1. Create a new Azure Function instance in Azure

2. Create a new KeyVault instance in Azure

3. Ensure the Azure Function has 'Managed Service Identity' turned on

4. Add the Azure Function (by resource name) to the Key Vault's Access Policy list with 'Secret | Get' permissions Fill out only the 'Select Principal' part, not the 'Authorized application' part of the form

   You can get more detail on setting this up by reading this blog post from Functions PM, Jeff Hollan.

5. Use the KeyVault binding in your Azure Function by:

Adding the nuget package to your project

Install-Package BC3Technologies.Azure.Functions.Extensions.KeyVault -IncludePrerelease

Then referencing it in your Function definition

public static IActionResult Run([HttpTrigger(AuthorizationLevel.Function, "get", Route = null)]HttpRequest req, [KeyVaultSecret(@"MyKv", @"MySecretId")]string secretValue, ILogger log)

where MyKv and MySecretId are defined in your app settings like:

"MyKv": "kv23958612",
"MySecretId": "fooSecret"

6. Run your function & you will see the secretValue parameter populated with the value from the MyKv Key Vault for the secret MySecretId

• You can also use [KeyVaultSecret(@"MyKv", @"MySecretId")]**out** string myNewKeyValue to set the value of fooSecret in KeyVault
• You can get a JsonWebKey for a Key Vault key by using [KeyVaultKey("kvresourcesetting","keynamesetting")]JsonWebKey myKey