Azure Infrastructure Blog
Storing Azure Function Keys in Key Vault Using User Assigned Managed Identity

PratibhaShenoy
Mar 14, 2025

In this blog, we will explore how to securely store Azure Function keys in Azure Key Vault using User Assigned Managed Identity (UAMI). By default, keys are stored in a Blob storage container in the account provided by the AzureWebJobsStorage setting. However, for enhanced security, we can store these keys in Azure Key Vault.

Steps to Store Function Keys in Key Vault Using UAMI

  1. Create a User Assigned Managed Identity (UAMI)
    • Create a UAMI that will be used to access the Key Vault.
  2. Add Role Assignment on the UAMI
    • Assign the "Key Vault Secrets Officer" role to the UAMI. This role allows the UAMI to manage secrets within the Key Vault. 

       

  3. Add the UAMI to the Function App
    • Configure the Function App to use the UAMI for accessing the Key Vault. 

       

  4. Add the Required App Settings
    • Add the following app settings to the Function App:
      • AzureWebJobsSecretStorageType = keyvault
      • AzureWebJobsSecretStorageKeyVaultUri = https://<your-keyvault-name>.vault.azure.net/
      • AzureWebJobsSecretStorageKeyVaultClientId = <your-uami-client-id>

        To fetch these values:

        • Key Vault URI: Navigate to your Key Vault in the Azure Portal and copy the URI from the "Overview" section.
        • Client ID of UAMI: Navigate to the User Assigned Managed Identity in the Azure Portal and copy the Client ID from the "Overview" section.

         

  5. Restart the Function App
    • Finally, restart the Function App to apply the changes.
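
The five steps above as an Azure CLI script. This is an added example, not part of the original post; the function name `store_keys_in_keyvault` and its four arguments are assumptions, as is that the Function App and Key Vault already exist and that the vault uses the Azure RBAC permission model.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). The function name and the four
# arguments are assumptions; the Function App and Key Vault must already exist,
# and the vault must use the Azure RBAC permission model for the role to apply.
# Usage: store_keys_in_keyvault <resource-group> <function-app> <key-vault> <uami-name>
store_keys_in_keyvault() {
  local rg="$1" app="$2" vault="$3" uami="$4"
  local uami_id principal_id client_id vault_id vault_uri

  # Step 1: create the user-assigned managed identity and read back its IDs.
  az identity create -g "$rg" -n "$uami" -o none || return 1
  uami_id=$(az identity show -g "$rg" -n "$uami" --query id -o tsv) || return 1
  principal_id=$(az identity show -g "$rg" -n "$uami" --query principalId -o tsv) || return 1
  client_id=$(az identity show -g "$rg" -n "$uami" --query clientId -o tsv) || return 1

  # Step 2: assign "Key Vault Secrets Officer", scoped to this one vault rather
  # than the resource group or subscription.
  vault_id=$(az keyvault show -n "$vault" --query id -o tsv) || return 1
  vault_uri=$(az keyvault show -n "$vault" --query properties.vaultUri -o tsv) || return 1
  az role assignment create --role "Key Vault Secrets Officer" \
    --assignee-object-id "$principal_id" --assignee-principal-type ServicePrincipal \
    --scope "$vault_id" -o none || return 1

  # Step 3: attach the identity to the Function App.
  az functionapp identity assign -g "$rg" -n "$app" --identities "$uami_id" -o none || return 1

  # Step 4: point the Functions host at the vault and tell it which identity to use.
  az functionapp config appsettings set -g "$rg" -n "$app" -o none --settings \
    "AzureWebJobsSecretStorageType=keyvault" \
    "AzureWebJobsSecretStorageKeyVaultUri=$vault_uri" \
    "AzureWebJobsSecretStorageKeyVaultClientId=$client_id" || return 1

  # Step 5: restart so the host picks up the new secret storage.
  az functionapp restart -g "$rg" -n "$app"
}
```

Each step returns early on failure, so the app settings are never switched to Key Vault before the identity and its role assignment are in place.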

       

By following these steps, you can securely store your Azure Function keys in Azure Key Vault using User Assigned Managed Identity, ensuring better security and management of your secrets.

 

Disclaimer

  • Please note that products and options presented in this article are subject to change. This article reflects the configuration for storing Azure Function keys in Azure Key Vault using User Assigned Managed Identity as of March 2025.
  • Always test and validate in your own environment before applying any changes.
  • For the most accurate and up-to-date details, please refer to the Azure Functions documentation.

References

Work with access keys in Azure Functions | Microsoft Learn

App settings reference for Azure Functions | Microsoft Learn

Updated Mar 14, 2025
Version 1.0