[QUERY] Initial request from function app to retrieve key vault secret results in 401
Library name and version
Azure.Security.KeyVault.Secrets 4.5.0
Query/Question
We have an Azure Function App recently upgraded from v1 to v4. The function app is throwing 401’s on the initial request to retrieve a key vault secret. We cannot confirm if this has always been happening or if this is a result from the upgrade to v4.
The function app is now v4 in C# .NET 6 using the Azure.Security.KeyVault.Secrets nuget package. This is the full list of all nuget packages for the function app.
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
    <AzureFunctionsVersion>v4</AzureFunctionsVersion>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Azure.Identity" Version="1.9.0" />
    <PackageReference Include="Azure.Messaging.ServiceBus" Version="7.15.0" />
    <PackageReference Include="Azure.Security.KeyVault.Secrets" Version="4.5.0" />
    <PackageReference Include="Microsoft.Azure.Functions.Extensions" Version="1.1.0" />
    <PackageReference Include="Microsoft.Azure.WebJobs.Extensions.DurableTask" Version="2.10.0" />
    <PackageReference Include="Microsoft.Azure.WebJobs.Extensions.ServiceBus" Version="5.11.0" />
    <PackageReference Include="Microsoft.Extensions.Azure" Version="1.6.3" />
    <PackageReference Include="Microsoft.NET.Sdk.Functions" Version="4.2.0" />
  </ItemGroup>
  <ItemGroup>
    <None Update="host.json" CopyToPublishDirectory="Always">
      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
    </None>
    <None Update="local.settings.json">
      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
      <CopyToPublishDirectory>Never</CopyToPublishDirectory>
    </None>
  </ItemGroup>
</Project>
Here is the simplified code used to fetch the key vault secret,
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// DefaultAzureCredential walks its credential chain (managed identity, etc.) when a token is first needed.
DefaultAzureCredentialOptions credentialOptions = new DefaultAzureCredentialOptions();
DefaultAzureCredential azureCredentials = new DefaultAzureCredential(credentialOptions);
SecretClient client = new SecretClient(new Uri(keyVaultUrl), azureCredentials);
// GetSecretAsync takes a secret name and optional version, not a URI; parse the secret URL into those parts.
KeyVaultSecretIdentifier secretId = new KeyVaultSecretIdentifier(new Uri(secretUrl));
KeyVaultSecret secret = await client.GetSecretAsync(secretId.Name, secretId.Version);
return secret.Value;
All methods in this function app are static.
The code clearly works, eventually, after the first request throws a 401 because there is no authentication token provided. The request is then re-authenticated auto-magically and retried. With the valid token in place, the request is then successful and the key vault secret is returned.
I found this GitHub issue and tried to implement a startup class to configure the default Azure credentials,
https://github.com/Azure/azure-sdk-for-net/issues/29471
But when using the startup class, the function app threw this startup error,
I changed tactics and was able to prevent the 401’s from happening by using a key vault reference in our function app configuration.
https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references?tabs=azure-cli
My question is whether this is the intended behaviour when fetching secrets from our key vault using DefaultAzureCredential. If not, is the only way to prevent the 401 exceptions to use key vault references in our configuration? My concern is that we are receiving these 401 exceptions on many of our Azure app services, not just this function app, and they all use similar implementations of SecretClient and KeyVaultSecret with DefaultAzureCredential.
Environment
C# .NET 6 Azure Function App v4 Key Vault
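The 401-then-retry the poster describes matches Key Vault's challenge-based authentication: the SDK's first request to a vault deliberately carries no token, the vault answers 401 with a WWW-Authenticate Bearer challenge naming the authority and resource, and the client then acquires a token for that resource and retries. The following is an added example, not code from the issue or from the Azure SDK, that models that exchange against a constructed in-memory vault; the challenge string, token issuer and secret values are constructed placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed sample of the Bearer challenge a vault returns to an unauthenticated request
# (RFC 6750 shape; the tenant id is a placeholder, not a real tenant).
SAMPLE_CHALLENGE = (
    'Bearer authorization="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000", '
    'resource="https://vault.azure.net"'
)

def parse_bearer_challenge(header: str) -> dict:
    """Split a WWW-Authenticate Bearer challenge into its quoted key/value parameters."""
    if not header.startswith("Bearer "):
        raise ValueError("not a Bearer challenge")
    return dict(re.findall(r'(\w+)="([^"]*)"', header[len("Bearer "):]))

def scope_from_challenge(params: dict) -> str:
    """The challenge names a resource (or scope); the token must be requested for '<resource>/.default'."""
    resource = params.get("resource") or params.get("scope")
    if not resource:
        raise ValueError("challenge carries no resource/scope")
    return resource.rstrip("/") + "/.default"

@dataclass
class FakeVault:
    """Constructed stand-in for a vault: 401 plus challenge unless the expected bearer token is sent."""
    valid_token: str
    secrets: dict
    log: list = field(default_factory=list)  # status codes returned, in order

    def get_secret(self, name: str, authorization: Optional[str]):
        if authorization != f"Bearer {self.valid_token}":
            self.log.append(401)
            return 401, {"WWW-Authenticate": SAMPLE_CHALLENGE}, None
        self.log.append(200)
        return 200, {}, self.secrets[name]

def fetch_secret(vault: FakeVault, name: str, issue_token: Callable[[str, str], str]) -> str:
    """Challenge flow: unauthenticated probe, parse the challenge, obtain a token for its scope, retry once."""
    status, headers, body = vault.get_secret(name, authorization=None)
    if status != 401:
        return body
    params = parse_bearer_challenge(headers["WWW-Authenticate"])
    token = issue_token(params["authorization"], scope_from_challenge(params))
    status, _, body = vault.get_secret(name, authorization=f"Bearer {token}")
    if status != 200:
        raise PermissionError(f"vault returned {status} after authenticating")
    return body
```

Real clients cache the parsed challenge per vault, which is why only the first request to a vault shows the 401; a 401 that repeats on every call, or one that persists after the retry, is the signal worth alerting on.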
Top GitHub Comments
Unfortunately, I don’t have the answer to that, as it would be a behavior of the Functions runtime and not the extensions packages. Your assessment seems reasonable to me. I would guess that there’s filtering logic.
@fabiocav may be able to offer insight.
Hi @jason-goodlife, since you haven't asked that we /unresolve the issue, we'll close this out. If you believe further discussion is needed, please add a comment /unresolve to reopen the issue.