Add binding to Key Vault
Functions often need passwords, API keys, and connection strings to connect to other services and retrieve data. It would be great if those secrets could easily be obtained from Key Vault.
Thank you all for the comments and feedback. We’re very pleased to announce that support for Key Vault references is now generally available! You can find the update here: https://azure.microsoft.com/updates/general-availability-of-key-vault-references-in-app-service-and-azure-functions/
The work certainly doesn’t stop here. We are looking to add support for additional networking configurations, and work is underway for rotation handling (making the version string optional). Please consider putting votes towards these features as well! They are captured below.
Again, thanks for all of the input on this item. It really does make a difference.
Tom Kerkhove commented
@Tsahi Whatever you do, do not cache secrets in a persistent cache/storage outside of Key Vault :)
You can always access Key Vault directly from the Key Vault SDK, and even cache the results in Storage Tables if you like. And restrict access to it on a need-to-know basis only.
Denis Oliana commented
It would be great if there was an update: I don't think that this is still under review after 1.5 years ;-)
Ciaran Colgan commented
Hi - if we can't have ServiceBus Triggered Functions having built-in integration with KeyVault or something that allows us to actually connect to ServiceBus without storing the ServiceBus connection string, then these are effectively useless in any kind of secure deployment. This is a real showstopper for us; it basically invalidates our use of ServiceBus.
Connor Dickson commented
Azure Functions needs to have this functionality to be considered production ready. It's not acceptable to have to store connection strings in AppSettings. It's a good start to have integration with MSI like WebApps. Using this MSI to connect directly to services such as ServiceBus and KeyVault to configure bindings is a must.
Jonathan Boarman commented
Here's an additional place to make your voice heard on this: https://github.com/Azure/azure-webjobs-sdk/issues/746
Murray Foxcroft commented
Any progress on retrieving binding connections from KV?
Petro Sasnyk commented
Without such functionality Azure Functions is a useless toy.
Any update on this? We need to store the queue connection string in Key Vault for a Queue-based Azure function.
Jonathan Rubin Yaniv commented
What is the status of this?
We would really like to have it working in the near future.
I think that Managed Service Identity is something that allows accessing Key Vault. Maybe not as easily as with binding, but still...
Hitae Shin commented
Any updates on this? This is a must-have.
Dimka M commented
Still need this.
Jeremiah Isaacson commented
Necessary for the enterprise.
Why hasn't there been an update on this? I can't use Azure Functions if connection strings and other secrets have to be stored in clear text.
Ronny Khan commented
Abdullah Kuzhan commented
Hi, is there any update on this?
Steve Velcev commented
Hello Microsoft, please could you provide your clients with an update on whether this feature has been implemented yet?
Any change in status for this? Almost a year since "under review".
Dimka M commented
This is really needed. More importantly, a caching mechanism is required so that Key Vault does not get overwhelmed with requests when the function infinitely scales. (See discussion here: https://github.com/Azure/azure-webjobs-sdk/issues/746)