-
Notifications
You must be signed in to change notification settings - Fork 189
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update the Key Vault secret provider to use Azure.Identity #2048
Comments
@liliankasem I'm sorry to revive a closed issue, but there is actually a documentation page that describes those setting and is currently out of date: https://docs.microsoft.com/en-us/azure/azure-functions/security-concepts#secret-repositories The page is still referring to AzureWebJobsSecretStorageKeyVaultName instead of AzureWebJobsSecretStorageKeyVaultUri |
@mattchenderson looks like we still need more documentation updates for this breaking change, do you know who can help with that? |
Oh. I put my uri for |
Yup, you need to use the full Vault URI as displayed in the Key Vault overview page. We can update the docs to make that more clear. |
I'm suspecting for this to work with MSI it's required to use a user assigned identity @liliankasem? Otherwise how can you grant access to the vault before you have the function app principal id. Isn't this a chicken and egg problem? |
You can still use a system managed identity, you'll just have to go back to the vault and update the access policies to include the new function app principal ID. If we're talking about DevOps setup, there should be a way to get the principal ID as an output of a function app deployment and pass that to a keyvault creation or policy update task, but I'm not an expert on that. |
The existing Key Vault provider makes use of a library that is considered deprecated. We will update the Key Vault provider to use the following libraries instead: Azure.Identity, Azure.Security.KeyVault.Secrets
Motivation
What is the motivation for the change?
Impact
How many customers (roughly) would be impacted by this break? If not known, how can we figure it out? This may require host changes to gather metrics.
Compat-mode support
We'd like to enable compat-mode support for every breaking change. This may not be feasible in reality, but each proposal should include a plan to switch back to the previous behavior with a feature flag. This requirement will be evaluated on a case-by-case basis.
Alternatives
Were any alternatives discussed? Is there any way to do this without a break?
AzureWebJobsSecretStorageKeyVaultConnectionString
app setting needs to be deprecated.Detection
Can we detect that a customer is using this when they upgrade from v3? Is there a specific error that can be thrown with a link to migration guidance?
Support
Will there be any incidents-per-day impact? Who will be the support contact? Does support need to be notified of this change? (SPOT)
Documentation
We will need to update documentation to reflect the change in app settings.
Old
New
System-assigned managed identity
User-assigned managed identity
App registration
I can't find any documentation that talks about setting
AzureWebJobsSecretStorageKeyVaultName
andConnectionString
to use Key Vault. I did find this documentation but this only talks about referencing key vault secrets in app settings. There's also one reference toAzureWebJobsSecretStorageType
here.I propose we add a new heading here to talk about how to use Key Vault for function secret storage.
Components impacted
What components does this change impact? Examples of areas (this list may not be exhaustive):
Performance
Does the change have any performance impact? There may need to be some implementation complete before this can be measured.
The text was updated successfully, but these errors were encountered: