Accessing Azure App Configuration using Managed Identity in Azure Functions is slightly different from accessing other Azure services.
For most Azure services (Storage, Service Bus, Key Vault), you typically:
- Enable Managed Identity on the Function
- Grant RBAC access to the resource
- Create the SDK client using DefaultAzureCredential
However, App Configuration is usually loaded as part of the application configuration pipeline at startup, so it must be added via the host builder.
Prerequisites
- Enable Managed Identity on the Function App
- Grant the identity: App Configuration Data Reader on the App Configuration resource
Sample code as shown below
var host = new HostBuilder()
.ConfigureAppConfiguration(builder =>
{
string cs = Environment.GetEnvironmentVariable(“ConnectionString”);
builder.AddAzureAppConfiguration(options =>
options.Connect(new Uri(@“https://appconfiguri.azconfig.io”), new ManagedIdentityCredential()));
})
.ConfigureFunctionsWebApplication()
.Build();
host.Run();
Note: I’m using ManagedIdentityCredential but the recommend class is DefaultAzureCredential
Key Insight
- Other Azure services → authenticated when creating the client
- App Configuration → authenticated when building the configuration provider. That’s why it must be configured inside
ConfigureAppConfiguration().