Can Azure Key Vault be used with Functions to store the connection string for queue triggers?

醉酒成梦 2021-01-22 00:46

I was able to use the Key Vault inside a function app as described here but when I tried to use the Key Vault to hold the connection string of a function with a queue trigger I

2 Answers
  • 2021-01-22 01:00

    With the NuGet packages Azure.Extensions.AspNetCore.Configuration.Secrets and Azure.Identity you can now use the KeyVault as a configuration provider, the same way as in ASP.NET Core. You need to add a class derived from FunctionsStartup to add the KeyVault as a configuration provider, see Add FunctionsStartup class with the KeyVault as a configuration provider.

    If you add the AzureWebJobsStorage connection string as a secret to the KeyVault, you can remove it from the Configuration section of your Function App in Azure. Make sure to turn on System assigned in the Identity section and in the KeyVault add an Access Policy with the Secret permissions Get and List for your Function App.

    When you run your Function App locally for debugging, Azure.Identity automatically uses your Microsoft Account for access to the KeyVault, if it has at least Get and List access to the secrets.

    Unfortunately, when you test locally, the Function App does NOT read AzureWebJobsStorage from the configuration/KeyVault, but requires it to be stored in local.settings.json. To prevent storing keys on your local computer, you can set AzureWebJobsStorage to "UseDevelopmentStorage=true" in local.settings.json.

    For detailed instructions see: Create Azure Function App with Dependency Injection and the Key Vault as Configuration Provider.

    Example project: https://github.com/Forestbrook/FunctionWithKeyVaultAndDI

    0 Comments (0)
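The FunctionsStartup approach described in the answer above, written out as an added example; it is not code from the answer or from the linked example project. The namespace `ExampleFunctionApp` and the app setting name `KeyVaultUri` are assumptions made for this sketch, and `IFunctionsConfigurationBuilder` requires a version of Microsoft.Azure.Functions.Extensions that provides `ConfigureAppConfiguration`.

```csharp
using System;
using Azure.Identity;
using Microsoft.Azure.Functions.Extensions.DependencyInjection;
using Microsoft.Extensions.Configuration;

// Registers the Startup class below with the Functions host.
[assembly: FunctionsStartup(typeof(ExampleFunctionApp.Startup))]

namespace ExampleFunctionApp // hypothetical namespace
{
    public class Startup : FunctionsStartup
    {
        public override void ConfigureAppConfiguration(IFunctionsConfigurationBuilder builder)
        {
            // Only the vault address is kept in app settings; it is not a secret.
            // "KeyVaultUri" is a setting name assumed for this example.
            string vaultUri = Environment.GetEnvironmentVariable("KeyVaultUri");
            if (string.IsNullOrWhiteSpace(vaultUri))
            {
                // Stop at startup instead of running with secrets silently missing.
                throw new InvalidOperationException("App setting 'KeyVaultUri' is not set.");
            }

            // DefaultAzureCredential uses the system-assigned managed identity in Azure
            // and the signed-in developer account on a local machine. That identity
            // needs the Get and List secret permissions on the vault.
            builder.ConfigurationBuilder.AddAzureKeyVault(
                new Uri(vaultUri),
                new DefaultAzureCredential());
        }

        public override void Configure(IFunctionsHostBuilder builder)
        {
            // Dependency registrations go here. Secrets loaded from the vault are
            // read through IConfiguration under their secret names.
        }
    }
}
```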
  • 2021-01-22 01:01

    I'm trying to test first in Visual Studio.

    For now, using Azure Key Vault references with Azure Functions is not supported locally, as confirmed by the Azure Functions team. If you still want to test locally, you could implement an incomplete local workaround like this issue.

    I tested on the portal and it works well. You could refer to the following steps:

    1. In VS, Function.cs, then publish to Azure:

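     // Queue-triggered function; Connection names the app setting that holds the storage connection string.
     public static void Run([QueueTrigger("queue", Connection = "AzureWebJobsStorage")]string myQueueItem, TraceWriter log)
     {
         log.Info($"C# Queue trigger function processed: {myQueueItem}");
         // Read the same setting from the environment to show the value the host resolved.
         string connectionString = System.Environment.GetEnvironmentVariable("AzureWebJobsStorage");
         // This writes the full connection string (a secret) to the function log.
         log.Info($"The connection string is {connectionString}");
     }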
    

    2. Set AzureWebJobsStorage in the Appsettings setting on the portal.

    3. Then it will work fine.

    0 Comments (0)