How to store function app’s function keys in a key vault

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.


When running Azure function apps, we need function keys to access the functions. By default, the function keys of a function app are stored in a storage account, which is specified in the appsetting ‘AzureWebjobsStorage’.  You can view the keys in portal as shown below.


Fig 1. Host keys of function apps in portal



Fig 2. Function keys of a function in portal


If you go to the storage account specified in appsetting ‘AzureWebjobsStorage’, you can find the function keys in container ‘azure-webjobs-secrets’. You can see the below container where keys are stored.



Fig 3. The container where function keys are stored in the storage account


In the container, you can see the file ‘/{functionAppName}/host.json’, where function keys are stored.


Fig 4. The host.json file where function keys are written


Instead of a storage account, we can also choose a key vault to store function keys.  Below are the detailed steps.



1. At first, add below two appsettings to the function app.

Appsetting Name





<key vault's name>


2. Enable managed identity in ‘Identity’ blade of the function app in portal.


Fig 5. Enable managed identity of a function app.


3. Go to ‘Access Policies’ blade of the key vault in portal, add an access policy for the function app using the app’s managed identity. You need to give the function app at least the secret management permissions.


Fig 6. The access policies blade of the key vault.



Fig 7. Select your function app in ‘Select principal’, and give it the certificate management permissions.


4. You had better restart the function app to let the settings make sense immediately.  


5. Now when you add or delete host keys or function keys in portal, you will see the function keys in ‘secrets’ of the key vault.


Fig 8. Host/function keys stored in key vault.


Hope this article will be useful to you! Thanks for reading!







REMEMBER: these articles are REPUBLISHED. Your best bet to get a reply is to follow the link at the top of the post to the ORIGINAL post! BUT you're more than welcome to start discussions here:

This site uses Akismet to reduce spam. Learn how your comment data is processed.