
Names of _master and default secret in keyvault are not unique so function apps cannot share same keyvault

Open bujhie opened this issue 3 years ago • 8 comments

Function App name: doesn't matter
Tools used: irrelevant
New V4 app

We are trying to use multiple function apps for some data integration work and are trying to secure their configuration. So we are trying to follow the recommendations from here: https://learn.microsoft.com/en-us/azure/azure-functions/security-concepts?tabs=v4

We have managed to instantiate a function app and integrate it with Key Vault using a user-managed identity. We can see that the function app successfully creates two secrets, _master and default. The problem is that the names of these secrets are not unique: 'host--functionKey--default' and 'host--masterKey--master' (see screenshot), which means instantiating the second function app creates a broken function app with no keys or ability to create new ones: the option to create is greyed out, but after a long wait I can initiate key creation, which fails with the error "Encountered an error (InternalServerError) from host runtime."

The fact that the default keys aren't uniquely named will also create an issue when one deletes the function app and creates a new one pointing to the same Key Vault.

Also, before you suggest it: we are not able to adopt the model where we allocate a dedicated Key Vault instance to each function app.

(three screenshots attached)

bujhie avatar Dec 02 '22 01:12 bujhie
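A pre-flight check for the collision the issue describes, added here as an example; it is not code from the issue, from Azure Functions, or from any Microsoft sample. It takes the host-secret naming scheme exactly as reported above ('host--masterKey--master' and 'host--functionKey--default') and, given the secret names already present in a vault (constructed sample data below; in practice the output of `az keyvault secret list`), reports whether the vault is already claimed by an app's host keys and which names a second app would collide on. The regular expression for additional host keys and the `VaultCheck` structure are assumptions for the example.

```python
"""Pre-flight check before pointing a second function app at a shared Key Vault.

Naming scheme taken from the issue report; everything else here is assumed.
"""
import re
from dataclasses import dataclass

# Secret names the issue reports the host runtime creating for a new app.
HOST_KEY_SECRETS = ("host--masterKey--master", "host--functionKey--default")

# Assumed general shape of runtime-managed host secrets: host--<kind>--<keyname>.
HOST_SECRET_RE = re.compile(
    r"^host--(?P<kind>masterKey|functionKey)--(?P<name>[A-Za-z0-9-]+)$"
)


@dataclass(frozen=True)
class VaultCheck:
    claimed: bool                      # vault already holds another app's host keys
    collisions: tuple[str, ...]        # names a freshly created app would also write
    other_host_secrets: tuple[str, ...]  # further host keys (custom function keys)


def parse_host_secret(name: str):
    """Return (kind, keyname) for a runtime-managed host secret, else None."""
    m = HOST_SECRET_RE.match(name)
    if m is None:
        return None
    return m.group("kind"), m.group("name")


def check_vault(existing_secret_names) -> VaultCheck:
    """Decide whether a new function app can safely be bound to this vault.

    A vault is 'claimed' as soon as any of the two default host secrets exists;
    creating a second app would then try to write the same names, which is the
    failure mode the issue describes.
    """
    existing = set(existing_secret_names)
    collisions = tuple(n for n in HOST_KEY_SECRETS if n in existing)
    others = tuple(
        sorted(
            n for n in existing
            if parse_host_secret(n) is not None and n not in HOST_KEY_SECRETS
        )
    )
    return VaultCheck(
        claimed=bool(collisions),
        collisions=collisions,
        other_host_secrets=others,
    )


# Constructed sample: what the vault looks like after the first app is bound
# to it and one extra function key ('ci') has been added through the portal.
SAMPLE_VAULT = [
    "host--masterKey--master",
    "host--functionKey--default",
    "host--functionKey--ci",
    "SqlConnectionString",   # unrelated application secret, ignored by the check
]


def main() -> None:
    result = check_vault(SAMPLE_VAULT)
    if result.claimed:
        print("Vault already holds host keys; a second app would collide on:")
        for name in result.collisions:
            print("  ", name)
        if result.other_host_secrets:
            print("Additional host keys present:", ", ".join(result.other_host_secrets))
    else:
        print("No host keys present; a function app can be bound to this vault.")


if __name__ == "__main__":
    main()
```

Run it against the real vault by replacing `SAMPLE_VAULT` with the `name` fields from `az keyvault secret list --vault-name <vault> --query "[].name"`; a `claimed` result means the second app will hit exactly the broken state reported above, so bind it to a different vault or wait for a per-app naming scheme.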

@bujhie We will discuss this issue with our next level team and update you.

ramya894 avatar Dec 07 '22 10:12 ramya894

Thanks @ramya894. Very much looking forward to it

bujhie avatar Dec 08 '22 00:12 bujhie

@ramya894 Any updates?

avetkhov avatar Jun 15 '23 09:06 avetkhov

@ramya894 It is the same in our case. We are just starting to move the function keys from the default storage account to a Key Vault (we share a Key Vault across many function apps in the subscription), but this limitation is actually weird, since this should be a common way of working.

Do you have any news?

orestescu avatar Jul 10 '23 10:07 orestescu

I would be interested in a solution as well.

gegetoth avatar Mar 15 '24 10:03 gegetoth