Add binding to Key Vault

Functions often need password, API keys, and connection strings to connect to other services and retrieve data. It would be great if those secrets could easily be obtained from Key Vault.

398 votes

(thinking…)

Microsoft

Forgot password?

Create a password

Signed in as (Sign out)

We’ll send you updates on this idea

Anonymous shared this idea · Jun 4, 2016 · Flag idea as inappropriate… · Admin →

completed ·

AdminAzure App Service team (Product Owner, Microsoft Azure) responded · Oct 15, 2019

Hi all,

Thank you all for the comments and feedback. We’re very pleased to announce that support for Key Vault references is now generally available! You can find the update here: https://azure.microsoft.com/updates/general-availability-of-key-vault-references-in-app-service-and-azure-functions/

The work certainly doesn’t stop here. We are looking to add support for additional networking configurations, and work is underway for rotation handling (making the version string optional). Please consider putting votes towards these features as well! They are captured below.

Rotation: https://feedback.azure.com/forums/169385/suggestions/36532414

Firewall/ServiceEndpoints: https://feedback.azure.com/forums/355860/suggestions/38817385

Again, thanks for all of the input on this item. It really does make a difference.

- Matthew

Show previous admin responses (3)

started ·

AdminAzure Functions team (Product Owner, Microsoft Azure) responded · Nov 28, 2018

Hi all,

We’re pleased to announce a public preview of our Key Vault references feature, which you can learn more about here: https://azure.microsoft.com/en-us/blog/simplifying-security-for-serverless-and-web-apps-with-azure-functions-and-app-service/

There are some limitations to the initial preview, but we’re hoping to address those very soon. We’re looking forward to your feedback!

Thank you,
Matthew, Azure Functions team

started ·

AdminAzure App Service team (Product Owner, Microsoft Azure) responded · Oct 18, 2018

Hi all,

This will be available this calendar year.

I want to clarify that it is not planned as a separate binding, but rather as a core capability that applies to all bindings. This means that all secrets used for binding configuration (and any others, too) can be sourced from Key Vault. The design involves the app setting value being a reference to a secret in Key Vault, so all you would need to do is make a change to App Settings. The platform will use the managed identity of the application to resolve the secret and make it available to code. The initial release will require secret versions to be explicitly defined, but we are hoping to develop automatic rotation semantics for future updates.

Thanks to everyone for all of the active discussion here. We understand this is an incredibly important and long-anticipated feature, and we’re really looking forward to getting it into your hands soon.

Matthew, Azure Functions team

under review ·

AdminAzure App Service team (Product Owner, Microsoft Azure) responded · Aug 8, 2016

This is a good idea. We’ll look at this later when we’re ready to start adding more bindings (likely after we GA).

52 comments

Add a comment…

Attach a File

(thinking…)

Microsoft

Forgot password?

Create a password

Signed in as (Sign out)

Submitting...

An error occurred while saving the comment

Brandon Hurlburt commented · February 10, 2020 8:17 AM · Flag as inappropriate

May want to check this out? https://github.com/brandonh-msft/Azure-Functions-KeyVault-Binding

Submitting...
Daniel commented · September 25, 2019 2:45 PM · Flag as inappropriate

Can we also not specify the version for the secret? One of the big perks of the key vault is the ability to update a secret without making any other changes.

Submitting...
Daniel Ferreira commented · August 6, 2019 1:52 AM · Flag as inappropriate

Oh my gosh, this is urgently needed!

Submitting...
Penberthy, Jonathon (GE Aviation) commented · May 13, 2019 9:16 AM · Flag as inappropriate

ServiceBus trigger function, creds in the config, FAIL!

Submitting...
Srikanth commented · May 10, 2019 7:20 AM · Flag as inappropriate

It's been more than 6 months now.. Is it still in public preview? This is some thing that can not really wait so long :)

Submitting...
Mahesh Nagaiah commented · December 27, 2018 1:38 AM · Flag as inappropriate

We are looking forward for the General availability dates of this feature. Can you please share the same?

