Home › Azure AZ-204 › cloudcomputing › az204security › An Azure Function needs to read a secret from Ke…
An Azure Function needs to read a secret from Key Vault on every cold start. What's the MOST secure recommended pattern?
AUse a managed identity on the function + a Key Vault access policy granting `Secret Get` to that identity; fetch via the Azure SDK
BEmail the secret to every developer
CDisable IAM on Key Vault entirely
DHard-code the secret in `local.settings.json` and commit it
Answer & Solution
Correct answer: A. Use a managed identity on the function + a Key Vault access policy granting `Secret Get` to that identity; fetch via the Azure SDK
MSI + Key Vault policy is the canonical secret-bootstrap pattern. The other options leak secrets or remove auth.
Related questions
Which Azure feature continuously scans App Service / Function code for known vulnerabilitiWhich type of Microsoft Identity token does a client present to a downstream API to prove Which configuration lets an Azure Function access a SECRET stored in Key Vault via an App An Azure Web App needs to authenticate users with Entra ID without writing OAuth code. WhiWhich Azure feature lets an admin grant a role assignment that's only ACTIVE for an approvWhich Azure feature lets a developer call `DefaultAzureCredential` from the Azure SDK and Which configuration gives an Azure VM, App Service, or Function App an identity to call KeWhich Azure service handles consumer/customer-facing identity (B2C) — sign-in for end user