
I have an Azure Function in Python where I'm getting a secret from Key Vault. The Azure Function is part of an App Service with Managed Identity configured, so I do not have a Service Principal. To access Key Vault, I'm using the azure identity library and the DefaultAzureCredential class.

My issue is that with local debugging of this function, credentials are not detected. I know that the debugger uses a different shell, so login environment variables are not set. I tried to specify the "env" property in launch.json but get a warning that I'm not allowed to add it, same thing if I rename it to "environment". I also tried the InteractiveBrowserCredential class to log in with my user account as a workaround, but then the credentials are dismissed as incorrect to access Key Vault.

How could I set up my VS Code local debugging environment to work with the managed identity of App Service?

Here is an excerpt of my code:

import os
import logging
import azure.functions as func
from azure.storage.blob import BlobServiceClient
from azure.identity import DefaultAzureCredential, UsernamePasswordCredential
from azure.keyvault.secrets import SecretClient

def main(req: func.HttpRequest) -> func.HttpResponse:
    # Vault URL and secret name come from app settings
    # (local.settings.json when debugging, App Service settings in Azure).
    vault_url = os.environ['KeyVaultUrl']
    # In Azure this resolves to the managed identity; locally it walks the
    # credential chain (environment variables, CLI/VS Code sign-in, ...).
    credential = DefaultAzureCredential()
    secret_client = SecretClient(vault_url=vault_url, credential=credential)
    access_key = secret_client.get_secret(os.environ['StorageSecretName'])
    logging.info('Retrieved secret %s from Key Vault', access_key.name)
    return func.HttpResponse('OK', status_code=200)

Thank you

1 Answer

If you want to run the function with DefaultAzureCredential locally, we need to add these settings in local.settings.json. The JSON file is used to store app settings, connection strings, and settings used by local development tools. For more details, please refer to here and here.

For example

local.settings.json

{
  "IsEncrypted": false,
  "Values": {
    "AzureWebJobsStorage": "",
    "FUNCTIONS_WORKER_RUNTIME": "python",  
    "AZURE_CLIENT_ID": "42e***522d988c4",
    "AZURE_CLIENT_SECRET": "Gbx2eK***ClJDfQpIjoae:",
    "AZURE_TENANT_ID": "e4c9ab4e-b***230ba2a757fb"
  }
}

Code

import logging
import azure.functions as func
import os
from azure.keyvault.secrets import SecretClient
from azure.identity import DefaultAzureCredential

# SecretClient and DefaultAzureCredential are the synchronous clients, so the
# function is declared with plain def; an async def would block the event loop
# on the Key Vault call (use the .aio variants if you want async).
def main(req: func.HttpRequest) -> func.HttpResponse:
    logging.info('Python HTTP trigger function processed a request.')

    vault_url = 'https://testsql.vault.azure.net/'
    # Locally: picks up AZURE_CLIENT_ID / AZURE_CLIENT_SECRET / AZURE_TENANT_ID
    # from local.settings.json. In Azure: uses the managed identity.
    credential = DefaultAzureCredential()
    secret_client = SecretClient(vault_url=vault_url, credential=credential)
    access_key = secret_client.get_secret('DBConnectionString')
    # Demonstration only: returning a secret value to an HTTP caller is not
    # something to do in real code.
    return func.HttpResponse(access_key.value, mimetype="application/json")


2 Comments

Thanks for your help Jim, I'm setting it up as you said. Just one question: where do you get the client secret? From the security principal created by the Managed Identity, I cannot find it. Do I need to create a security principal manually and deactivate Managed Identity?
@Alssanro We have no way to get the Managed Identity client secret. I suggest you create a security principal manually.
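The answer works because the Functions host exports the "Values" block of local.settings.json into the process environment when debugging, so DefaultAzureCredential's first link (EnvironmentCredential) finds a service principal; once deployed, the same code falls through to the managed identity. The example below is added here and is not code from the question or the answer: it models that resolution order in a simplified way, and runs the pre-flight checks a practitioner wants before committing a project that carries a client secret in local.settings.json. The vault URL, IDs, secret values and the sample settings document are constructed placeholders; the `read_secret` helper is an assumed wrapper around the real azure-identity and azure-keyvault-secrets calls and needs those packages installed.

```python
"""Added example, not code from the original question or answer.

1. credential_source(): which link of the DefaultAzureCredential chain will be
   used, given a set of environment variables (simplified model of the chain).
2. settings_warnings(): pre-flight checks so a client secret placed in
   local.settings.json does not end up in source control.
All IDs, URLs and secret values below are constructed placeholders.
"""
import json
from typing import Iterable, List, Mapping

# Variables read by EnvironmentCredential, the first link in the chain.
SP_VARS = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")
# Variables the App Service / Functions host sets when managed identity is enabled.
MSI_VARS = ("IDENTITY_ENDPOINT", "MSI_ENDPOINT")

# Constructed sample mirroring the answer's local.settings.json (placeholder values).
SAMPLE_LOCAL_SETTINGS = """{
  "IsEncrypted": false,
  "Values": {
    "AzureWebJobsStorage": "",
    "FUNCTIONS_WORKER_RUNTIME": "python",
    "KeyVaultUrl": "https://example-vault.vault.azure.net/",
    "StorageSecretName": "storage-access-key",
    "AZURE_CLIENT_ID": "00000000-0000-0000-0000-000000000000",
    "AZURE_CLIENT_SECRET": "placeholder-client-secret",
    "AZURE_TENANT_ID": "00000000-0000-0000-0000-000000000001"
  }
}"""


def parse_local_settings(text: str) -> dict:
    """Return the "Values" block of a local.settings.json document as a flat dict,
    which is what the Functions host exports into the environment when debugging."""
    doc = json.loads(text)
    return {key: str(value) for key, value in doc.get("Values", {}).items()}


def credential_source(env: Mapping[str, str]) -> str:
    """Simplified model of DefaultAzureCredential's resolution order.

    "environment"      - a complete client-secret service principal is set
    "managed_identity" - the host exposes the managed identity endpoint
    "developer"        - neither; the chain continues to az login / VS Code
                         sign-in, which stores no secret on disk at all
    """
    if all(env.get(name) for name in SP_VARS):
        return "environment"
    if any(env.get(name) for name in MSI_VARS):
        return "managed_identity"
    return "developer"


def settings_warnings(values: Mapping[str, str], gitignore_lines: Iterable[str]) -> List[str]:
    """Pre-flight checks to run before the project is committed."""
    warnings: List[str] = []
    if values.get("AZURE_CLIENT_SECRET"):
        warnings.append(
            "AZURE_CLIENT_SECRET is stored in plaintext in local.settings.json; "
            "prefer 'az login' locally so DefaultAzureCredential needs no stored secret"
        )
    ignored = {line.strip() for line in gitignore_lines}
    if "local.settings.json" not in ignored:
        warnings.append("local.settings.json is not listed in .gitignore")
    return warnings


def read_secret(values: Mapping[str, str]) -> str:
    """Assumed helper: fetch the secret the way the answer does.

    Requires azure-identity and azure-keyvault-secrets, a reachable vault, and a
    signed-in identity that holds secret 'get' permission on it (an access policy
    or the 'Key Vault Secrets User' RBAC role); otherwise Key Vault returns 403.
    """
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient

    client = SecretClient(vault_url=values["KeyVaultUrl"], credential=DefaultAzureCredential())
    return client.get_secret(values["StorageSecretName"]).value


if __name__ == "__main__":
    settings = parse_local_settings(SAMPLE_LOCAL_SETTINGS)
    print("credential source:", credential_source(settings))
    for warning in settings_warnings(settings, [".venv/", "__pycache__/"]):
        print("warning:", warning)
```

The 403 the question hit with InteractiveBrowserCredential is the usual symptom of the second requirement in `read_secret`: whichever identity the chain resolves to (your user, a manually created service principal, or the managed identity once deployed) must itself be granted secret "get" on the vault; the credential type alone does not confer access.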