Submitting...
Brett Caswell commented · November 7, 2018 1:59 PM · Flag as inappropriate

is the KeyVaultSample in the github source of Microsoft.Extensions.Configuration package a suitable workaround for this?

https://www.nuget.org/packages/Microsoft.Extensions.Configuration/

also,
Is your recommendation to still use EnvironmentVariables (as stated in the last paragraph here: https://docs.microsoft.com/en-us/azure/azure-functions/functions-dotnet-class-library#environment-variables )

Submitting...
Chris Thompson commented · October 19, 2018 4:04 AM · Flag as inappropriate

ooo, this is nice... assume it's only for functions v2.0 ?

Submitting...
Geek Squad Tech Support commented · October 19, 2018 3:45 AM · Flag as inappropriate

Well, I must appreciate your efforts in writing blogs. They are informative. But, also keep your website updated with antivirus. For relevant help contact Geek Squad Tech Support. https://geeksquad-usa.com/

Submitting...
Boris Wilhelms commented · October 8, 2018 1:06 PM · Flag as inappropriate

I have created a nuget package, that integrates Azure KeyVault into Azure Functions (MSI enabled, can be used with AutoResolve and AppSettings properties, etc). Feel free to test and give feedback :-)

https://github.com/BorisWilhelms/azure-function-keyvault

Submitting...
Vinny commented · September 10, 2018 7:55 AM · Flag as inappropriate

Any news on this feature ? We're using Azure Functions v2 with MSI and accessing secrets within the function works. However, now I require those secrets to also be accessible in the trigger bindings for eventhub and servicebus connections due to security reasons. When can we expect this feature?

Submitting...
Hacinto Moen commented · August 14, 2018 4:58 AM · Flag as inappropriate

Looking forward to this!

Submitting...
Anonymous commented · August 13, 2018 5:09 AM · Flag as inappropriate

Come on, 2018 and still not implemented? It makes Az Funcs useless ..

Submitting...
Anonymous commented · August 3, 2018 12:52 AM · Flag as inappropriate

Any updates on this. We are using EventHubTrigger in Azure Functions, but it requires binding connection string into local.settings.json whereas we have all our applications migrated to KeyVault secrets. We would like to follow the same approach with Azure Functions but it doesn't seem supported for now. Can you please provide this feature as soon as possible, as already Azure Functions 2.0 (~beta) is already out and in use.

Submitting...
Jacque de Kock commented · July 31, 2018 3:16 AM · Flag as inappropriate

Very high in demand. We often have to over complicate infrastructure to achieve this function. Cannot wait for it to be available.

Submitting...
Akshay Kochhar commented · July 27, 2018 12:50 AM · Flag as inappropriate

Please support this

Submitting...
srinivasu commented · July 25, 2018 10:50 PM · Flag as inappropriate

Please support at the earliest (MSI enabled function and secret Uri in trigger binding)

Submitting...
Steve Haeney commented · June 29, 2018 2:10 AM · Flag as inappropriate

Just to echo what many are saying. Without KeyVault access directly in the bindings, you're unlikely to be able to use Azure Functions with Queues/Topics in the Enterprise.

Storing the connection string in plain text in the configuration is a no-go

Submitting...
Vivek Desai commented · June 27, 2018 4:43 PM · Flag as inappropriate

Upvoting this request. from the Aug 2016 reply it seems this is being interpreted as a request to add Keyvault as a new binding ("when we’re ready to start adding more bindings"). What is really required to to have existing bindings resolve secrets from a Keyvault configuration source rather than looking to resolve them from json or env variables only.

The Keyvault + Managed Service Identity is an excellent combination, but without the ability of bindings like cosmosdb, storage table etc to retrieve connection strings from key vault source, it is becoming impossible to use Key vault and MSI for Azure Functions.

Submitting...
Tom Castiglia commented · May 28, 2018 11:16 PM · Flag as inappropriate

Wow, surprised to see this is not supported yet. Hope the Azure App Service Team can respond soon with an update/ETA.

Submitting...