Share via

Azure Function App failing to read Key Vault secrets during runtime

Dan Nelson 20 Reputation points
2025-11-24T00:43:23.5333333+00:00

My Azure Function App is integrated with Azure Key Vault using a system-assigned managed identity. The identity has Get and List permissions, and the Key Vault firewall is set to allow Azure services. The app starts normally, but during runtime the function fails with a “secret not found or access denied” error. Has anyone seen this behavior before, and what fixed it for you?

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
0 comments
Answer accepted by question author
  1. Q&A Assist
    2025-11-24T00:43:32.6566667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    If your Azure Function App is failing to read Key Vault secrets during runtime and you're encountering a "secret not found or access denied" error, consider the following troubleshooting steps:

    1. Check Key Vault Access Policies: Ensure that the managed identity assigned to your Azure Function App has the correct access policies configured in the Key Vault. You should verify that the identity has both Get and List permissions for secrets.
    2. Managed Identity Configuration: Confirm that the system-assigned managed identity is correctly enabled for your Azure Function App. You can check this in the Azure portal under the Identity section of your Function App.
    3. Key Vault Firewall Settings: Although you mentioned that the Key Vault firewall is set to allow Azure services, double-check that there are no additional network restrictions that might prevent access from your Function App.
    4. Secret Existence: Make sure that the secret you are trying to access actually exists in the Key Vault and that the name used in your Function App matches the secret's name in the Key Vault.
    5. Application Settings: Ensure that your application settings in the Azure Function App are correctly configured to reference the Key Vault secrets. If you are using Key Vault references, verify that the syntax is correct.
    6. Diagnostics Tools: Utilize Azure's built-in diagnostics tools to gather more information about the failure. You can go to your Function App in the Azure portal, select Diagnose and solve problems, and look for any relevant diagnostic information related to Key Vault access.

    By following these steps, you should be able to identify and resolve the issue preventing your Azure Function App from accessing Key Vault secrets during runtime.

    References:

    0 comments

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Adam Zachary 2,025 Reputation points
    2025-11-24T00:50:34.8066667+00:00

    I’ve run into this before, and the confusing part is that everything looks correctly configured. The Function App starts, the managed identity exists, the Key Vault access policy is correct, but the app still throws “secret not found or access denied” during runtime.

    The issue is almost always that the Function App is using a different identity at runtime than the one you granted access to. This happens after a scale-out, a restart, or when swapping slots.

    Two things have fixed this every time for me:

    Re-enable the system-assigned managed identity on the Function App. Turn it Off and then On again. This regenerates the identity and re-syncs the principal ID.

    After re-enabling, re-add the new principal ID to Key Vault with Get and List permissions. The old object ID becomes invalid, which is why runtime access fails.

    Once the Key Vault access policy is tied to the refreshed identity, the “secret not found / access denied” error disappears immediately.

    This issue shows up a lot with Function Apps because the identity object breaks silently after certain operations. Recreating the identity and re-assigning permissions is the reliable fix.

    1 person found this answer helpful.

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.