Reputation: 665
I have set up a function app with a system-managed identity and a key vault that has access policies set to Get, List, Set, Delete, Recover for this function app set as principal:
I have tried these snippets but all gave me the same error:
Test 1:
var secretUriString = "https://keyvaultname.vault.azure.net";
Uri keyvaultUri = new System.Uri(secretUriString);
var credential = new ManagedIdentityCredential();
SecretClient keyVaultClient = new SecretClient(keyvaultUri, credential);
var secret = await keyVaultClient.GetSecretAsync(SecretURI(secretnamestring))
.ConfigureAwait(false);
Test 2:
var secretUriString = "https://keyvaultname.vault.azure.net";
Uri secretUri = new System.Uri(secretUriString);
SecretClient keyVaultClient = new SecretClient(secretUri, new DefaultAzureCredential());
var secret = await keyVaultClient.GetSecretAsync(SecretURI(secretnamestring))
.ConfigureAwait(false);
I run a function in this function app on Azure or locally and I get this error:
[2022-12-03T10:16:16.824Z] Executed 'functionInTheFunctionApp' (Failed, Id=39df84b7-3b9a-410d-8d93-af5424fa745e, Duration=506ms)
[2022-12-03T10:16:16.824Z] System.Private.CoreLib: Exception while executing function: UserAccessProcessios3. Azure.Security.KeyVault.Secrets: Service request failed.
[2022-12-03T10:16:16.825Z] Status: 400 (Bad Request)
[2022-12-03T10:16:16.826Z]
[2022-12-03T10:16:16.826Z] Content:
[2022-12-03T10:16:16.827Z] <!DOCTYPE html>
[2022-12-03T10:16:16.827Z] <html>
[2022-12-03T10:16:16.828Z] <head>
[2022-12-03T10:16:16.829Z] <title>Runtime Error</title>
[2022-12-03T10:16:16.829Z] <meta name="viewport" content="width=device-width" />
[2022-12-03T10:16:16.830Z] <style>
[2022-12-03T10:16:16.831Z] body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
[2022-12-03T10:16:16.832Z] p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
[2022-12-03T10:16:16.832Z] b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
[2022-12-03T10:16:16.833Z] H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
[2022-12-03T10:16:16.834Z] H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
[2022-12-03T10:16:16.835Z] pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt}
[2022-12-03T10:16:16.835Z] .marker {font-weight: bold; color: black;text-decoration: none;}
[2022-12-03T10:16:16.836Z] .version {color: gray;}
[2022-12-03T10:16:16.836Z] .error {margin-bottom: 10px;}
[2022-12-03T10:16:16.837Z] .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
[2022-12-03T10:16:16.838Z] @media screen and (max-width: 639px) {
[2022-12-03T10:16:16.838Z] pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; }
[2022-12-03T10:16:16.839Z] }
[2022-12-03T10:16:16.840Z] @media screen and (max-width: 479px) {
[2022-12-03T10:16:16.840Z] pre { width: 280px; }
[2022-12-03T10:16:16.841Z] }
[2022-12-03T10:16:16.842Z] </style>
[2022-12-03T10:16:16.842Z] </head>
[2022-12-03T10:16:16.843Z]
[2022-12-03T10:16:16.843Z] <body bgcolor="white">
[2022-12-03T10:16:16.844Z]
[2022-12-03T10:16:16.844Z] <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
[2022-12-03T10:16:16.845Z]
[2022-12-03T10:16:16.845Z] <h2> <i>Runtime Error</i> </h2></span>
[2022-12-03T10:16:16.846Z]
[2022-12-03T10:16:16.847Z] <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
[2022-12-03T10:16:16.848Z]
[2022-12-03T10:16:16.848Z] <b> Description: </b>An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
[2022-12-03T10:16:16.849Z] <br><br>
[2022-12-03T10:16:16.850Z]
[2022-12-03T10:16:16.850Z] <b>Details:</b> To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".<br><br>
[2022-12-03T10:16:16.851Z]
[2022-12-03T10:16:16.851Z] <table width=100% bgcolor="#ffffcc">
[2022-12-03T10:16:16.852Z] <tr>
[2022-12-03T10:16:16.853Z] <td>
[2022-12-03T10:16:16.853Z] <code><pre>
[2022-12-03T10:16:16.854Z]
[2022-12-03T10:16:16.854Z] <!-- Web.Config Configuration File -->
[2022-12-03T10:16:16.855Z]
[2022-12-03T10:16:16.855Z] <configuration>
[2022-12-03T10:16:16.856Z] <system.web>
[2022-12-03T10:16:16.857Z] <customErrors mode="Off"/>
[2022-12-03T10:16:16.857Z] </system.web>
[2022-12-03T10:16:16.858Z] </configuration></pre></code>
[2022-12-03T10:16:16.858Z]
[2022-12-03T10:16:16.859Z] </td>
[2022-12-03T10:16:16.859Z] </tr>
[2022-12-03T10:16:16.860Z] </table>
[2022-12-03T10:16:16.861Z]
[2022-12-03T10:16:16.861Z] <br>
[2022-12-03T10:16:16.862Z]
[2022-12-03T10:16:16.862Z] <b>Notes:</b> The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's <customErrors> configuration tag to point to a custom error page URL.<br><br>
[2022-12-03T10:16:16.863Z]
[2022-12-03T10:16:16.864Z] <table width=100% bgcolor="#ffffcc">
[2022-12-03T10:16:16.864Z] <tr>
[2022-12-03T10:16:16.865Z] <td>
[2022-12-03T10:16:16.866Z] <code><pre>
[2022-12-03T10:16:16.866Z]
[2022-12-03T10:16:16.867Z] <!-- Web.Config Configuration File -->
[2022-12-03T10:16:16.868Z]
[2022-12-03T10:16:16.868Z] <configuration>
[2022-12-03T10:16:16.869Z] <system.web>
[2022-12-03T10:16:16.869Z] <customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>
[2022-12-03T10:16:16.870Z] </system.web>
[2022-12-03T10:16:16.870Z] </configuration></pre></code>
[2022-12-03T10:16:16.871Z]
[2022-12-03T10:16:16.871Z] </td>
[2022-12-03T10:16:16.872Z] </tr>
[2022-12-03T10:16:16.873Z] </table>
[2022-12-03T10:16:16.873Z]
[2022-12-03T10:16:16.874Z] <br>
[2022-12-03T10:16:16.874Z]
[2022-12-03T10:16:16.875Z] </body>
[2022-12-03T10:16:16.875Z] </html>
[2022-12-03T10:16:16.876Z]
[2022-12-03T10:16:16.876Z]
[2022-12-03T10:16:16.877Z] Headers:
[2022-12-03T10:16:16.878Z] Cache-Control: private
[2022-12-03T10:16:16.878Z] X-Content-Type-Options: REDACTED
[2022-12-03T10:16:16.879Z] Strict-Transport-Security: REDACTED
[2022-12-03T10:16:16.880Z] Date: Sat, 03 Dec 2022 10:16:16 GMT
[2022-12-03T10:16:16.880Z] Content-Type: text/html; charset=utf-8
[2022-12-03T10:16:16.881Z] Content-Length: 3420
[2022-12-03T10:16:16.882Z] .
AppInsight inner log doesn't guide me what the problem is:
Microsoft.Azure.WebJobs.Host.FunctionInvocationException:
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor+<ExecuteWithLoggingAsync>d__26.MoveNext (Microsoft.Azure.WebJobs.Host, Version=3.0.34.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35: C:\projects\azure-webjobs-sdk-rqm4t\src\Microsoft.Azure.WebJobs.Host\Executors\FunctionExecutor.cs:352)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor+<TryExecuteAsync>d__18.MoveNext (Microsoft.Azure.WebJobs.Host, Version=3.0.34.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35: C:\projects\azure-webjobs-sdk-rqm4t\src\Microsoft.Azure.WebJobs.Host\Executors\FunctionExecutor.cs:108)
Inner exception Azure.RequestFailedException handled at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw:
at Azure.Security.KeyVault.KeyVaultPipeline.SendRequest (Azure.Security.KeyVault.Secrets, Version=4.4.0.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
at Azure.Security.KeyVault.KeyVaultPipeline.SendRequest (Azure.Security.KeyVault.Secrets, Version=4.4.0.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
at Azure.Security.KeyVault.Secrets.SecretClient.GetSecret (Azure.Security.KeyVault.Secrets, Version=4.4.0.0, Culture=neutral, PublicKeyToken=92742159e12e44c8)
at functionapprojectname.HelperMethods+<GetKVPassword>d__24.MoveNext (functionapprojectname, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null: C:\directory\Function1.cs:3386)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at functionappprojectname.Function1+<UserAccessProcessios3>d__9.MoveNext (functionappprojectname, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null: C:\directory\Function1.cs:4313)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at Microsoft.Azure.WebJobs.Host.Executors.FunctionInvoker`2+<InvokeAsync>d__10.MoveNext (Microsoft.Azure.WebJobs.Host, Version=3.0.34.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35: C:\projects\azure-webjobs-sdk-rqm4t\src\Microsoft.Azure.WebJobs.Host\Executors\FunctionInvoker.cs:52)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor+<InvokeWithTimeoutAsync>d__33.MoveNext (Microsoft.Azure.WebJobs.Host, Version=3.0.34.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35: C:\projects\azure-webjobs-sdk-rqm4t\src\Microsoft.Azure.WebJobs.Host\Executors\FunctionExecutor.cs:581)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor+<ExecuteWithWatchersAsync>d__32.MoveNext (Microsoft.Azure.WebJobs.Host, Version=3.0.34.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35: C:\projects\azure-webjobs-sdk-rqm4t\src\Microsoft.Azure.WebJobs.Host\Executors\FunctionExecutor.cs:527)
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at System.Runtime.CompilerServices.TaskAwaiter.GetResult (System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at Microsoft.Azure.WebJobs.Host.Executors.FunctionExecutor+<ExecuteWithLoggingAsync>d__26.MoveNext (Microsoft.Azure.WebJobs.Host, Version=3.0.34.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35: C:\projects\azure-webjobs-sdk-rqm4t\src\Microsoft.Azure.WebJobs.Host\Executors\FunctionExecutor.cs:306)
Packages installed in latest VS2022:
Upvotes: 0
Views: 1109
Reputation: 2078
Here, in GetSecretAsync, try passing the name of the secret as a string.
Here, just like you, I created an Azure function and added the permission for it in the Azure key vault. I have an HTTP trigger which will return the secret from the key vault. Also, the secret value here is hello world.
My code:
var cred = new ManagedIdentityCredential(); // new DefaultAzureCredential();
var client = new SecretClient(new Uri("<Key Vault URL >"), cred);
var secret = await client.GetSecretAsync("Name of Secret ").ConfigureAwait(false);
Upvotes: 1
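The answer above says to pass the secret's name, not a URI, to GetSecretAsync. As an added example (not part of the original question or answer), the helper below accepts either a bare name or a full secret identifier URI, checks that an identifier belongs to the client's own vault, and rejects anything else before a request is sent. The class and method names are hypothetical, and the caller is assumed to already hold a configured SecretClient.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Azure;
using Azure.Security.KeyVault.Secrets;

// Hypothetical helper: the names here are illustrative, not from the original post.
public static class KeyVaultSecretReader
{
    // Key Vault secret names: 1-127 characters, letters, digits and dashes only.
    private static readonly Regex SecretName = new Regex("^[0-9a-zA-Z-]{1,127}$");

    // Accepts a bare secret name or a full secret identifier URI
    // (https://<vault>.vault.azure.net/secrets/<name>[/<version>]).
    public static async Task<string> ReadAsync(SecretClient client, string nameOrId)
    {
        string name = nameOrId;
        string version = null;

        if (Uri.TryCreate(nameOrId, UriKind.Absolute, out Uri id) &&
            KeyVaultSecretIdentifier.TryCreate(id, out KeyVaultSecretIdentifier parsed))
        {
            // Refuse identifiers that point at a different vault than the client's.
            if (!string.Equals(parsed.VaultUri.Host, client.VaultUri.Host,
                               StringComparison.OrdinalIgnoreCase))
                throw new ArgumentException("Secret identifier belongs to another vault.", nameof(nameOrId));
            name = parsed.Name;
            version = parsed.Version;
        }

        // Fail locally with a clear message instead of sending a malformed request.
        if (!SecretName.IsMatch(name))
            throw new ArgumentException("Expected a secret name or a secret identifier URI.", nameof(nameOrId));

        try
        {
            Response<KeyVaultSecret> response =
                await client.GetSecretAsync(name, version).ConfigureAwait(false);
            return response.Value.Value;
        }
        catch (RequestFailedException ex)
        {
            // Status and ErrorCode are enough to triage; avoid logging the full response body.
            Console.Error.WriteLine($"Key Vault request failed: {ex.Status} {ex.ErrorCode}");
            throw;
        }
    }
}
```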