How can we improve Microsoft Azure Functions?

← Azure Functions

Allow Key Vault references to access secrets behind Key Vault Firewall

Key Vault references cannot currently be used to access secrets in a vault that has been configured with Key Vault Firewall / service endpoints.

It should be possible to resolve secrets from Vaults configured this way (provided the web app / function app is configured with the right VNET integration).

71 votes
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

AdminAzure App Service team (Product Owner, Microsoft Azure) shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

12 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Steven Dian commented  ·   ·  Flag as inappropriate

    Would VERY much like this capability added ASAP - lets at least get a preview rolling soon.

  • Andres commented  ·   ·  Flag as inappropriate

    For anyone interested, the whitelist approach does work to allow serverless apps to reference keyvault values. In the portal, in your functions app sidebar -> custom domains, grab that IP and whitelist it. Better than disabling the firewall!

  • Oskari commented  ·   ·  Flag as inappropriate

    Would it be possible to enlighten us with some estimate. This is a big inconvenience for almost every enterprise environment as we need a ton of boilerplate in our code as internet facing keyvaults are a nono.

  • Deyan Petrov commented  ·   ·  Flag as inappropriate

    Just came across another issue - EventHubTrigger with Connection property pointing to a Configuration Setting which is a Key Vault Reference.

    My workaround (resolve explicitly the setting using the Key Vault SDK) does not work here, as there is no way how to dynamically/manually resolve this setting programmatically ... so what should I do here??

    Why would anyone ship Key Vault References without consider security - this is beyond my understanding ..

  • Anonymous commented  ·   ·  Flag as inappropriate

    Any updates on it?

    After a big time investment in moving 20+ functions from Consumption to Premium Plan just to be able to set Vnet Integration now I am hitting this issue :(((

  • Divyajeet Singh commented  ·   ·  Flag as inappropriate

    Hi All,

    I was working on exact same thing for one of my project. You documentation says that it is currently not supported. But I was able to see the logs populating in Key Vault from an Azure DC range. Once I whitelisted that IP it started working.

    My point is if it is not supported then service (WebApp) should not be making calls to Key Vault at all.
    But if service (WebApp) is making a call then the IP address should be defined only from the Outbound ranges that WebApp is supposed to make call from.

    I am happy that you are working on this feature but I have a bigger concern on above mentioned comment.

    - Divyajeet Singh

  • Antonio Miron commented  ·   ·  Flag as inappropriate

    Any ETA on this? The requirement to leave a Key Vault exposed to the whole internet to grab the credentials from an Azure Function renders the function unacceptable for any organization with a set of minimum security requirements, i.e., it's not a viable product.

Azure Functions: Feature

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice