How can I configure my Azure Function to retrieve a Key Vault secret when invoked by an Azure Logic App?

John van Zalk 20 Reputation points
2025-05-04T01:56:15.9566667+00:00

I’ve stored an API key as a secret in Azure Key Vault and want my Function App—called from a Logic App—to pull that secret at runtime. I’ve already:

  1. Enabled a system-assigned managed identity on the Function App and Logic App
  2. Granted Key Vault Secrets User access to the Function App and Logic App

Despite this, when I try to add the Azure function to my Logic App and save, I’m getting the error message below. What could I be missing?

Workflow validation failed for the workflow ''. {"error":{"code":"ListFunctionKeysFailed","message":"Request to obtain the keys for function ... failed. Error details: '{"Code":"BadRequest","Message":"Encountered an error (InternalServerError) from host runtime.","Target":null,"Details":[{"Message":"Encountered an error (InternalServerError) from host runtime."},{"Code":"BadRequest"},{"ErrorEntity":{"Code":"BadRequest","Message":"Encountered an error (InternalServerError) from host runtime."}}],"Innererror":null}'."}}

Azure Key Vault

1 answer

  1. Chiugo Okpala 1,195 Reputation points MVP
    2025-05-04T06:10:26.26+00:00

    @John van Zalk welcome to the Microsoft Q&A community.

    It looks like you’ve taken most of the key steps for secure access, but that error suggests there might be an issue with how the Azure Function keys are being accessed by the Logic App. Here are a few things to check:

    1. Ensure the Managed Identity Has Access to Function Keys

    Even though you’ve enabled a system-assigned managed identity and granted Key Vault access, the Logic App also needs permissions to retrieve the function host keys. Try assigning the "Microsoft.Web/sites/hostkeys/list/action" role to the Logic App.

    2. Verify Key Vault Access for the Logic App

    Make sure that the Logic App itself has permission to read secrets from Key Vault and that the correct authentication method is being used in the Logic App’s settings.

    3. Check Azure Function Authentication Settings

    If you’ve enabled authentication on your Function App, ensure that it allows managed identity-based authentication for the Logic App. Otherwise, the request might fail due to security restrictions.

    4. Manually Retrieve the Key from Key Vault in the Function App

    Instead of relying on automatic key retrieval, you can test this manually by:

    Making an HTTP request within your Function App to Azure Key Vault using its system-assigned identity.

    Using Azure SDKs or REST APIs to fetch the secret and confirming it works independently of the Logic App.

    5. Check the Function App Logs for More Details

    Navigate to your Function App’s Application Insights logs or Monitor tab in Azure and see if there are any additional details about the internal server error.

    6. Try Using an Azure Key Vault Reference Instead

    Instead of using direct API calls, Azure Functions supports Key Vault references in application settings, allowing secrets to be retrieved securely at runtime.

    Give these a try, and let me know what happens—sometimes the fix is hidden in a small overlooked permission setting.

    I hope this helps. Let me know if you have any further questions or need additional assistance.

    Also, if this answers your query, do click "Upvote" and "Accept the answer", which might be beneficial to other community members reading this thread.

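Added example, not part of the answer above and not Microsoft sample code: a standard-library Python check for the manual test in step 4, reading the secret over REST with the Function App's system-assigned identity and reporting which stage fails without ever returning the secret value. It assumes the `IDENTITY_ENDPOINT` and `IDENTITY_HEADER` variables that App Service and Functions set when a managed identity is enabled; the helper names are hypothetical and the vault and secret names are supplied by the caller.

```python
import json
import os
from urllib import error, parse, request

VAULT_RESOURCE = "https://vault.azure.net"  # token audience for Key Vault
HINTS = {
    401: "token rejected (wrong audience or expired)",
    403: "identity lacks secret read access, or the vault firewall blocked it",
    404: "vault or secret name not found",
}

def build_token_request(env=os.environ):
    """Build the call to the app's local managed identity endpoint."""
    endpoint, header = env.get("IDENTITY_ENDPOINT"), env.get("IDENTITY_HEADER")
    if not endpoint or not header:
        raise RuntimeError("managed identity is not enabled on this app")
    query = parse.urlencode(
        {"resource": VAULT_RESOURCE, "api-version": "2019-08-01"})
    return request.Request(
        f"{endpoint}?{query}", headers={"X-IDENTITY-HEADER": header})

def build_secret_request(vault_name, secret_name, token):
    """Build the Key Vault 'get secret' REST call (latest secret version)."""
    url = (f"https://{vault_name}.vault.azure.net/secrets/"
           f"{parse.quote(secret_name, safe='')}?api-version=7.4")
    return request.Request(url, headers={"Authorization": f"Bearer {token}"})

def check_secret_access(vault_name, secret_name, env=os.environ,
                        urlopen=request.urlopen):
    """Report which stage fails; the secret value is never returned or logged."""
    try:
        with urlopen(build_token_request(env), timeout=10) as resp:
            token = json.load(resp)["access_token"]
    except (RuntimeError, KeyError, error.URLError) as exc:
        return {"stage": "token", "ok": False, "detail": str(exc)}
    try:
        req = build_secret_request(vault_name, secret_name, token)
        with urlopen(req, timeout=10) as resp:
            value = json.load(resp)["value"]
    except error.HTTPError as exc:
        hint = HINTS.get(exc.code, "unexpected status")
        return {"stage": "secret", "ok": False,
                "detail": f"HTTP {exc.code}: {hint}"}
    except (KeyError, error.URLError) as exc:
        return {"stage": "secret", "ok": False, "detail": str(exc)}
    return {"stage": "secret", "ok": True,
            "detail": f"secret readable, length {len(value)}"}
```

A `token` stage failure points at the identity configuration on the Function App, while a `secret` stage failure with HTTP 403 points at the role assignment or network rules on the vault.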
