Key Vault Reference | Logic and Function Apps using User-Assigned Managed Identity

Overview

Prior to the Christmas break I was involved in writing some integrations that used a mixture of Logic Apps Standard and Function Apps. It was agreed as part of the architecture that user-assigned identities would be the best fit. As part of the implementation, I observed that the differences in configuration setup between system-assigned and user-assigned weren't widely understood. This article aims to give a brief run-through of both.

Setup and Difference with System-Assigned

System-Assigned

The general process when using a System-Assigned identity is as follows:

  1. Create a Key Vault instance.

  2. Create the secrets required by the application.

  3. Create the app resource (Logic App / Function App).

  4. Authorise the application's identity to read the Key Vault, or specifically the Key Vault's secret(s).

The main points with a System-Assigned setup are:

  • The identity is tied to the created app resource and its life-cycle
  • The resource cannot reference Key Vault secrets at the point of creation
    • Authorisation to read the Key Vault secrets has not occurred at that point, because the identity only exists once the resource does
  • The identity cannot be associated with other resources

User-Assigned

The general process when using a User-Assigned identity is as follows:

  1. Create a Key Vault instance.

  2. Create the secrets required by the application(s).

  3. Create the user-assigned identity.

  4. Authorise the user-assigned identity to read the Key Vault, or specifically the Key Vault's secret(s).

  5. Create the app resource (Logic App / Function App).

    As part of the resource configuration:

    • Specify the identity type as user-assigned and reference the identity created in step 3

    • Specify the identity to be used for Key Vault reference operations by setting the keyVaultReferenceIdentity property to the resource ID of the user-assigned identity

    • Reference the Key Vault secret(s) in your App Settings.
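The five steps above, written out as a single deployment, as an added example that is not code from the original post. It is a Bicep template that creates the identity (step 3), the vault and secret (steps 1 and 2), a read-only role assignment for the identity on the vault (step 4, using Azure RBAC rather than an access policy) and a Function App that is user-assigned, has keyVaultReferenceIdentity set and carries a Key Vault reference in its app settings from the moment it is created (step 5). The resource names, the App Service plan, the storage connection string and the secret value are assumed placeholders supplied as parameters.

```bicep
// Added example (not from the original post). Names, plan, storage and secret value are placeholders.
param location string = resourceGroup().location
param identityName string = 'id-integration-example'
param keyVaultName string = 'kv-integration-example'
param functionAppName string = 'func-integration-example'
param appServicePlanId string          // resource ID of an existing plan (placeholder)
param storageConnectionString string   // value for AzureWebJobsStorage (placeholder)

@secure()
param apiKeyValue string               // the secret material; never appears in app settings

// Step 3: the identity is a resource in its own right, outside the app's life-cycle.
resource uai 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityName
  location: location
}

// Step 1: the vault, authorised through Azure RBAC so step 4 is a role assignment.
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true
  }
}

// Step 2: the secret the application needs.
resource apiKey 'Microsoft.KeyVault/vaults/secrets@2023-07-01' = {
  parent: kv
  name: 'ApiKey'
  properties: { value: apiKeyValue }
}

// Step 4: least privilege - "Key Vault Secrets User" (read secret values only), scoped to this vault.
var keyVaultSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'
resource secretReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, uai.id, keyVaultSecretsUserRoleId)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)
    principalId: uai.properties.principalId
    principalType: 'ServicePrincipal'
  }
}

// Step 5: the app is created already authorised, so the reference resolves at creation.
resource app 'Microsoft.Web/sites@2023-01-01' = {
  name: functionAppName
  location: location
  kind: 'functionapp'
  identity: {
    type: 'UserAssigned'                       // step 5, first bullet
    userAssignedIdentities: { '${uai.id}': {} }
  }
  properties: {
    serverFarmId: appServicePlanId
    httpsOnly: true
    keyVaultReferenceIdentity: uai.id          // step 5, second bullet: the common gotcha
    siteConfig: {
      appSettings: [
        { name: 'AzureWebJobsStorage', value: storageConnectionString }
        { name: 'FUNCTIONS_EXTENSION_VERSION', value: '~4' }
        // step 5, third bullet: a Key Vault reference instead of the secret value itself
        { name: 'ApiKey', value: '@Microsoft.KeyVault(SecretUri=${apiKey.properties.secretUri})' }
      ]
    }
  }
  // Make sure the role assignment exists before the app first tries to resolve the reference.
  dependsOn: [ secretReader ]
}
```

The same site resource serves a Logic App Standard by changing `kind` to `functionapp,workflowapp` and adding the workflow-specific app settings; the identity block, keyVaultReferenceIdentity and the reference syntax are identical. Two things worth checking after deployment: the app setting should show a green "Resolved" status in the portal, and if it does not, the first suspect is keyVaultReferenceIdentity being unset, in which case the platform falls back to a system-assigned identity that was never granted access.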

The main points with a User-Assigned setup are:

  • The identity is managed outside the context of a resource and its life-cycle
  • A resource that uses the identity can read secrets from Key Vault at the point of creation
    • This is because the authorisation occurred before the resource was created.
  • The identity can be associated with one or more resources

⚠️ Note: One of the most common gotchas with user-assigned identities is forgetting to specify the identity to be used for Key Vault reference operations (the keyVaultReferenceIdentity property, step 5).

Hope this helps and have fun.

For the original version of this post see Andrew Wilson's personal blog at Key Vault Reference | Logic and Function Apps using User-Assigned Managed Identity