Key Vault references setup for Azure Functions

Marios Siati
KPMG UK Engineering
2 min read, Mar 28, 2022

Access to Key Vault could be implemented in application code, but the recommended practice is to use Key Vault references. This is mainly for simplicity and security: the platform resolves each referenced secret into an application setting using the function app's managed identity, so the function code reads an ordinary app setting and needs no Key Vault SDK, no credential of its own and no additional calls to Key Vault.

1. Navigate to the Function App, open the Identity settings and turn on the system-assigned managed identity. Copy the Object (principal) ID that appears once it is enabled; this is the identity that Key Vault will authorise.

2. Go to the Key Vault's Secrets blade and create the secret.

3. Create a new access policy on the Key Vault. A Key Vault reference only needs the Get permission on secrets, so grant Get and nothing else: the Secret Management template pre-selects far more (List, Set, Delete, Recover, Backup, Restore, Purge), so deselect everything except Get.
On the Select principal field, paste the Object ID from step 1. If the vault uses Azure RBAC instead of access policies, assign the identity the Key Vault Secrets User role on the vault instead.

4. On the function app, go to Configuration and, for each application setting whose value should come from Key Vault, enter a reference of the following form instead of the secret value itself.

Example :

@Microsoft.KeyVault(VaultName=notifications-keyvault;SecretName=CosmosDbAuthKey)

Leaving the secret version out of the reference resolves the latest version, so a rotated secret is picked up automatically after a delay and the app setting never has to change. If a reference cannot be resolved (wrong vault or secret name, missing Get permission, firewall blocking the app), the function receives the literal reference string as the setting value; the Configuration blade shows a status next to each reference, so check it after saving.

5. Add the function app's outbound IP addresses to the Key Vault firewall allowlist

If the Key Vault firewall is enabled (Networking set to allow access from selected networks only), the function app's outbound IP addresses must be allowed, whether or not a custom domain is configured: Key Vault sees the app's outbound addresses, not the inbound address the custom domain resolves to.

Go to the function app's Properties blade and copy the Outbound IP addresses and the Additional Outbound IP addresses.

Go to the Key Vault's Networking blade and enter each IP in the Firewall rules.

Please note that these IP addresses can change when the function app is stopped, started, scaled or moved to a different scale unit; the Additional Outbound IP addresses list covers the full set the app can use in its current unit, but not a future one. To avoid this situation, integrate the function app with a virtual network and attach an Azure NAT Gateway (Virtual Network NAT) to the integration subnet, with outbound traffic routed through the virtual network. All outbound connectivity then uses the NAT gateway's static public IP addresses, which can be allowed in the Key Vault firewall once, so the function app will always be able to reach the Key Vault. An alternative that avoids public IP allowlisting altogether is to add the integration subnet as a virtual network rule on the vault (service endpoint) or to give the vault a private endpoint in that network.
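The five portal steps above as one Azure CLI script, added here as an example and not part of the original post. The vault and secret names are the ones from the post; the resource group and function app names, the SECRET_VALUE environment variable, and the ARM endpoint and api-version used for the final status check are assumptions. It grants only Get (not the Secret Management template), allows every outbound IP the app can currently use rather than one address, and ends by checking which settings are references.

```shell
#!/usr/bin/env bash
# Added example: configure a Key Vault reference for an Azure Function with the Azure CLI.
# Needs `az login` with rights on both resources. Set KV_APPLY=1 to run main; otherwise only
# the functions are defined.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-notifications-rg}"    # assumed name
FUNCTION_APP="${FUNCTION_APP:-notifications-func}"      # assumed name
VAULT_NAME="${VAULT_NAME:-notifications-keyvault}"      # name used in the post
SECRET_NAME="${SECRET_NAME:-CosmosDbAuthKey}"           # name used in the post
SECRET_VALUE="${SECRET_VALUE:-}"                        # supplied via the environment, never hard-coded

# Build the reference string that goes into the app setting. Leaving the version out
# resolves the latest version, so rotating the secret needs no change to the app setting.
kv_reference() {
  if [ -n "${3:-}" ]; then
    printf '@Microsoft.KeyVault(VaultName=%s;SecretName=%s;SecretVersion=%s)' "$1" "$2" "$3"
  else
    printf '@Microsoft.KeyVault(VaultName=%s;SecretName=%s)' "$1" "$2"
  fi
}

# True when a setting value is a Key Vault reference (VaultName/SecretName or SecretUri form).
# Function code that still sees this literal string at runtime has an unresolved reference.
is_kv_reference() {
  case "$1" in
    '@Microsoft.KeyVault('*')') return 0 ;;
    *) return 1 ;;
  esac
}

# Step 1: enable the system-assigned managed identity; prints its object (principal) ID.
enable_identity() {
  az functionapp identity assign -g "$RESOURCE_GROUP" -n "$FUNCTION_APP" \
    --query principalId -o tsv
}

# Step 2: create the secret in the vault.
create_secret() {
  [ -n "$SECRET_VALUE" ] || { echo "SECRET_VALUE is empty" >&2; return 1; }
  az keyvault secret set --vault-name "$VAULT_NAME" --name "$SECRET_NAME" \
    --value "$SECRET_VALUE" --query id -o tsv
}

# Step 3: least privilege - the identity only needs Get on secrets, not the whole
# Secret Management template. For an RBAC-enabled vault use instead:
#   az role assignment create --assignee-object-id "$1" --assignee-principal-type ServicePrincipal \
#     --role "Key Vault Secrets User" --scope "$(az keyvault show -n "$VAULT_NAME" --query id -o tsv)"
grant_get_only() {
  az keyvault set-policy -n "$VAULT_NAME" --object-id "$1" --secret-permissions get -o none
}

# Step 4: store the reference, not the secret, in the app setting.
set_reference() {
  az functionapp config appsettings set -g "$RESOURCE_GROUP" -n "$FUNCTION_APP" \
    --settings "$SECRET_NAME=$(kv_reference "$VAULT_NAME" "$SECRET_NAME")" -o none
}

# Step 5: allow every outbound IP the app can use in its current scale unit
# (possibleOutboundIpAddresses, not just today's outboundIpAddresses), then lock the vault down.
allow_outbound_ips() {
  ips=$(az functionapp show -g "$RESOURCE_GROUP" -n "$FUNCTION_APP" \
    --query possibleOutboundIpAddresses -o tsv)
  for ip in $(printf '%s' "$ips" | tr ',' ' '); do
    az keyvault network-rule add -n "$VAULT_NAME" --ip-address "$ip" -o none
  done
  az keyvault update -n "$VAULT_NAME" --default-action Deny -o none
}

# Check: list which settings are references, then ask the platform whether each one resolved.
# The configreferences URL and api-version are assumptions taken from the ARM REST API;
# each returned entry should show a status of Resolved.
check_references() {
  az functionapp config appsettings list -g "$RESOURCE_GROUP" -n "$FUNCTION_APP" \
    --query '[].[name,value]' -o tsv |
  while IFS="$(printf '\t')" read -r name value; do
    if is_kv_reference "$value"; then echo "reference setting: $name"; fi
  done
  sub=$(az account show --query id -o tsv)
  az rest --method get -o json --url \
    "/subscriptions/$sub/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Web/sites/$FUNCTION_APP/config/configreferences/appsettings?api-version=2022-03-01"
}

main() {
  principal=$(enable_identity)
  grant_get_only "$principal"
  create_secret >/dev/null
  set_reference
  allow_outbound_ips
  check_references
}

if [ "${KV_APPLY:-0}" = "1" ]; then main; fi
```

Run it as `SECRET_VALUE='...' KV_APPLY=1 ./kv-reference.sh` after `az login`. Setting `--default-action Deny` last means the app's addresses are already allowed when the firewall closes; if the app later moves scale unit, rerun allow_outbound_ips or switch to the NAT gateway or private endpoint approach described above.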
