Add binding to Key Vault

Functions often need password, API keys, and connection strings to connect to other services and retrieve data. It would be great if those secrets could easily be obtained from Key Vault.

398 votes

Anonymous shared this idea · June 04, 2016 · Flag idea as inappropriate… · Admin →

completed ·

AdminAzure App Service team (Product Owner, Microsoft Azure) responded · October 15, 2019

Hi all,

Thank you all for the comments and feedback. We’re very pleased to announce that support for Key Vault references is now generally available! You can find the update here: https://azure.microsoft.com/updates/general-availability-of-key-vault-references-in-app-service-and-azure-functions/

The work certainly doesn’t stop here. We are looking to add support for additional networking configurations, and work is underway for rotation handling (making the version string optional). Please consider putting votes towards these features as well! They are captured below.

Rotation: https://feedback.azure.com/forums/169385/suggestions/36532414

Firewall/ServiceEndpoints: https://feedback.azure.com/forums/355860/suggestions/38817385

Again, thanks for all of the input on this item. It really does make a difference.

- Matthew

Show previous admin responses (3)

started ·

AdminAzure Functions team (Product Owner, Microsoft Azure) responded · November 28, 2018

Hi all,

We’re pleased to announce a public preview of our Key Vault references feature, which you can learn more about here: https://azure.microsoft.com/en-us/blog/simplifying-security-for-serverless-and-web-apps-with-azure-functions-and-app-service/

There are some limitations to the initial preview, but we’re hoping to address those very soon. We’re looking forward to your feedback!

Thank you,
Matthew, Azure Functions team

started ·

AdminAzure App Service team (Product Owner, Microsoft Azure) responded · October 18, 2018

Hi all,

This will be available this calendar year.

I want to clarify that it is not planned as a separate binding, but rather as a core capability that applies to all bindings. This means that all secrets used for binding configuration (and any others, too) can be sourced from Key Vault. The design involves the app setting value being a reference to a secret in Key Vault, so all you would need to do is make a change to App Settings. The platform will use the managed identity of the application to resolve the secret and make it available to code. The initial release will require secret versions to be explicitly defined, but we are hoping to develop automatic rotation semantics for future updates.

Thanks to everyone for all of the active discussion here. We understand this is an incredibly important and long-anticipated feature, and we’re really looking forward to getting it into your hands soon.

Matthew, Azure Functions team

under review ·

AdminAzure App Service team (Product Owner, Microsoft Azure) responded · August 08, 2016

This is a good idea. We’ll look at this later when we’re ready to start adding more bindings (likely after we GA).

52 comments

An error occurred while saving the comment

Dimka M commented · June 29, 2017 17:00 · Flag as inappropriate

This is really needed. More importantly a caching mechanism is required so that keyvault does not get overwhelmed with requests when function infinitely scales. (see discussion here: https://github.com/Azure/azure-webjobs-sdk/issues/746)

Submitting...
Nathan Anderson commented · June 27, 2017 03:14 · Flag as inappropriate

ping for update.

Submitting...
Anonymous commented · June 09, 2017 06:45 · Flag as inappropriate

Has this been implemented by any chance. All clients want to maintain their security information in Key Vault

Submitting...
Ahmet Arsan commented · May 21, 2017 06:32 · Flag as inappropriate

Can't use Functions without this. This is an absolute must. ETA?

Submitting...
Adam Modlin commented · May 16, 2017 13:34 · Flag as inappropriate

Any updates here? My customer requires all connection strings be stored in KeyVault and this is a problem for using functions.

Submitting...
Parry Kitchner commented · May 11, 2017 04:01 · Flag as inappropriate

Add this binding and Azure Function usage will hit an all new high! It would be great not to have to re-store the secrets in the App Config.

Submitting...
Gary Mitchell commented · April 17, 2017 09:07 · Flag as inappropriate

Any idea when this might become available? I really need it. The cert approach didn't get approved by IT Security.

Submitting...
Henrik commented · April 06, 2017 06:24 · Flag as inappropriate

A necessary feature, and overall great idea. Examples of securables are tokens (like Github, Slack) and certificates.

Submitting...
Joshua Toon commented · March 17, 2017 10:43 · Flag as inappropriate

This would be great.

Submitting...
Gerald Wiltse commented · February 17, 2017 21:02 · Flag as inappropriate

Food for thought, this recent development in .NET Core might reduce the amount of custom code you need for this.

https://docs.microsoft.com/en-us/aspnet/core/security/key-vault-configuration#controlling-access-to-the-clientsecret

Submitting...
Gerald Wiltse commented · January 18, 2017 22:12 · Flag as inappropriate

I believe I read somewhere that this had basically been accepted and if so, this is just a ping to update status here.

Submitting...
San G commented · November 15, 2016 20:53 · Flag as inappropriate

There is no feature in azure functions to azure key vault integration for Trigger and Outputs connection strings.

Please suggest any alternative solutions for this feature.

Submitting...