Access Key Vault Secrets from Azure functions Using Managed Identity.

Azure Key Vault

Azure Key Vault is a tool for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. A vault is a logical group of secrets.

I'm not going into Key Vault details in this post; see https://docs.microsoft.com/en-us/azure/key-vault/general/overview for more about Key Vault.

Initially I was using the Azure.Security.KeyVault.Secrets client library to retrieve secrets. It does the job well, but the function has to authenticate and open a connection to the vault in code before it can read anything. After some research I found a more elegant way: let the platform fetch the secrets on the function app's behalf using its managed identity, through Key Vault references in the application settings.

Let's get started.

I have created a function app and a Key Vault in my Azure subscription and added two secrets, UserName and Password.

Managed Identity

A system-assigned managed identity needs to be enabled on the function app (Identity blade, System assigned, Status On) so that it can authenticate to Key Vault. A system-assigned managed identity lets an Azure resource authenticate to other Azure services without any credential stored in code or configuration; its lifecycle is tied to the function app and it is deleted together with it.

Key Vault Access policy

An access policy needs to be added to the Key Vault so the function app can read secrets. Click Add Access Policy, grant only the Get secret permission (that is all Key Vault references need; do not hand out List, Set or Delete), then under Select principal search for the function app's name and add it. If the vault uses Azure RBAC instead of access policies, assign the function app's identity the Key Vault Secrets User role on the vault instead.

Now let's add the Key Vault references. Go to the function app's Configuration blade and create new application settings for UserName and Password whose values are references to the two secrets.

Reference Syntax

A Key Vault reference is of the form @Microsoft.KeyVault({referenceString}), where {referenceString} is one of the following:

SecretUri=secretUri
The SecretUri is the full data-plane URI of a secret in Key Vault, optionally including a version, e.g. https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931. If the version is omitted, the latest version of the secret is used.

VaultName=vaultName;SecretName=secretName;SecretVersion=secretVersion
The VaultName is the name of your Key Vault resource, the SecretName is the name of the target secret, and the optional SecretVersion is the version of the secret to use.

For the Password secret in this post, with a vault named myvault, the setting value is @Microsoft.KeyVault(VaultName=myvault;SecretName=Password).

Adapted from: https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references#reference-syntax

When the function app resolves the reference successfully, the Configuration blade shows a green check mark next to the setting. If the check mark does not appear, the reference was not resolved: check that the identity is enabled, that the access policy grants Get on secrets to that identity, and that the secret URI or vault and secret names are correct.

Now that the secret references are in the function app settings, the values can be read like any other setting with Environment.GetEnvironmentVariable inside the function: the platform resolves the reference and injects the secret value into the process environment, while the app settings themselves still show only the reference string. I created a sample HttpTrigger to read the config values and return the username and password (a strong password :-)) from Key Vault. For anything beyond a demo, return only whether the secrets resolved, never the secret itself, and keep the trigger's authorization level at Function or above.
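The HttpTrigger described above, written out as an added example (mine, not the code from the original post). It assumes the in-process Azure Functions .NET model (Microsoft.NET.Sdk.Functions) and the two app settings UserName and Password from this post; the function name ReadSecrets and the helper TryGetReferencedSetting are my own. Unlike the demo in the post it does not return the password: it checks that both references were actually resolved, reports which setting is broken if not, and otherwise confirms success without echoing the secret.

```csharp
using System;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;

namespace KeyVaultReferenceDemo
{
    public static class ReadSecrets
    {
        // App Service leaves the literal reference string in the setting when it
        // cannot resolve a Key Vault reference, so seeing this prefix at runtime
        // means "not resolved" (missing identity, missing Get permission, bad URI).
        private const string ReferencePrefix = "@Microsoft.KeyVault(";

        // Reads an app setting that is expected to hold a Key Vault reference.
        // Returns false with a reason if the setting is missing or still unresolved.
        // The reason names the setting but never contains the value.
        public static bool TryGetReferencedSetting(string name, out string value, out string reason)
        {
            value = Environment.GetEnvironmentVariable(name);

            if (string.IsNullOrEmpty(value))
            {
                reason = $"app setting '{name}' is not defined";
                return false;
            }

            if (value.StartsWith(ReferencePrefix, StringComparison.OrdinalIgnoreCase))
            {
                value = null;
                reason = $"app setting '{name}' still holds an unresolved Key Vault reference "
                       + "(check the managed identity, the access policy and the secret URI)";
                return false;
            }

            reason = null;
            return true;
        }

        private static IActionResult Misconfigured(ILogger log, string problem)
        {
            log.LogError("Key Vault reference not usable: {Problem}", problem);
            // 500 so that monitoring notices the misconfiguration; the body names
            // the setting, not the secret.
            return new ObjectResult(problem) { StatusCode = StatusCodes.Status500InternalServerError };
        }

        // Function-level auth: the caller needs a function key, so the endpoint
        // is not reachable anonymously even though it reveals no secret.
        [FunctionName("ReadSecrets")]
        public static IActionResult Run(
            [HttpTrigger(AuthorizationLevel.Function, "get")] HttpRequest req,
            ILogger log)
        {
            // "UserName" and "Password" are the app setting names used in this post.
            if (!TryGetReferencedSetting("UserName", out var userName, out var problem))
                return Misconfigured(log, problem);

            if (!TryGetReferencedSetting("Password", out var password, out problem))
                return Misconfigured(log, problem);

            log.LogInformation("Resolved Key Vault references for UserName and Password");

            // Use the credential here (open the downstream connection, call the
            // API, ...). The response only confirms that the secret was resolved.
            return new OkObjectResult(new
            {
                userName,
                passwordResolved = !string.IsNullOrEmpty(password)
            });
        }
    }
}
```

Run it locally with the Functions Core Tools and the two settings in local.settings.json; locally the values are plain strings (there is no platform to resolve references), so the check passes trivially. Deployed to Azure with a missing access policy, the function returns 500 with a message naming the broken setting instead of leaking the reference string or a half-configured credential to the caller.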

Conclusion

In this post we learned how to reference Key Vault secrets from a function app without using the Key Vault SDK. Hope you enjoyed it. Stay safe.

Useful links :

https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references

Thank you
Srinivasa Avanigadda
Twitter : @azsrini

