Reputation: 23
keyVaultClient - get a secret
I am using Azure function to do an action, in this action I need to get a secret from a keyvault. I am using this code in order to get the secret
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient((authority, resource, scope) => azureServiceTokenProvider.GetAccessTokenAsync(resource));
var secret= await keyVaultClient.GetSecretAsync($"https://{KeyVaultName}.vault.azure.net/", "SecretName");
When I run it locally it's work but when I run the function in azure I am getting an error "Forbidden" How can I get the secret from a keyVault inside my azure function?
Thanks!
Upvotes: 0
Views: 2158
Answers (2)
Reputation: 40
Forbidden might indicate that the identity assumed by the Azure Function does not have access rights over the specific Azure Key Vault.
From the Azure Portal or via CLI/API, head into the relevant Azure Key Vault resource -> Access Policies -> Add Access Policy -> Assign the Azure Function identity with the following permissions:
- Secret List
- Secret Get
Upvotes: 2
Reputation: 16108
Instead of using the KeyVault client inside your Function, you can have it much more simple if you can use KeyVault-referenced AppSettings (depends a bit of course on your scenario if thats an option). https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references
Then you can simple use the secret like any setting and read it as an Env variable.
Upvotes: 0
Related Questions
- Either this secret is disabled or you do not have the "Get" secret permission
- Fetching access token for keyvault
- SecretClient - get secret from azure KeyVault
- Accessing AzureKeyVault
- Azure KeyVault Get Secret API responds with 404 or 401 error
- Azure KeyVault Secret Get Throws Authentication Error
- Access Azure Key Vault secret in Azure Function
- Fetching secrets from keyVault from Azure in c#
- Unable to retrieve secret in Azure Function - Access Denied
- Keyvault Authentication (REST API)