Azure Function Forbidden Access to Key Vault despite Appropriate IAM Permission and Firewall Settings

Phillip Blackwell 20 Reputation points
2025-05-07T16:18:49.57+00:00

I am encountering an issue where my Azure Function is being called from Azure Data Factory (ADF) and needs to access an Azure Key Vault.

Setup:

  • The Azure Function uses a System Assigned Managed Identity.
  • It has been granted Key Vault Secrets User role (RBAC) on the Key Vault.
  • The Key Vault firewall is configured with:
    • Allow public access from specific virtual networks and IP addresses enabled.
    • Allow trusted Microsoft services to bypass this firewall enabled (which should include ADF and Azure Functions).
  • The Azure Function App is:
    • Hosted in East US 2.
    • Dynamic Pricing Tier (Consumption Plan).
  • The Key Vault is in East US.

Problem:

When the Function is deployed and triggered from ADF, it fails to access Key Vault with the following error:

"Forbidden", "message": "Client address is not authorized and caller is not a trusted service"

This occurs despite the Function having the correct role assignments and the Key Vault firewall allowing trusted services.

Workaround:

  • If we manually allow a large range of public IPs from the possible IP addresses that the function app can use (e.g., 4.130.0.0/16) in the Key Vault firewall, the Function is able to access Key Vault.

However, there are still IPs that fall outside this range, and manually maintaining wide IP ranges is not secure or reliable.

  • We do not want to upgrade to a higher plan just to enable VNet Integration to solve this; the trusted Microsoft services bypass should be enough.

Accepted answer
  1. Chandra Boorla 12,285 Reputation points Microsoft External Staff Moderator
    2025-05-07T20:36:44.9433333+00:00

    @Phillip Blackwell

    You're encountering this issue because Azure Functions on the Consumption Plan do not consistently appear as "trusted Microsoft services" from the Key Vault's perspective, even if the "Allow trusted Microsoft services to bypass this firewall" setting is enabled.

    Understanding the Issue:

    The problem you’re experiencing is due to the limitations of the "Allow trusted Microsoft services to bypass this firewall" setting in Azure Key Vault. Although this setting should allow trusted Azure services (including Azure Functions and ADF), it may not consistently work for Azure Functions in a Consumption Plan. This is because:

    • Azure Functions (Consumption Plan) do not have static outbound IP addresses. Their IPs can change dynamically, making it difficult to maintain consistent IP whitelisting.
    • The Key Vault firewall can only recognize the service IPs, not the managed identity itself, meaning the IPs must be explicitly allowed.

    For more details, please refer to: Network security for Azure Key Vault

    Your Current Workaround:

    Manually allowing a large IP range is a temporary fix but is neither secure nor reliable because:

    • The range may not always cover all potential IPs used by your Function.
    • It exposes your Key Vault to a broad IP range, increasing security risks.

    Recommended Microsoft-Supported Solutions:

    Use Key Vault References in Function App Settings (for secrets) - Instead of calling Key Vault directly from code, configure your application settings to reference secrets directly.

    For details, please refer to: Use Key Vault references in Azure Functions

    Use a Premium Plan (or higher) and Enable VNet Integration - This allows your Function App to securely access the Key Vault via VNet and/or Private Endpoint.

    For more details, please refer to: Integrate Azure Functions with VNets

    Use IP Firewall Rules with Reliable IP List Updates - If you must continue using the Consumption Plan, you can script regular updates to the Key Vault firewall using published Azure IP ranges.

    For additional information, please refer to: Azure IP Ranges and Service Tags

    I hope this information helps. Please do let us know if you have any further queries.

    Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.

    Thank you.

    1 person found this answer helpful.
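The accepted answer's third option (keep the Consumption plan and script the Key Vault firewall rules) and the question's /16 workaround differ mainly in how much address space they expose. The script below is an added example, not code from the thread or from Microsoft: it parses the three inputs a practitioner actually has (the Function App's `possibleOutboundIpAddresses` from `az functionapp show`, the vault's current IP rules, and the published Service Tags JSON), reports which outbound IPs the current rules miss (those are the callers that get the "Client address is not authorized" 403), collapses the outbound IPs into the smallest exact rule set, compares the number of source addresses each option admits, and renders the matching `az keyvault network-rule add` commands. Every IP, prefix and the service-tag snippet are constructed for the example, and the vault and resource-group names are placeholders. Two caveats the thread already implies: the Key Vault firewall takes IPv4 addresses or CIDRs, not service tags, so the tag's prefixes have to be expanded into rules; and the outbound IP list of a Consumption-plan app is not guaranteed stable, so this has to be re-run on a schedule (and diffed) rather than applied once.

```python
"""Added example (not from the Q&A thread): check a Consumption-plan Function's
possible outbound IPs against a Key Vault firewall and derive minimal rules.

All IPs, prefixes and the service-tag snippet are constructed for the example.
In practice the inputs come from:
  az functionapp show -n <app> -g <rg> --query possibleOutboundIpAddresses -o tsv
  az keyvault show -n <vault> -g <rg> --query properties.networkAcls.ipRules -o json
  the Service Tags JSON from the "Azure IP Ranges and Service Tags" download
"""
import ipaddress
import json
from typing import Iterable

IPv4Net = ipaddress.IPv4Network

# Constructed: shape of possibleOutboundIpAddresses (comma separated, no spaces).
POSSIBLE_OUTBOUND = "4.130.12.34,4.130.200.7,20.44.17.80,20.44.17.81,52.179.5.9"

# Constructed: the broad rule from the question's workaround.
VAULT_RULES = ["4.130.0.0/16"]

# Constructed snippet in the shape of the Service Tags file
# (values[].name / properties.addressPrefixes); the prefixes are made up.
SERVICE_TAGS_JSON = json.dumps({
    "values": [
        {"name": "AzureCloud.eastus2",
         "properties": {"addressPrefixes": ["4.130.0.0/16", "20.44.16.0/21", "52.179.0.0/17"]}},
        {"name": "AzureCloud.eastus",
         "properties": {"addressPrefixes": ["40.71.0.0/16"]}},
    ]
})


def parse_outbound_ips(csv: str) -> list[ipaddress.IPv4Address]:
    """Parse the comma-separated list returned by `az functionapp show`."""
    return [ipaddress.IPv4Address(p.strip()) for p in csv.split(",") if p.strip()]


def to_networks(rules: Iterable[str]) -> list[IPv4Net]:
    """Key Vault IP rules are bare IPv4 addresses or CIDRs; normalise to networks."""
    return [ipaddress.IPv4Network(r, strict=False) for r in rules]


def service_tag_prefixes(doc: str, tag: str) -> list[IPv4Net]:
    """Extract the addressPrefixes of one tag from a Service Tags JSON document."""
    for entry in json.loads(doc)["values"]:
        if entry["name"] == tag:
            return to_networks(entry["properties"]["addressPrefixes"])
    raise KeyError(f"service tag {tag!r} not found")


def uncovered(ips: Iterable[ipaddress.IPv4Address],
              allowed: Iterable[IPv4Net]) -> list[ipaddress.IPv4Address]:
    """Outbound IPs no rule covers: calls from these get the 403 in the question."""
    allowed = list(allowed)
    return [ip for ip in ips if not any(ip in net for net in allowed)]


def minimal_rules(ips: Iterable[ipaddress.IPv4Address]) -> list[IPv4Net]:
    """Smallest CIDR set covering exactly the given IPs (adjacent /32s merge)."""
    return list(ipaddress.collapse_addresses(ipaddress.IPv4Network(str(ip)) for ip in ips))


def exposure(nets: Iterable[IPv4Net]) -> int:
    """Number of source addresses a rule set admits: a blunt blast-radius metric."""
    return sum(n.num_addresses for n in nets)


def az_commands(vault: str, rg: str, nets: Iterable[IPv4Net]) -> list[str]:
    """Render one `az keyvault network-rule add` per rule.

    /31 and /32 networks are expanded to bare addresses so the result does not
    depend on how the service treats host-sized CIDRs; larger prefixes stay CIDR.
    """
    cmds = []
    for n in nets:
        targets = [str(a) for a in n] if n.prefixlen >= 31 else [n.with_prefixlen]
        for t in targets:
            cmds.append(f"az keyvault network-rule add --name {vault} "
                        f"--resource-group {rg} --ip-address {t}")
    return cmds


if __name__ == "__main__":
    ips = parse_outbound_ips(POSSIBLE_OUTBOUND)
    current = to_networks(VAULT_RULES)
    print("missed by current /16:", [str(i) for i in uncovered(ips, current)],
          "exposure:", exposure(current))
    tag = service_tag_prefixes(SERVICE_TAGS_JSON, "AzureCloud.eastus2")
    print("missed by service tag:", uncovered(ips, tag), "exposure:", exposure(tag))
    tight = minimal_rules(ips)
    print("exact rules:", [n.with_prefixlen for n in tight], "exposure:", exposure(tight))
    for cmd in az_commands("kv-example", "rg-example", tight):  # placeholder names
        print(cmd)
```

Run on the constructed data, the /16 from the question misses three of the five outbound IPs while admitting 65,536 source addresses; the full region tag covers everything but admits over 100,000; the exact rule set covers everything and admits five. The scheduled job the accepted answer describes is then: fetch the current outbound list, compute `uncovered` against the live rules, and add only what is missing (and remove rules for addresses that dropped out of the list), which keeps the firewall as tight as the plan allows without the broad ranges the question had to fall back on.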

1 additional answer

  1. Azar 28,155 Reputation points MVP Moderator
    2025-05-07T20:32:09.2+00:00

    Hi there Phillip Blackwell

    Thanks for using the Q&A platform.

    So you did mention it: if staying on the Consumption Plan, your workaround (manual IP allowlisting) is sadly the most viable, though painful.

    Alternatively, move the Function to a Premium Plan (which gives static outbound IPs) or enable VNet Integration for secure access; yes, it costs more.

    You can also consider moving the secret access to ADF itself using its managed identity, and pass secrets to the function as parameters securely.

    If this helps, kindly accept the answer. Thanks much.
