’ll need later.

Azure Key Vault Secrets
Azure key vault copy secret identifier


Now we can create AppFunction. For the app to be able to download secrets from KeyVault, click ‘Add / Edit application setting‘, enter any name and enter the value @Microsoft.KeyVault(SecretUri=<KeyVault_ Secret_Identifier>)

AppFunction - configuration
AppFunction - configuration add KeyVault secret
AppFunction - configuration

For Azure App Function to read the secret, you still need to create an identity for the function and grant it permissions in KeyVault. We create the identity by changing the status to ON and clicking save. We copy ‘Object ID‘ will be needed later.

appfunction identity

We open KeyVault and add a policy by clicking on ‘add Access Policy‘. We only give the necessary Get and List permissions for Secrets, in select principal we add ‘Object ID‘ to our Azure AppFunction.

Azure KeyVault Policies

If we did everything right, then after clicking refresh in the configuration of our function, we should see the value of Key vault Reference with a green mark.

Azure AppFunction KeyVault Reference

More information on Azure function can be found here

More information on Key Vault can be found here

If you liked the article, see also my other posts