Why can't my Function Access my Key Vault?
Take this:
1. Use Access Policies (Not Just RBAC)
Even though you've assigned RBAC roles like Key Vault Secrets User, Key Vaults created with the "Vault access policy" permission model require explicit Access Policies.
• Go to your Key Vault in the Azure Portal.
• Under Access Policies, add your Function App's managed identity.
• Grant it Get and List permissions for secrets.
2. Confirm Managed Identity Is Enabled
Make sure your Azure Function has its System Assigned Managed Identity turned on:
• Go to your Function App > Identity.
• Under System Assigned, ensure it's On.
• Copy the Object ID—you’ll need it for access policies or role assignments.
3. Check Local Development Authentication
When running locally, your function doesn't use the managed identity—it uses your local Azure CLI or Visual Studio credentials.
• Run az login to authenticate your CLI.
• Ensure your local user has the Key Vault Secrets User role or is added to the Access Policy.
4. Verify Key Vault URL and Secret Name
Double-check that your code is using the correct format:
using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
var kvUri = "https://<your-keyvault-name>.vault.azure.net/";
var client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential());
KeyVaultSecret secret = client.GetSecret("<your-secret-name>");
When I navigate to 'Access Policies' within my vault, it says 'Access policies not available' and tells me to go back to the 'Access control (IAM)' page. Is there a way to get past this message and set up Access Policies when I already have RBAC?
- BrianVeldman, Jul 13, 2025, Copper Contributor
You either use RBAC or access policies. RBAC is the recommended model, as it is newer and more flexible. Could you create a simple function to retrieve a secret from the Key Vault using RBAC? Also, how is your network access configured?
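Added example, not code from any poster in this thread: a Python check that reads the JSON from `az keyvault show` and `az role assignment list --assignee <object-id> --all`, reports which permission model the vault uses, and tells whether the Function App's identity can read secrets under that model. The function names, sample IDs and sample data are constructed placeholders.

```python
# Built-in roles whose data actions include reading secret values.
# "Key Vault Reader" is deliberately absent: it only reads metadata.
SECRET_READ_ROLES = {"Key Vault Secrets User", "Key Vault Secrets Officer",
                     "Key Vault Administrator"}

def scope_covers(scope, resource_id):
    """True when a role assignment scope is the resource or one of its parents."""
    s, r = scope.rstrip("/").lower(), resource_id.rstrip("/").lower()
    return r == s or r.startswith(s + "/")

def diagnose(vault, role_assignments, object_id):
    """Return (permission_model, can_read_secrets, notes) for one identity.

    vault            -- parsed `az keyvault show --name <vault>` output
    role_assignments -- parsed `az role assignment list --assignee <id> --all`
    object_id        -- Object ID shown under Function App > Identity
    """
    props, notes = vault["properties"], []
    if props.get("enableRbacAuthorization"):
        model = "rbac"
        allowed = any(a["roleDefinitionName"] in SECRET_READ_ROLES
                      and scope_covers(a["scope"], vault["id"])
                      for a in role_assignments)
        if props.get("accessPolicies"):
            notes.append("access policies exist but are ignored under RBAC")
    else:
        model = "access-policy"
        allowed = any(
            p["objectId"].lower() == object_id.lower()
            and {"get", "all"} & {x.lower() for x in p["permissions"].get("secrets") or []}
            for p in props.get("accessPolicies") or [])
        if any(a["roleDefinitionName"] in SECRET_READ_ROLES for a in role_assignments):
            notes.append("data-plane RBAC roles are ignored under access policies")
    if (props.get("networkAcls") or {}).get("defaultAction") == "Deny":
        notes.append("firewall default action is Deny; check network access")
    return model, allowed, notes

# Constructed sample data (placeholder IDs), shaped like the az CLI JSON output.
VAULT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
            "rg-demo/providers/Microsoft.KeyVault/vaults/kv-demo")
OID = "11111111-1111-1111-1111-111111111111"
SAMPLE_VAULT = {"id": VAULT_ID, "properties": {
    "enableRbacAuthorization": True, "accessPolicies": [],
    "networkAcls": {"defaultAction": "Deny"}}}
SAMPLE_ROLES = [{"roleDefinitionName": "Key Vault Secrets User",
                 "scope": VAULT_ID.split("/providers/")[0], "principalId": OID}]

if __name__ == "__main__":
    print(diagnose(SAMPLE_VAULT, SAMPLE_ROLES, OID))
```

The check does not resolve group membership or role assignment conditions, so an identity that gets its role through a group will show as not allowed.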