Azure Functions: Use User-Assigned Managed Identity for Key Vault Reference
  • 29 Jul 2022

#ServerlessTips - Azure Functions
Author: Tidjani Belmansour Azure MVP

Managed Identities in Azure can be seen as managed service accounts for our applications. They are also more secure than hand-managed service principals: Azure takes care of credential rotation, so their credentials never need to be stored or exposed anywhere, which reduces the risk of these accounts being compromised and abused.

Managed Identities are still accounts in your Azure AD tenant, though. Hence, you can use them to grant access to your Azure resources (for management purposes) and as the identity of an application or service when assigning permissions (e.g., access to a database).

There are two types of Managed Identities:

  • System-Assigned: they are assigned to a single resource, and their lifetime is tied to the lifetime of that resource (i.e., if the resource is deleted, so is its system-assigned managed identity).
  • User-Assigned: a user-assigned managed identity is created by a user and is a resource on its own. It can be assigned to one or many resources, and its lifetime is not tied to any of them. It is useful when multiple resources must share a common set of permissions.

Managed Identities can be used with various Azure services, including Azure Functions.

However, there’s an issue preventing us from using a User-Assigned Managed Identity for Key Vault references in Azure Functions.

Fortunately, there’s a way to address this issue, which is by running the following commands (replace RgName, AppName and MyUserAssignedIdentityName with your own resource group, function app and identity names):

# Resource ID of the user-assigned managed identity (not its client ID)
userAssignedIdentityResourceId=$(az identity show -g RgName -n MyUserAssignedIdentityName --query id -o tsv)
# Resource ID of the function app (function apps are App Service sites, hence "az webapp")
appResourceId=$(az webapp show -g RgName -n AppName --query id -o tsv)
# Set the identity the app uses when resolving Key Vault references
az rest --method PATCH --uri "${appResourceId}?api-version=2021-01-01" --body "{'properties':{'keyVaultReferenceIdentity':'${userAssignedIdentityResourceId}'}}"

The most important part is the PATCH request, which sets the keyVaultReferenceIdentity property of the function app to the user-assigned identity and thereby fixes the issue.
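The commands above do not check what they are sending or whether the change took effect. The following script, added here as an example and not part of the original tip, wraps the same three steps with two guards a practitioner would want: it verifies that the value obtained from `az identity show` is an ARM resource ID (the keyVaultReferenceIdentity property expects the identity's resource ID, not its client or principal GUID), and after the PATCH it reads the property back through the same REST endpoint to confirm the update. The regular expression for the identity resource ID shape and the environment variable names AZ_RG, AZ_APP and AZ_UAMI are assumptions of this example; the live part only runs when those variables are set and the az CLI is installed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): validate the identity resource ID,
# build a strict-JSON PATCH body, apply it with "az rest" and read it back.

# The keyVaultReferenceIdentity property expects the ARM resource ID of the
# user-assigned identity. Passing its clientId/principalId GUID by mistake is
# caught here before any request is sent.
uami_id_is_valid() {
  # ASSUMPTION: the ID has the documented shape
  # /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<name>
  printf '%s' "$1" | grep -Eiq \
    '^/subscriptions/[^/]+/resourcegroups/[^/]+/providers/microsoft\.managedidentity/userassignedidentities/[^/]+$'
}

# Emit strict JSON (double quotes), so the body is valid for any REST client,
# not only for the lenient parser of the az CLI.
build_patch_body() {
  printf '{"properties":{"keyVaultReferenceIdentity":"%s"}}' "$1"
}

# Apply the change to the function app and verify it was stored.
# Arguments: resource group, function app name, user-assigned identity name.
set_keyvault_reference_identity() {
  rg="$1"; app="$2"; identity="$3"

  uami_id=$(az identity show -g "$rg" -n "$identity" --query id -o tsv)
  uami_id_is_valid "$uami_id" || { echo "unexpected identity id: $uami_id" >&2; return 1; }

  app_id=$(az webapp show -g "$rg" -n "$app" --query id -o tsv)
  az rest --method PATCH --uri "${app_id}?api-version=2021-01-01" \
    --body "$(build_patch_body "$uami_id")" >/dev/null

  # Read the property back with the same API version; it must now equal the identity ID.
  current=$(az rest --method GET --uri "${app_id}?api-version=2021-01-01" \
    --query properties.keyVaultReferenceIdentity -o tsv)
  [ "$current" = "$uami_id" ] || { echo "keyVaultReferenceIdentity not updated (got: $current)" >&2; return 1; }
  echo "keyVaultReferenceIdentity is now $current"
}

# Live run only when the (assumed) environment variables are set and az is available.
if [ -n "${AZ_RG:-}" ] && [ -n "${AZ_APP:-}" ] && [ -n "${AZ_UAMI:-}" ] && command -v az >/dev/null 2>&1; then
  set_keyvault_reference_identity "$AZ_RG" "$AZ_APP" "$AZ_UAMI"
fi
```

Run it as `AZ_RG=RgName AZ_APP=AppName AZ_UAMI=MyUserAssignedIdentityName bash set-kv-identity.sh` after `az login`. The read-back at the end is the useful part: a PATCH that silently fails leaves the function app resolving Key Vault references with the wrong identity, which shows up later as access-denied errors on the secrets.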
