Key Vault Reference | Logic and Function Apps using User-Assigned Managed Identity

Posted by Andrew Wilson on Monday, January 6, 2025
More in the Series

This post is part of the Working With Azure Logic Apps series (10 posts)

More in the Series

This post is part of the Working With Azure Function Apps series (3 posts)

Overview

Prior to the Christmas break I was involved in writing some integrations that used a mixture of Logic Apps Standard and Function Apps. It was agreed as part of the architecture that user-assigned identities would be the best fit. During the implementation I observed that the differences in configuration between system-assigned and user-assigned identities were not widely understood. This article gives a brief run-through of both.

Setup and Difference with System-Assigned

System-Assigned

The general process when using a System-Assigned identity is as follows:

  1. Create a Key Vault instance.

  2. Create the secrets required by the application.

  3. Create the app resource (Logic App / Function App).

  4. Authorise the application's identity to read from the Key Vault, or specifically from the Key Vault's secrets.

The main points of the System-Assigned setup are:

  • The identity is tied to the created app resource and its life-cycle
  • The resource cannot reference key vault secrets at the point of creation
    • Authorisation to read the key vault secrets has not occurred at this point
  • The identity cannot be associated with other resources

User-Assigned

The general process when using a User-Assigned identity is as follows:

  1. Create a Key Vault instance

  2. Create secrets required by the application(s)

  3. Create the user-assigned identity

  4. Authorise the user-assigned identity to read from the Key Vault, or specifically from the Key Vault's secrets.

  5. Create the app resource (Logic App / Function App)

    As part of the resource configuration:

    • Specify the identity type as user-assigned and reference the identity created in step 3

    • Specify the identity to be used for key vault reference operations by setting the keyVaultReferenceIdentity property to the resource ID of the user-assigned identity

    • Reference the key vault secret(s) in your App Settings.

The main points of the User-Assigned setup are:

  • The identity is managed outside the context of a resource and its life-cycle
  • A resource that uses the identity can read secrets from Key Vault at the point of creation
    • Because the authorisation has already occurred prior to the resource creation
  • The identity can be associated with one or more resources

⚠️ Note: one of the most common gotchas with user-assigned identities is forgetting to specify the identity to be used for Key Vault reference operations (the keyVaultReferenceIdentity property, step 5). Without it, the platform attempts to resolve the references with a system-assigned identity, which the app may not have.
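The user-assigned procedure above (steps 1 to 5) expressed as a single Bicep template, added here as an example and not taken from the original post. Resource names, the `planId` parameter (an existing App Service plan), the secret name `ApiKey` and the app setting name `API_KEY` are assumptions; the role definition id is the built-in "Key Vault Secrets User" role. The storage and runtime app settings a Function App also needs are left out so the identity wiring stays visible.

```bicep
// Added example: user-assigned identity wired to Key Vault references.
// Names, parameters and the plan id are assumptions, not values from the post.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param identityName string = 'id-integration'          // assumed name
param keyVaultName string = 'kv-integration-example'  // assumed name
param appName string = 'func-integration-example'     // assumed name
param planId string                                   // existing App Service plan (assumed)
@secure()
param apiKeyValue string                              // secret value supplied at deploy time

// Step 3: the identity is its own resource, independent of any app's life-cycle
resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityName
  location: location
}

// Step 1: Key Vault using RBAC authorisation (no access policies)
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    sku: { family: 'A', name: 'standard' }
    tenantId: subscription().tenantId
    enableRbacAuthorization: true
  }
}

// Step 2: the secret the app will read
resource apiKey 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
  parent: kv
  name: 'ApiKey'
  properties: { value: apiKeyValue }
}

// Step 4: grant read access before the app exists. "Key Vault Secrets User"
// only allows reading secret contents, which is all a reference needs.
var kvSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

resource secretsReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, uami.id, kvSecretsUserRoleId)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', kvSecretsUserRoleId)
    principalId: uami.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

// Step 5: the app. Both identity.userAssignedIdentities AND
// properties.keyVaultReferenceIdentity must name the same identity; leaving
// the second one out is the gotcha from the note above.
resource app 'Microsoft.Web/sites@2023-01-01' = {
  name: appName
  location: location
  kind: 'functionapp' // use 'functionapp,workflowapp' for Logic Apps Standard
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${uami.id}': {}
    }
  }
  properties: {
    serverFarmId: planId
    keyVaultReferenceIdentity: uami.id
    siteConfig: {
      appSettings: [
        // Key Vault reference, resolved at runtime with the identity above
        {
          name: 'API_KEY'
          value: '@Microsoft.KeyVault(SecretUri=${apiKey.properties.secretUri})'
        }
        // AzureWebJobsStorage / FUNCTIONS_* runtime settings omitted
      ]
    }
  }
  // Make sure the role assignment exists before the app first resolves the reference
  dependsOn: [
    secretsReader
  ]
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep --parameters planId=<plan resource id>` and supply `apiKeyValue` when prompted. Because the role assignment is declared before the app and the app depends on it, the reference can resolve on first start, which is exactly the advantage over the system-assigned flow where the principal does not exist until after the app is created. The `dependsOn` is also worth keeping for the reverse case: if the app were created first and the role assignment later, the first resolution attempt would fail and the setting would show as unresolved until the platform retries.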

Hope this helps and have fun.
