Keyword not supported: @microsoft.keyvault - azure

I was trying to get the connection string from Azure Key Vault for Azure Functions. These are the steps I did:
1. Created a managed identity (system assigned) in the Azure Function.
2. Created a secret in an Azure Key Vault.
3. Added access policies to give permission to the Azure Function app.
4. Added an entry in the app settings for the connection string where the value was @Microsoft.KeyVault(SecretUri=SECRETURLOFKEYVAULT).
But when I run the Azure Function I am getting the error below:
"Keyword not supported: @microsoft.keyvault(secreturi....."
This is how I have enabled managed identity,
And my access policy looks like below,
Any help would be much appreciated.

I ran into a similar problem by following the tutorial. My remedy was a restart of the function app. Saving the app setting was not enough for the Function App to start using the Key Vault secret provider correctly.

According to the steps you provided, it should have no problem working. Here is a tutorial about getting Key Vault secrets in Azure Functions that you could refer to.
Note: Add an access policy for the Azure Function app with the Get permission on secrets; that was enough.
Also, here is a similar issue that got the same error as you, which was due to an IP address restriction blocking it.

This issue occurred while testing on local. It was resolved after doing an az login.

Related

Azure Virtual Network - Could not access key vault reference metadata

I have a virtual network, with a key vault and a function app (both have been linked via private endpoints and the function app has outbound traffic VNet integration set up).
We are using RBAC for access to the Key Vault and the Function has a role assignment that grants Get and List access to the Secrets in the key vault.
The function is part of a premium app service plan (EP1).
The function's storage account is also set up as part of the VNET.
The function has the WEBSITE_CONTENTAZUREFILECONNECTIONSTRING, WEBSITE_CONTENTOVERVNET and WEBSITE_CONTENTSHARE app settings defined, as I believe is required by the documentation (https://learn.microsoft.com/en-us/azure/azure-functions/functions-app-settings).
Example Key Vault Reference:
@Microsoft.KeyVault(SecretUri=https://mykeyvault.vault.azure.net/secrets/StorageAccountConnectionString/)
The function has some settings set up as key vault references and at runtime they resolve just fine. However in the Azure Portal under the configuration tab for the function app I get the following error at the top.
Error: Could not access key vault reference metadata
and there's no reference to any settings being a key vault reference under the source column. For what it's worth the configuration seems to take a while to actually load so I'm wondering if anything is timing out in the background (i.e. the portal can't resolve the key vault, but the actual function can).
So the question is, can I just ignore this error? Is it anything to worry about and finally is there anything I'm doing wrong?

Azure Key Vault with App Service connection error

I'm trying to set up a new app slot for my azure website.
Here is my error:
I've looked at a few articles online and then made sure the app slot was using System assigned identities.
But I still get the above error?
What am I missing?
Here is what it looks like on the Configuration section
Make sure you have done the steps below, then it should work.
1. After enabling the system-assigned identity (MSI) of your slot, navigate to your Key Vault in the portal -> Access policies -> add the MSI of your slot to the access policy with the correct secret permission. Just search for your web app name; the MSI of the slot has the format webappname/slots/slotname, details here.
2. If you use the SecretUri, the format of the connection string in your slot should be like below; double-check it.
@Microsoft.KeyVault(SecretUri=https://joykeyvault123.vault.azure.net/secrets/encryptionKey/492c7788a9da421c8b9752ef18b53f5d)
You could get the SecretUri in your secret in the portal.
It works fine on my side.

Unable to deploy Azure Function App - error with storage account

Lately I've had trouble with deploying a Function App via Azure CLI. Last week on Tuesday, I was still able to deploy a Function App via Azure CLI.
This week, like any other day before that, I used fairly common Azure Function Tools command func azure functionapp publish. The version of Azure Function Tools I am using is 3.0.3233.
Now I am getting this error every time:
Retry: 1 of 3
Error creating a Blob container reference. Please make sure your connection string in "AzureWebJobsStorage" is valid
Retry: 2 of 3
Error creating a Blob container reference. Please make sure your connection string in "AzureWebJobsStorage" is valid
Retry: 3 of 3
Error creating a Blob container reference. Please make sure your connection string in "AzureWebJobsStorage" is valid
I checked that the AzureWebJobsStorage setting has a correct value; I even connected to the storage account with that connection string via the Azure Storage Explorer app.
Just in case, I created a new Function App in another region and I still get the same error.
Has anyone else encountered this error? I suspect this is an error in the tool itself, maybe a faulty build?
I suspect that AzureWebJobsStorage is not present/invalid in App Settings section of the function app in the Azure portal.
Make sure that it is added there and you are not deleting those settings through CLI/templates and recreating them without AzureWebJobsStorage.
I'm answering my own question. It seems that this was a transient error. Without changing any code, today I was able to redeploy my function app. Cheers.
If you don't have "Allow storage account key access" enabled, you get this error.
There could be other scenarios as well, but the error does not say anything.

InvalidSyntax error when using Azure KeyVault References

I am having an issue where I add Azure Key Vault information as part of my Azure Function configuration, but it's giving me an InvalidSyntax error.
In my Azure Function, I go to the Configuration section, and in the Application settings tab I click "New application setting". In the Name I added a name like SomeSecret, and in the Value I added the path to my Azure Key Vault, so it looks like this:
@Microsoft.KeyVault(SecretUri=https://somename.azure.net/secrets/mysecretname/ec96f02080254f109c51a1f14cdb1931)
I also tried with this
@Microsoft.KeyVault(SecretUri="https://somename.azure.net/secrets/mysecretname/ec96f02080254f109c51a1f14cdb1931")
I tried with the other syntax, like:
@Microsoft.KeyVault(VaultName=somename;SecretName=mysecretname;SecretVersion=ec96f02080254f109c51a1f14cdb1931)
None of them are working. I made sure that the Azure Function identity is added to the Key Vault in Access Policies and that it has all the required access.
Any idea?
@Microsoft.KeyVault(SecretUri=) is the right way.
So the first format should have no problems. Try giving a full access policy and try again.
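The two formats quoted in this answer and in the question above, together with the "Keyword not supported: @microsoft.keyvault(..." error from the first question, can be checked mechanically. The following is an added example, not code from any of the posts: a small Python validator that parses both reference formats, rejects a quoted SecretUri, rejects a host that is not under `.vault.azure.net` (an assumption for the public cloud; sovereign clouds use other suffixes), and flags app settings whose value is still the raw reference string, which is exactly the situation in which a connection-string parser reports the reference text as an unsupported keyword. The sample settings dictionary at the bottom is constructed for the example.

```python
"""Validate Azure App Service / Functions Key Vault reference strings.

Added example, not code from any of the posts on this page. Implements the
SecretUri and VaultName;SecretName;SecretVersion reference formats and the
checks a defender would want before handing a setting to a connection-string
parser.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

PREFIX = "@microsoft.keyvault("
# Assumption: public-cloud vault host suffix; sovereign clouds use other suffixes.
VAULT_HOST_SUFFIX = ".vault.azure.net"


@dataclass
class KeyVaultReference:
    vault: str
    secret_name: str
    version: Optional[str]  # None means "latest version of the secret"


def is_key_vault_reference(value: str) -> bool:
    """True if an app-setting value is (still) an unresolved Key Vault reference."""
    return value.strip().lower().startswith(PREFIX)


def parse_key_vault_reference(value: str) -> KeyVaultReference:
    """Parse a reference, or raise ValueError describing what is wrong with it."""
    text = value.strip()
    if not (text.lower().startswith(PREFIX) and text.endswith(")")):
        raise ValueError("not of the form @Microsoft.KeyVault(...)")
    params: Dict[str, str] = {}
    for part in text[len(PREFIX):-1].split(";"):
        if not part.strip():
            continue
        key, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"parameter without '=': {part!r}")
        params[key.strip().lower()] = val.strip()

    if "secreturi" in params:
        uri = params["secreturi"]
        if uri[:1] in ('"', "'"):
            raise ValueError("SecretUri must not be wrapped in quotes")
        parsed = urlparse(uri)
        host = parsed.hostname or ""
        if parsed.scheme != "https" or not host.endswith(VAULT_HOST_SUFFIX):
            raise ValueError(f"SecretUri must be https://<vault>{VAULT_HOST_SUFFIX}/...")
        segments = [s for s in parsed.path.split("/") if s]  # tolerate a trailing "/"
        if len(segments) not in (2, 3) or segments[0].lower() != "secrets":
            raise ValueError("SecretUri path must be /secrets/<name>[/<version>]")
        version = segments[2] if len(segments) == 3 else None
        return KeyVaultReference(host[: -len(VAULT_HOST_SUFFIX)], segments[1], version)

    if "vaultname" in params and "secretname" in params:
        return KeyVaultReference(params["vaultname"], params["secretname"],
                                 params.get("secretversion") or None)
    raise ValueError("reference needs SecretUri, or VaultName and SecretName")


def reference_error(value: str) -> Optional[str]:
    """Error text for a malformed reference, or None when it parses cleanly."""
    try:
        parse_key_vault_reference(value)
    except ValueError as exc:
        return str(exc)
    return None


def find_unresolved_references(settings: Dict[str, str]) -> List[str]:
    """Names of settings whose value is still a reference, i.e. the platform did
    not resolve it (missing identity, access policy, network rule or restart).
    Such a value reaching SqlConnection yields "Keyword not supported"."""
    return [name for name, value in settings.items() if is_key_vault_reference(value)]


# Constructed sample app settings, as the Configuration blade might list them.
SAMPLE_SETTINGS = {
    "SqlConnection": "@Microsoft.KeyVault(SecretUri=https://mykeyvault.vault.azure.net/secrets/SqlConnection/)",
    "AzureWebJobsStorage": "DefaultEndpointsProtocol=https;AccountName=examplestorage;AccountKey=<placeholder>",
}

if __name__ == "__main__":
    for name in find_unresolved_references(SAMPLE_SETTINGS):
        print(f"{name}: still an unresolved Key Vault reference")
        print("  parse:", reference_error(SAMPLE_SETTINGS[name]) or "syntax OK")
```

Run against the settings exported from a Function App, a non-empty result from find_unresolved_references means the runtime will see the literal reference text; if reference_error is None for those entries the syntax is fine and the cause is on the resolution side (identity, access policy, firewall, or a pending restart, as the answers above describe).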

Unable to get access to Key Vault using Azure MSI on App Service

I have enabled Managed Service Identities on an App Service. However, my WebJobs seem unable to access the keys.
They report:
Tried the following 3 methods to get an access token, but none of them worked.
Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: . Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.
Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.microsoftonline.com/common. Exception Message: Tried to get token using Active Directory Integrated Authentication. Access token could not be acquired. password_required_for_managed_user: Password is required for managed user
Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: . Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. 'az' is not recognized as an internal or external command,
Kudu does not show any MSI_ environment variables.
How is this supposed to work? This is an existing App Service Plan.
The AppAuthentication library leverages an internal endpoint in App Service that receives the tokens on your site's behalf. This endpoint is non-static and therefore is set to an environment variable. After activating MSI for your site through ARM, your site will need to be restarted to get two new Environment Variables set in it:
MSI_ENDPOINT and MSI_SECRET
The presence of these variables is essential to the MSI feature working properly at runtime, as the AppAuthentication library uses them to get the authorization token. The error message reflects this:
Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.
If these variables are absent, you might need to restart the site.
https://learn.microsoft.com/en-us/azure/app-service/app-service-managed-service-identity
If the environment variables are set and you still see the same error, the article above has a code sample showing how to send requests to that endpoint manually.
```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;

// Calls the App Service MSI endpoint directly using the MSI_ENDPOINT/MSI_SECRET variables.
public static async Task<HttpResponseMessage> GetToken(string resource, string apiversion) {
    HttpClient client = new HttpClient();
    client.DefaultRequestHeaders.Add("Secret", Environment.GetEnvironmentVariable("MSI_SECRET"));
    return await client.GetAsync(String.Format("{0}/?resource={1}&api-version={2}", Environment.GetEnvironmentVariable("MSI_ENDPOINT"), resource, apiversion));
}
```
I would try that and see what kind of response I get back.
I just solved this issue when trying to use MSI with a Function app, though I already had the environment variables set. I tried restarting multiple times to no success. What I ended up doing was manually turning off MSI for the Function, then re-enabling it. This wasn't ideal, but it worked.
Hope it helps!
I've found out that if you enable MSI and then swap out the slot, the functionality leaves with the slot change. You can re-enable it by switching it off and on again but that will create a new identity in AD and will require you to reset permissions on the key vault for it to work.
Enable the identity and give access to your Azure Function app in Key Vault via an access policy.
You can find Identity in the Platform features tab.
These two steps work for me.
In my case I had forgotten to add an Access Policy for the application in the Key Vault.
Just switched ON the Status like @Sebastian Inones showed.
Then add an access policy for the Key Vault like
This resolved the issue!!
For the ones, like myself, wondering how to enable MSI.
My scenario:
I have an App Service already deployed and running for a long time.
In addition, on Azure DevOps I have my Pipeline configured to Auto-Swap my Deployment Slots (Staging/Production). Suddenly, after a normal push, Production starts failing because of the described issue.
So, in order to enable MSI again (I don't know why it has to be re-enabled, but I believe this is only a workaround, not a solution, as it should still be enabled in the first place):
Go to your App Service. Then under Settings --> Identity.
Check the status: in my case, it was off.
I have attached an image below to make it easier to follow.
For the folks that will come across these answers, I would like to share my experience.
I got this problem with Azure Synapse pipeline run. Essentially I added access policies properly to the KeyVault, and also I added a LinkedService to the Azure Synapse pointing to my KeyVault.
If I trigger the notebook manually it works, but in the pipeline, it fails.
Initially, I used the following statement:
url = TokenLibrary.getSecret("mykeyvault", "ConnectionString")
Then I added the name of the linked service as a third parameter, and the pipeline was able to leverage that linked service to obtain the MSI token for a Vault.
url = TokenLibrary.getSecret("mykeyvault", "ConnectionString", "AzureKeyVaultLinkedServiceName")
Might be unrelated to your issue but I was getting the same error message.
For me, the issue was using pip3's azure-cli. I was able to fix it by using brew packages for both azure-cli and azure-functions-core-tools.
Uninstall pip3 azure-cli:
pip3 uninstall azure-cli
Install brew azure-cli:
brew update
brew install azure-cli
Double check if the error message ends with:
Please go to Tools->Options->Azure Services Authentication, and re-authenticate the account you want to use.
