Allow Key Vault references to access secrets behind Key Vault Firewall
Key Vault references cannot currently be used to access secrets in a vault that has been configured with Key Vault Firewall / service endpoints.
It should be possible to resolve secrets from Vaults configured this way (provided the web app / function app is configured with the right VNET integration).
We are still planning to deliver this. Some preliminary work is underway, but we’ll wait to switch to the “Started” status until a few things are further along and we have a better sense of the timeline.
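As an added example, not code from this feedback thread or from the Azure product team, the following Python check covers the two things the request turns on: which vaults an app's settings reach through Key Vault references, and whether the vault's `networkAcls` leave it reachable from the public internet or whitelist broad address ranges (the concern raised in the comments below). The vault name, subnet id, settings and ACL values are constructed for the example.

```python
import ipaddress
import re

# Both Key Vault reference forms accepted in App Service / Functions app settings.
KV_REF = re.compile(
    r"@Microsoft\.KeyVault\((?:SecretUri=https://([^.]+)\.vault\.azure\.net/"
    r"|VaultName=([^;)]+))", re.IGNORECASE)

# Constructed networkAcls block in the shape used by Microsoft.KeyVault/vaults:
# default Deny, AzureServices bypass, one host rule, one overly broad range,
# and a VNet rule for the app's integration subnet (path is a placeholder).
SAMPLE_ACLS = {
    "defaultAction": "Deny",
    "bypass": "AzureServices",
    "ipRules": [{"value": "203.0.113.10/32"}, {"value": "198.51.0.0/16"}],
    "virtualNetworkRules": [{"id": "/subscriptions/<sub>/.../subnets/app-integration"}],
}

# Constructed app settings: two Key Vault references and one plain value.
SAMPLE_SETTINGS = {
    "DbPassword": "@Microsoft.KeyVault(SecretUri=https://contoso-kv.vault.azure.net/secrets/DbPassword/)",
    "ApiKey": "@Microsoft.KeyVault(VaultName=contoso-kv;SecretName=ApiKey)",
    "Plain": "not-a-reference",
}


def referenced_vaults(app_settings):
    """Return the vault names that app settings resolve through Key Vault references."""
    names = set()
    for value in app_settings.values():
        m = KV_REF.match(value)
        if m:
            names.add((m.group(1) or m.group(2)).lower())
    return names


def assess_network_acls(acls, max_rule_addresses=256):
    """List the ways a vault's networkAcls leave secrets reachable beyond the app's VNet."""
    findings = []
    # ARM treats a missing defaultAction as Allow, i.e. the vault is open to the internet.
    if acls.get("defaultAction", "Allow").lower() != "deny":
        findings.append("defaultAction is Allow: vault is reachable from any public address")
    for rule in acls.get("ipRules", []):
        net = ipaddress.ip_network(rule["value"], strict=False)
        if net.num_addresses > max_rule_addresses:
            findings.append(f"broad ipRule {net}: {net.num_addresses} addresses allowed")
    if not acls.get("virtualNetworkRules"):
        findings.append("no virtualNetworkRules: a VNet-integrated app cannot be allowed by subnet")
    return findings
```

Run `assess_network_acls` over each vault named by `referenced_vaults` to find apps whose references would only resolve because the vault is open rather than because the app's subnet is allowed.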
Divyajeet Singh commented
I was working on the exact same thing for one of my projects. Your documentation says that it is currently not supported. But I was able to see the logs populating in Key Vault from an Azure DC range. Once I whitelisted that IP, it started working.
My point is, if it is not supported, then the service (WebApp) should not be making calls to Key Vault at all.
But if the service (WebApp) is making a call, then the IP address should be defined only from the outbound ranges that the WebApp is supposed to make calls from.
I am happy that you are working on this feature, but I have a bigger concern about the above-mentioned comment.
- Divyajeet Singh
Any updates on this?
Bent Terp commented
Any updates on this?
Antonio Miron commented
Any ETA on this? The requirement to leave a Key Vault exposed to the whole internet to grab the credentials from an Azure Function renders the function unacceptable for any organization with a set of minimum security requirements, i.e., it's not a viable product.