powershell azure-functions azure-keyvault

Unable to resolve key vault values in local environment


I'm developing Azure functions locally using VS Code, with Azure Functions Core Tools v.4.0.7030. I have a local.settings.json file with lines similar to these under "values":

"TicketBaseUrl": "@Microsoft.KeyVault(SecretUri=https://systemkv.vault.azure.net/secrets/TicketBaseUrl/)",

so on, so forth.

The issue I see in the terminal is that it's passing it as a string, rather than returning the actual key vault value. I have also tried az login, then selected the subscription, and it seems to make no difference. I have a colleague who has this working, but we cannot locate the difference at all.

I'm getting conflicting information whether this is natively supported, or whether this requires adding code to my existing function. Any assistance will be greatly appreciated.

The function runs, and it's obviously getting my local.settings.json file, but it's just not interpreting the value as anything but a string.

I have Azurite installed, no change there. I imported the settings from the function using func azure functionapp fetch-app-settings, but no change there.

For clarification, running the function app in the web works perfectly. It's just during local development.

JSON example

{
  "IsEncrypted": false,
  "Values": {
    "APPLICATIONINSIGHTS_CONNECTION_STRING": "InstrumentationKey=****;IngestionEndpoint=**;LiveEndpoint=**;ApplicationId=*****",
    "AzureWebJobsStorage": "DefaultEndpointsProtocol=https;AccountName=*****;AccountKey=*********=;EndpointSuffix=core.windows.net",
    "FUNCTIONS_EXTENSION_VERSION": "~4",
    "FUNCTIONS_WORKER_RUNTIME": "powershell",
    "FUNCTIONS_WORKER_RUNTIME_VERSION": "7.4",
    "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "DefaultEndpointsProtocol=https;AccountName=****;AccountKey=***;EndpointSuffix=core.windows.net",
    "WEBSITE_CONTENTSHARE": "testapi905d",
    "WEBSITE_ENABLE_SYNC_UPDATE_SITE": "true",
    "WEBSITE_RUN_FROM_PACKAGE": "1",
    "APIBaseUrl": "@Microsoft.KeyVault(SecretUri=https://TestVault.vault.azure.net/secrets/APIBaseUrl/)",
    "APIClientId": "@Microsoft.KeyVault(SecretUri=https://TestVault.vault.azure.net/secrets/APIClientId/)",
    "APICompanyIdentifier": "@Microsoft.KeyVault(SecretUri=https://TestVault.vault.azure.net/secrets/APICompanyIdentifier/)",
    "APIPrivKey": "@Microsoft.KeyVault(SecretUri=https://TestVault.vault.azure.net/secrets/APIPrivKey/)",
    "APIPubKey": "@Microsoft.KeyVault(SecretUri=https://TestVault.vault.azure.net/secrets/APIPubKey/)"
  },
  "ConnectionStrings": {}
}

Solution

    Thanks @Skin, you were absolutely right. After reproducing this locally and digging into the docs, I came to the same conclusion.

    Key Vault references using the @Microsoft.KeyVault(...) syntax do not work locally when using Azure Functions and local.settings.json. This syntax only works in Azure, where the App Service platform resolves it using the Function App's Managed Identity.

    Repro: fails locally when using a @Microsoft.KeyVault(...) key vault reference.

    {
      "IsEncrypted": false,
      "Values": {
        "APIBaseUrl": "@Microsoft.KeyVault(SecretUri=https://TestVault.vault.azure.net/secrets/APIBaseUrl/)"
      }
    }
    

    When I run func start locally, the value of APIBaseUrl is not resolved. It is treated as a literal string.

    This only works in an Azure App Service / Function App where we configure a system-assigned managed identity and grant it access to the key vault.

    We can fix this by putting the actual secret values directly in local.settings.json while working locally. Since the Key Vault references don’t work outside Azure, hardcoding the secrets is the easiest way to make things run smoothly during development.

    Replace the Key Vault reference in local.settings.json with the actual secret value for local testing:

    {
      "IsEncrypted": false,
      "Values": {
        "APIBaseUrl": "https://api.example.com/"
      }
    }
    

    Then the function will output the real secret locally. Note: make sure this file is never committed to git, as it may contain sensitive information like secrets and connection strings.

    Please refer to the provided Microsoft Documents for more details.

    Doc1
    Doc2
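An alternative to hardcoding the secret values, added here as an example that is not code from the question, the answer or Microsoft: since the platform only resolves @Microsoft.KeyVault(...) references in Azure, the PowerShell worker can resolve them itself at cold start when running under func start. The helper below parses a reference, fetches the secret through the Az.KeyVault module, and overwrites the environment variable that func start populated from "Values", so local.settings.json keeps the reference and never the plaintext secret. It goes slightly beyond the page in also accepting the VaultName=...;SecretName=...;SecretVersion=... reference form. Assumptions: the Az.KeyVault module is installed, the identity signed in with Connect-AzAccount can read secrets in the vault (for example via the Key Vault Secrets User role), the code is placed in profile.ps1, and WEBSITE_INSTANCE_ID is taken to be set only by the App Service platform, which is how the code decides to do nothing in Azure.

```powershell
# Added example, not code from the original post or answer: resolve
# @Microsoft.KeyVault(...) references ourselves when running under "func start",
# so local.settings.json keeps the reference and never the real secret value.
# Assumes the Az.KeyVault module is installed and the signed-in identity
# (Connect-AzAccount) can read secrets in the vault, e.g. via the
# "Key Vault Secrets User" role. Intended for profile.ps1, which the
# PowerShell worker runs once at cold start.

function ConvertFrom-KeyVaultReference {
    # Parse one App Service Key Vault reference into its vault name, secret name
    # and optional version. Returns $null for values that are not references.
    # Handles both documented forms:
    #   @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>/<version>)
    #   @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>;SecretVersion=<version>)
    param([AllowEmptyString()][string]$Value)

    if (-not ($Value.Trim() -match '^@Microsoft\.KeyVault\((?<body>.+)\)$')) { return $null }
    $body = $Matches['body'].Trim()

    if ($body -match '^SecretUri=(?<uri>\S+)$') {
        $uri = [uri]$Matches['uri']
        # Refuse anything that is not an HTTPS Key Vault host, so a tampered
        # setting cannot redirect the lookup to some other server.
        if ($uri.Scheme -ne 'https' -or $uri.Host -notlike '*.vault.azure.net') {
            throw "Not a Key Vault secret URI: $uri"
        }
        $parts = $uri.AbsolutePath.Trim('/') -split '/'
        if ($parts.Count -lt 2 -or $parts[0] -ne 'secrets') { throw "Unexpected secret URI: $uri" }
        $version = if ($parts.Count -ge 3 -and $parts[2]) { $parts[2] } else { $null }
        return [pscustomobject]@{
            VaultName  = $uri.Host.Split('.')[0]
            SecretName = $parts[1]
            Version    = $version
        }
    }

    # VaultName=...;SecretName=...;SecretVersion=... form
    $kv = @{}
    foreach ($pair in ($body -split ';')) {
        $key, $val = $pair -split '=', 2
        if ($null -eq $val) { throw "Malformed Key Vault reference: $Value" }
        $kv[$key.Trim()] = $val.Trim()
    }
    if (-not $kv['VaultName'] -or -not $kv['SecretName']) {
        throw "Malformed Key Vault reference: $Value"
    }
    return [pscustomobject]@{
        VaultName  = $kv['VaultName']
        SecretName = $kv['SecretName']
        Version    = $kv['SecretVersion']
    }
}

function Resolve-LocalKeyVaultReferences {
    # func start loads every entry under "Values" into the worker's environment.
    # Replace each Key Vault reference in place with the secret read via Az.KeyVault.
    # Does nothing in Azure, where the platform has already resolved the references
    # (assumption: WEBSITE_INSTANCE_ID is set only by the App Service platform).
    if ($env:WEBSITE_INSTANCE_ID) { return }

    Import-Module Az.KeyVault -ErrorAction Stop
    if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }

    foreach ($entry in Get-ChildItem Env:) {
        $ref = ConvertFrom-KeyVaultReference -Value $entry.Value
        if (-not $ref) { continue }

        $lookup = @{ VaultName = $ref.VaultName; Name = $ref.SecretName; AsPlainText = $true }
        if ($ref.Version) { $lookup['Version'] = $ref.Version }
        $secret = Get-AzKeyVaultSecret @lookup -ErrorAction Stop
        if ($null -eq $secret) { throw "Secret $($ref.SecretName) not found in vault $($ref.VaultName)" }

        Set-Item -Path "Env:$($entry.Name)" -Value $secret
        # Log the setting name only, never the value.
        Write-Verbose "Resolved $($entry.Name) from vault $($ref.VaultName)"
    }
}

Resolve-LocalKeyVaultReferences
```

With this in place the "APIBaseUrl" line from the question can stay exactly as it is in local.settings.json, and $env:APIBaseUrl holds the secret by the time the function code runs. Failing closed on a non-Key-Vault host or a missing secret is deliberate: a silent fallback to the literal "@Microsoft.KeyVault(...)" string is what produced the confusing behaviour in the question. local.settings.json still belongs in .gitignore, since AzureWebJobsStorage and the other connection strings it carries are secrets regardless.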