AbuShokry

Reputation: 309

How to reference a key-vault secret in a part of the connection string in Azure Functions/apps

I'm setting up the connection string to a service bus in the app settings of an Azure function. Currently, I'm storing the entire connection string in Key Vault and referencing the Key Vault secret in the app settings. That's working fine. But what I'm trying to do without success is to store the Service Bus key only and not the whole connection string in the key vault.

I've tried to concatenate the connection string to the KeyVault reference app settings in the portal as below

Endpoint=sb://xxxxx.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=@Microsoft.KeyVault(SecretUri=xxxx.vault.azure.net/secrets/yyyy/zzzzz)

But this isn't working.

The reason I need to do this separation is that I would like to rotate the keys in the key vault, and I can't do that if the whole connection string is stored in the key vault.

UPDATE1:

Splitting the connection string into multiple app setting keys can work for this problem, but it would limit my ability to use, let's say, Service Bus triggered Azure Functions, which require the name of the full connection string key in app settings inside the Run method signature, as below

public static void Run(
    [ServiceBusTrigger("myqueue", AccessRights.Manage, Connection = "ServiceBusConnection")]
    string myQueueItem,
    ILogger log)
{
    log.LogInformation($"Processed message: {myQueueItem}");
}

UPDATE 2:

The workaround I've done so far, which I hope I can replace with a cleaner approach, is to use a regex in my automation PowerShell to replace only the SharedAccessKey portion of the connection string. This way, I'm only using one app setting for the connection string. It's working, but I'm not comfortable with it.

This is the code I'm using in my Automation Runbook:

# Abort on any failure so a half-finished run never overwrites the vault secret with an empty key
$ErrorActionPreference = 'Stop'

$azureAutomationConnectionName = "AzureRunAsConnection"
$servicePrincipalConnection = Get-AutomationConnection -Name $azureAutomationConnectionName

Add-AzureRmAccount -ServicePrincipal -TenantId $servicePrincipalConnection.TenantId -ApplicationId $servicePrincipalConnection.ApplicationId -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint

$resourceGroupName = 'XXXX'
$serviceBusName = 'XXXX'
$serviceBusAccessPolicyName = 'RootManageSharedAccessKey'
$keyVaultName = 'XXXX'
$keyVaultSecretKey = 'XXXX'

# The secret holds the entire connection string
$currentSecret = (Get-AzureKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretKey).SecretValueText

# Regenerate the Service Bus Primary Key. Out-Null keeps the new keys out of the runbook job output.
New-AzureRmServiceBusKey -ResourceGroupName $resourceGroupName -Namespace $serviceBusName -Name $serviceBusAccessPolicyName -RegenerateKey PrimaryKey | Out-Null

# Get the newly regenerated Primary Key
$newPrimaryKey = (Get-AzureRmServiceBusKey -ResourceGroupName $resourceGroupName -Namespace $serviceBusName -Name $serviceBusAccessPolicyName).PrimaryKey
if ([string]::IsNullOrEmpty($newPrimaryKey)) { throw 'Could not read back the regenerated primary key' }

# Replace only the SharedAccessKey component. 'SharedAccessKeyName=' is not matched because 'Name' follows, not '='.
# The key is base64, so it never contains '$', which -replace would otherwise treat as a group reference.
$newSecretStr = $currentSecret -replace 'SharedAccessKey=[^;]*', ('SharedAccessKey=' + $newPrimaryKey)

# Convert the updated connection string to a Secure String
$newSecureSecretStr = ConvertTo-SecureString $newSecretStr -AsPlainText -Force

# Update the Secret Value in the Key Vault (this creates a new secret version)
Set-AzureKeyVaultSecret -VaultName $keyVaultName -Name $keyVaultSecretKey -SecretValue $newSecureSecretStr

Upvotes: 2

Views: 2161
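An added example, not part of the question or answer above: a PowerShell variant of the runbook approach that replaces the regex with a small key=value parser and rotates the key that consumers are not currently holding, so the key already in the vault keeps working until the new secret version is published. The function names (ConvertFrom-ServiceBusConnectionString, Set-SharedAccessKey, Invoke-ServiceBusKeyRotation) are my own, the sample connection string and keys are constructed, and the Azure cmdlets are the same AzureRM cmdlets the runbook uses. One check worth making before relying on any rotation script: a Key Vault reference that pins a version (a SecretUri ending in /secrets/yyyy/zzzzz) keeps resolving that version after Set-AzureKeyVaultSecret creates a new one, so the app setting has to reference the secret without a version for the rotated key to reach the function.

```powershell
# Added example (not from the question or answer). Function names are hypothetical.
# Invoke-ServiceBusKeyRotation needs an authenticated AzureRM context; the parser and self-check run offline.

function ConvertFrom-ServiceBusConnectionString {
    param([Parameter(Mandatory)][string]$ConnectionString)
    # Split on ';' and then on the FIRST '=' only: a base64 SharedAccessKey ends in '=' padding,
    # so a naive split on '=' would truncate it. The ordered dictionary preserves component order.
    $parts = [ordered]@{}
    foreach ($segment in $ConnectionString -split ';') {
        if ([string]::IsNullOrWhiteSpace($segment)) { continue }
        $name, $value = $segment -split '=', 2
        $parts[$name.Trim()] = $value
    }
    return $parts
}

function Set-SharedAccessKey {
    param(
        [Parameter(Mandatory)][string]$ConnectionString,
        [Parameter(Mandatory)][string]$NewKey
    )
    $parts = ConvertFrom-ServiceBusConnectionString -ConnectionString $ConnectionString
    if (-not $parts.Contains('SharedAccessKey')) {
        throw 'Connection string has no SharedAccessKey component'
    }
    # 'SharedAccessKeyName' is a separate entry and is left untouched.
    $parts['SharedAccessKey'] = $NewKey
    return (($parts.GetEnumerator() | ForEach-Object { '{0}={1}' -f $_.Key, $_.Value }) -join ';')
}

function Invoke-ServiceBusKeyRotation {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$Namespace,
        [Parameter(Mandatory)][string]$AuthorizationRuleName,
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$SecretName
    )
    $ErrorActionPreference = 'Stop'
    $current = (Get-AzureKeyVaultSecret -VaultName $VaultName -Name $SecretName).SecretValueText
    $inUse   = (ConvertFrom-ServiceBusConnectionString -ConnectionString $current)['SharedAccessKey']
    $keys    = Get-AzureRmServiceBusKey -ResourceGroupName $ResourceGroupName -Namespace $Namespace -Name $AuthorizationRuleName

    # Regenerate the key that is NOT in the vault. The key consumers hold stays valid until the next run,
    # which gives them time to pick up the new secret version. -ceq because base64 keys are case-sensitive.
    $target = if ($inUse -ceq $keys.SecondaryKey) { 'PrimaryKey' } else { 'SecondaryKey' }

    # Out-Null keeps the regenerated keys out of the runbook job output.
    New-AzureRmServiceBusKey -ResourceGroupName $ResourceGroupName -Namespace $Namespace -Name $AuthorizationRuleName -RegenerateKey $target | Out-Null
    $keys   = Get-AzureRmServiceBusKey -ResourceGroupName $ResourceGroupName -Namespace $Namespace -Name $AuthorizationRuleName
    $newKey = if ($target -eq 'PrimaryKey') { $keys.PrimaryKey } else { $keys.SecondaryKey }
    if ([string]::IsNullOrEmpty($newKey)) { throw "Regenerated $target could not be read back" }

    $updated = Set-SharedAccessKey -ConnectionString $current -NewKey $newKey
    # Creates a new secret version; the app setting must reference the secret WITHOUT a version to see it.
    Set-AzureKeyVaultSecret -VaultName $VaultName -Name $SecretName -SecretValue (ConvertTo-SecureString $updated -AsPlainText -Force) | Out-Null
    return $target
}

# Offline self-check on a constructed connection string (not a real namespace or key).
$sample   = 'Endpoint=sb://contoso-example.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=oldKeyAAAA+BBBB/CCCC='
$rotated  = Set-SharedAccessKey -ConnectionString $sample -NewKey 'newKeyDDDD+EEEE/FFFF='
$expected = 'Endpoint=sb://contoso-example.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=newKeyDDDD+EEEE/FFFF='
if ($rotated -cne $expected) { throw "Self-check failed: $rotated" }
Write-Host 'Self-check passed: only SharedAccessKey changed and the trailing = padding survived.'

# Live use inside a runbook, after Add-AzureRmAccount as in the question:
# Invoke-ServiceBusKeyRotation -ResourceGroupName 'XXXX' -Namespace 'XXXX' -AuthorizationRuleName 'RootManageSharedAccessKey' -VaultName 'XXXX' -SecretName 'XXXX'
```

Run twice and the rotation alternates: the first run regenerates the key the vault does not hold and publishes it, the second run sees that key in the vault and regenerates the other one, so the key that was live before the first run is only invalidated after consumers have had a full cycle to pick up the new secret.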

Answers (1)

Joy Wang

Reputation: 42123

I don't think you can do that; only an app setting with the syntax @Microsoft.KeyVault(...) will be recognized as a Key Vault reference. Otherwise, it will just be recognized as a normal string, without the second half, as in the screenshot.

In your case, the workaround is to store the service bus connection string as two independent app settings and, when you use it, splice them together in code.

For example, one is Endpoint=sb://xxxxx.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey= and the other is @Microsoft.KeyVault(SecretUri=xxxx.vault.azure.net/secrets/yyyy/zzzzz). You can also store the first one as a secret in the key vault; that's up to you.


Upvotes: 2
