Azure Key Vault

In order to be able to use Azure Key vault from Azure functions and App Service at first you need to grant permissions to Azure Function app and App Service to read data (in our example we will use Secrets i.e. passwords, app secrets, etc. But you also may use the same technique to access keys and certificates which also may be stored there) from Azure Key vault.

  • At first you need to create System assigned identity. For your Azure function app, navigate to Platform features. For App Service scroll down the Settings group in the left navigation.

  • Select Identity:

Platform features

  • On this page under System assigned tab set Status to On and click Save

System assigned status

  • After that go to Azure Key vault (if you don’t have it yet than create it first) and select Access policies -> Add Access Policy. In opened page select Secret permissions -> Get:
    • if you store keys or certificates in Key vault you have to select appropriate Key or Certificate permissions.

Access policy

  • In Select principal choose name of your Azure Function app. Principal will be available in this field only after creation of Function app principal which we made above.

  • Add Access Policy also for Teamwork App Service.

  • After that your Azure functions and App Service will be able to read values from Azure Key vault. Note that you have to keep it in the following format in app settings:

@Microsoft.KeyVault(SecretUri=https://{key-vault-name}.vault.azure.net/secrets/{secret-name}/{id})
  • Then you may just read this param from app setting and it will be automatically expanded to the actual secret value stored in Key vault.

  • In order to get secret's identifier from Azure Key vault go to Key vault -> Secrets -> Create new secret (e.g. TeamworkServiceAccountPassword) or choose existing secret -> Select current version -> Copy secret identifier:

  • Later when script will ask to enter service account password - paste this value there. Script will warn that it is recommended to use Azure Key vault for storing password instead of plain text:

Note: in order to ensure that access to KeyVault secret is configured properly go to App service > Configuration and click Edit icon for app setting which uses KeyVault references. It should have Status = Resolved: Access policy

If it has error status (e.g. AccessToKeyVaultDenied) then try to delete this setting, save changes, add it again manually and save again. If access was configured properly it should have status resolved after that.