A handy guide for dummies to troubleshoot Azure Key Vault reference errors in Functions App

Azure Key Vault offers the great advantage of keeping your credentials, keys, and secrets safe and centralized. However, the real power of the Key Vault lies in its seamless integration with various Azure components.
The primary benefit of referencing Key Vault secrets in Function Apps lies in enhanced security and reduced maintenance. The secrets can be updated in the Key Vault and are immediately available in the App.
This article presents a few lessons learned while working with Key Vault references.
Prerequisites
- An active Microsoft Azure subscription
- Azure Key Vault with secrets
- Azure Functions App (with broken Key Vault references)
It’s easy to set up the linkage between the Key Vault and the Functions App. Just 4 minutes of reading, a few well-defined steps from Microsoft Docs, and you’re ready. Hooray! But wait, why is my code breaking?
It turns out it can get a little more complicated than that. Let us see what a failed and a successful reference look like. Click the corresponding pencil icon to check the current resolution status.
Okay. But…I don’t know how to set up references!

The Essentials
For a reference to resolve successfully, three conditions must hold.
Identity
Your app should have a system-assigned managed identity to be able to connect to your Key Vault. Ensure that your app has a system-assigned identity.

At the time of writing, Azure Key Vault references only support system-assigned managed identities.
Access policies
The app should have the correct (Get) permissions to read the credentials stored in the Vault. Check the Vault Access policies for your app.

Network access
Your app should be able to reach the Key Vault to be able to resolve a reference successfully. If you see the warning related to the ‘network access control’ on your Vault’s Access policies settings, ensure your App’s IP address is allowed through the Vault’s firewall.
The Basics
Before we delve into specifics, let’s talk about the basic information you need to make it work.
Presence
The secret you’re trying to get must exist in the Vault and should be referenced accurately. Ensure the secret exists; the best way would be to copy the secret identifier string from the Vault.
Syntax
An Azure Key Vault reference is of the form @Microsoft.KeyVault({referenceString}), where {referenceString} is the secret identifier, either in the URI or a key-value form.
#URI form:
@Microsoft.KeyVault(SecretUri=https://myVault.vault.azure.net/secrets/mySecretX/mySecretXVersion)
#Key-value form
@Microsoft.KeyVault(VaultName=myVault;SecretName=mySecretX;SecretVersion=mySecretXVersion)
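The two forms above can be checked locally before a setting is saved. The following is an added example, not code from the original article or from Microsoft: `lint_reference` is a hypothetical helper, and the vault host suffix, the secret-name character set and the 32-hex-digit version format are assumptions of this sketch, so what it flags may differ from what the platform itself rejects.

```python
import re
from urllib.parse import urlsplit

# Assumptions of this example (not from the article): public-cloud vault host
# suffix, names of letters/digits/hyphens, versions of 32 hex digits.
NAME = re.compile(r"[0-9A-Za-z-]{1,127}")
VERSION = re.compile(r"[0-9A-Fa-f]{32}")
WRAPPER = re.compile(r"@Microsoft\.KeyVault\((.*)\)")
KEYS = ("VaultName", "SecretName", "SecretVersion")


def lint_reference(value):
    """Return the problems found in one app-setting value (empty list = OK)."""
    m = WRAPPER.fullmatch(value)
    if not m:
        return ["not of the form @Microsoft.KeyVault({referenceString})"]
    body = m.group(1)
    if body.startswith("SecretUri="):
        return _lint_uri(body[len("SecretUri="):])
    pairs, problems = {}, []
    for part in body.split(";"):
        key, sep, val = part.partition("=")
        if sep and key in KEYS:
            pairs[key] = val
        else:
            problems.append(f"unexpected segment {part!r}")
    for key in ("VaultName", "SecretName"):
        if not NAME.fullmatch(pairs.get(key, "")):
            problems.append(f"{key} missing or malformed")
    return problems + _lint_version(pairs.get("SecretVersion"))


def _lint_uri(uri):
    parts = urlsplit(uri)
    problems = []
    if parts.scheme != "https":
        problems.append("SecretUri must use https")
    if not (parts.hostname or "").endswith(".vault.azure.net"):
        problems.append("host is not a *.vault.azure.net vault")
    segs = parts.path.strip("/").split("/")
    if len(segs) not in (2, 3) or segs[0] != "secrets" or not NAME.fullmatch(segs[1]):
        return problems + ["path must be /secrets/<name>[/<version>]"]
    return problems + _lint_version(segs[2] if len(segs) == 3 else None)


def _lint_version(version):
    if version is None or VERSION.fullmatch(version):
        return []  # no version in the reference, or a well-formed one
    return ["SecretVersion is not 32 hex digits; copy it from the Vault"]
```

An empty list only means the string is well formed; identity, access policy and network access still have to be in place for the reference to resolve.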
The Errors
InvalidSyntax
InvalidSyntax is probably the most straightforward error status. Check and correct the syntax.

Could not access key vault reference metadata
Inaccessible reference metadata is a specialized syntax error. The error is shown on the Configuration page rather than on the Add/Edit application setting blade. Check and correct the syntax of the reference (an example is shown below).


AccessToKeyVaultDenied
AccessToKeyVaultDenied error signifies that your app is unable to reach the secrets stored in the Key Vault. The likely reasons could be:
- Your app can’t reach the Key Vault — add your app’s IP (available under Custom domains) to your Key Vault’s firewall (under Networking).
- Your app doesn’t have the correct permission to read your secrets — assign the correct (Get) permission to your app to read the appropriate credentials from the Vault.


SecretNotFound
SecretNotFound is caused by an incorrect secret name. The secret name should be the same as it appears in the Vault (case-insensitive).

MSINotEnabled
MSINotEnabled is caused by the absence of a managed identity for your app. Enable the system-assigned identity for your app.

OtherReasons
One resolution for this error is to verify the secret version in the reference string. The secret version GUID should exactly match the one in the Vault (case-insensitive).

Initialized
We came face-to-face with the Initialized error. It was an unfortunate encounter, and we haven’t made notable progress yet.

Pro Tip
If you’re replacing an existing variable with the Vault reference — delete the environment variable and create it again with the Vault reference.
Conclusion
We learned the necessities and rules to successfully reference Azure Key Vault secrets in the Functions App as environment variables. We presented a few common errors and their resolutions. Setting up the Key Vault references is quite simple and straightforward.
