KeyVault Secret in Azure Function

KeyVault Secret in Azure Function

Some time ago I discovered that for added security and convenience you can use secrets from KeyVault in Azure function configuration. Sensitive data is more secure and less people can access it.

KeyVault

First, we create KeyVault and enter a secret into it. When we’re done, copy the ‘Secret Identifier‘ we’ll need later.

Azure Key Vault Secrets
Azure key vault copy secret identifier

AppFunction

Now we can create AppFunction. For the app to be able to download secrets from KeyVault, click ‘Add / Edit application setting‘, enter any name and enter the value @Microsoft.KeyVault(SecretUri=<KeyVault_ Secret_Identifier>)

AppFunction - configuration
AppFunction - configuration add KeyVault secret
AppFunction - configuration

For Azure App Function to read the secret, you still need to create an identity for the function and grant it permissions in KeyVault. We create the identity by changing the status to ON and clicking save. We copy ‘Object ID‘ will be needed later.

appfunction identity

We open KeyVault and add a policy by clicking on ‘add Access Policy‘. We only give the necessary Get and List permissions for Secrets, in select principal we add ‘Object ID‘ to our Azure AppFunction.

Azure KeyVault Policies

If we did everything right, then after clicking refresh in the configuration of our function, we should see the value of Key vault Reference with a green mark.

Azure AppFunction KeyVault Reference

More information on Azure function can be found here https://docs.microsoft.com/pl-pl/azure/azure-functions/

More information on Key Vault can be found here https://docs.microsoft.com/pl-pl/azure/key-vault/


If you liked the article, see also my other posts https://lepczynski.it/en/azure_en/azure-keyvault-permanently-delete-a-secret/

Leave a Reply

Your email address will not be published. Required fields are marked *