
Azure Function Keyvault Reference -> User Assigned Identity instead of System Assigned managed Identity


I am currently trying to build an Azure infrastructure for a project using Pulumi (unfortunately I had to use the azure_native provider). The problem is that my function does not understand that it should use the User Assigned Identity for KeyVault access. In the image below, you can see that it always tries to work through a System Assigned Managed Identity.

(Image: FunctionApp Identity)

I also set the keyVaultReferenceIdentity in Pulumi to the function and referenced the Principal/Object Id of the User Assigned Identity. In KeyVault, I have given the User Assigned Identity access via the Access Policies. Apparently, this problem has the effect that KeyVault secrets cannot be resolved.

(Image: KeyVault)

The code for creating the function App:

    import * as pulumi from "@pulumi/pulumi";
    import * as web from "@pulumi/azure-native/web";

    // Tail of the function that builds the Function App; its header is not shown in the post.
    // resourceGroupArgs, aspId, rndFAppName, appInsightsConnectionString, appInsightsInstrumentkey,
    // storageAccount, storageKeys, userAssignedIdentity, appInsights, kvVault, container and getId
    // are defined elsewhere in the Pulumi program.
    return new web.WebApp("xxxx", {
        ...resourceGroupArgs,
        serverFarmId: aspId,
        name: rndFAppName.hex.apply((v) => `fa${v}`),
        kind: "functionapp,linux",
        siteConfig: {
            appSettings: [
                {name: "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET", value: "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET"},
                {name: "SCM_DO_BUILD_DURING_DEPLOYMENT", value: "false"},
                {name: "WEBSITE_ENABLE_APP_SERVICE_STORAGE", value: "true"},
                {name: "APPLICATIONINSIGHTS_CONNECTION_STRING", value: appInsightsConnectionString},
                {name: "APPINSIGHTS_INSTRUMENTATIONKEY", value: appInsightsInstrumentkey},
                {name: "FUNCTIONS_EXTENSION_VERSION", value: "~4"},
                {name: "AzureWebJobsStorage__accountName", value: storageAccount.name},
                {
                    name: "AzureWebJobsStorage",
                    value: pulumi.interpolate`DefaultEndpointsProtocol=https;AccountName=${storageAccount.name};AccountKey=${storageKeys.keys[0].value};EndpointSuffix=core.windows.net`
                },
                {name: "FUNCTIONS_WORKER_RUNTIME", value: "dotnet"},
            ],
            cors: {
                allowedOrigins: ["https://preview.portal.azure.com"],
            },
            ftpsState: "Disabled",
            remoteDebuggingVersion: "VS2019",
            linuxFxVersion: "dotnet|6.0",
            minTlsVersion: "1.2",
            use32BitWorkerProcess: false,
            // Identity the app should use when resolving @Microsoft.KeyVault(...) references
            keyVaultReferenceIdentity: userAssignedIdentity.principalId,
        },
        identity: {
            type: "UserAssigned",
            userAssignedIdentities: userAssignedIdentity.id.apply(id => getId(id))
        }
    }, {dependsOn: [userAssignedIdentity, appInsights, storageAccount, kvVault, container]});

    } // closes the enclosing function (its header is not shown in the post)

Is there anything missing for the user identity usage?

Thank you very much!


Solution

  • The source of the problem has been found. Apparently the Azure native provider in Pulumi does not set the "keyVaultReferenceIdentity" properly. Setting it manually via PowerShell fixed the problem.
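One way to apply that manual fix with Az PowerShell, as an added example that is not the poster's script: it PATCHes only the `keyVaultReferenceIdentity` property through the ARM REST API and then reads it back to confirm the change. Note that Azure expects this property to hold the user-assigned identity's resource ID (the `.../userAssignedIdentities/<name>` path), not its principal/object ID; the resource group, identity and app names below are placeholders.

```powershell
# Added example, not the poster's code. Assumes the Az.Accounts, Az.ManagedServiceIdentity
# and Az.Functions modules are installed and Connect-AzAccount has already been run.
# Placeholder values: replace <group-name>, <identity-name> and <app-name>.
$resourceGroup = "<group-name>"
$identityName  = "<identity-name>"
$appName       = "<app-name>"

# keyVaultReferenceIdentity must be the *resource ID* of the user-assigned identity
# (or the literal "SystemAssigned"), not the identity's principal/object ID.
$identityResourceId = (Get-AzUserAssignedIdentity -ResourceGroupName $resourceGroup -Name $identityName).Id
$appResourceId      = (Get-AzFunctionApp -ResourceGroupName $resourceGroup -Name $appName).Id

# Build the ARM path for the site resource; -f avoids PowerShell treating "?api" as part of
# the variable name. Only the one property is sent, so nothing else on the app is touched.
$path = "{0}?api-version=2021-02-01" -f $appResourceId
$body = @{ properties = @{ keyVaultReferenceIdentity = $identityResourceId } } | ConvertTo-Json -Depth 3

$response = Invoke-AzRestMethod -Method PATCH -Path $path -Payload $body
if ($response.StatusCode -ne 200) {
    throw "PATCH failed: $($response.StatusCode) $($response.Content)"
}

# Verify: read the property back and make sure it now points at the user-assigned identity,
# which is what the Key Vault reference resolver will authenticate with.
$site       = Invoke-AzRestMethod -Method GET -Path $path
$kvIdentity = ($site.Content | ConvertFrom-Json).properties.keyVaultReferenceIdentity
if ($kvIdentity -ne $identityResourceId) {
    throw "keyVaultReferenceIdentity is '$kvIdentity', expected '$identityResourceId'"
}
Write-Output "Key Vault references on $appName now resolve via $identityName"
```

The same identity still needs an access policy (or RBAC role) on the vault that allows Get on secrets, as the question already describes; the PATCH only tells the app which identity to present.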