Allow Key Vault references to access secrets behind Key Vault Firewall
Key Vault references cannot currently be used to access secrets in a vault that has been configured with Key Vault Firewall / service endpoints.
It should be possible to resolve secrets from Vaults configured this way (provided the web app / function app is configured with the right VNET integration).

We are still planning to deliver this. Some preliminary work is underway, but we’ll wait to switch to the “Started” status until a few things are further along and we have a better sense of the timeline.
22 comments
-
Jonas Sandbekk commented
Any updates on this? Is it possible to add the inbound IP address to the firewall and use that? Seems to be working, but it's also in the outbound IP list, so unsure if it's actually a solution or something that will come back to bite us.
-
Anonymous commented
Any idea when this will be available? Whitelisting web app IPs is not acceptable in my organisation
-
Filipe Ines commented
When we use Vnet Integration in the Azure Functions and a keyVault with firewall enabled for the Azure Function Vnet, the following behaviour happens:
In the azure portal, Azure Function/configuration/application settings, if we try to create a new entry with a reference to a keyvault secret it will give an error, "Key Vault reference was not able to be resolved because site was denied access to Key Vault", on the other way, inside the function code, we can access the keyvault secret using the following statement or similar:
var secretValue = await KeyVault.GetSecret(System.Environment.GetEnvironmentVariable("KeyVaultUrl"), "s30cosmosdbhs1-URL");We would appreciate, that it must be possible to access keyvault, from the configuration of the app setting as it is possible from the code inside a function
-
Carlos Mendible commented
Any update or ETA on this? This has become a huge road blocker to implement secure solutions in many of my customers with high security requirements (i.e. financial & health)
-
Nathan Manzi commented
Echoing others here, this is an extremely important requirement for us with a large project to migrate apps into Azure.
-
stephen stroud commented
Spent a while trying to figure out why the secrets weren't resolving... a needed feature!
-
Pope, Kyle (GE Aviation, US) commented
We just hit this today too. Last update was almost a year ago, can we please get an update on when this will be planned so we can communicate this to our management?
-
Bartosz Kwiecinski commented
What is the ETA on this feature. It is really important from our organization.
-
Collis, Matthew commented
An eta would be great. As others have mentioned, opening up keyvault is not an option for a security conscious company. Also, whitelisting the public function IP should not be necessary with vnet integrated functions....
-
Takekazu Omi commented
What is the ETA on this?
-
Steven Dian commented
Would VERY much like this capability added ASAP - lets at least get a preview rolling soon.
-
Anonymous commented
Andres, great tip and it works :)
-
Andres commented
For anyone interested, the whitelist approach does work to allow serverless apps to reference keyvault values. In the portal, in your functions app sidebar -> custom domains, grab that IP and whitelist it. Better than disabling the firewall!
-
Oskari commented
Would it be possible to enlighten us with some estimate. This is a big inconvenience for almost every enterprise environment as we need a ton of boilerplate in our code as internet facing keyvaults are a nono.
-
Anonymous commented
What is the ETA on this?
-
Arunprasath Senthikumararaj commented
When it is scheduled to provide this functionality ?
-
Deyan Petrov commented
Just came across another issue - EventHubTrigger with Connection property pointing to a Configuration Setting which is a Key Vault Reference.
My workaround (resolve explicitly the setting using the Key Vault SDK) does not work here, as there is no way how to dynamically/manually resolve this setting programmatically ... so what should I do here??
Why would anyone ship Key Vault References without consider security - this is beyond my understanding ..
-
Anonymous commented
Any updates on it?
After a big time investment in moving 20+ functions from Consumption to Premium Plan just to be able to set Vnet Integration now I am hitting this issue :(((
-
Divyajeet Singh commented
Hi All,
I was working on exact same thing for one of my project. You documentation says that it is currently not supported. But I was able to see the logs populating in Key Vault from an Azure DC range. Once I whitelisted that IP it started working.
My point is if it is not supported then service (WebApp) should not be making calls to Key Vault at all.
But if service (WebApp) is making a call then the IP address should be defined only from the Outbound ranges that WebApp is supposed to make call from.I am happy that you are working on this feature but I have a bigger concern on above mentioned comment.
- Divyajeet Singh
-
Denise commented
Any updates on this?