Last week the blog post “Simplifying security for serverless and web apps with Azure Functions and App Service” was published. In essence, it talks about how you can integrate Azure Functions with Azure Key Vault in order to retrieve secrets and import them into the application settings (being environment variables). You can do this in a secure manner, by providing the Azure Functions platform with a Managed Service Identity, and granting its underlying service principle with (limited: list & read) rights to the Key Vault.
Let’s take a look!
The first thing we’ll need to do, is to enable the “Managed service identity” for our Azure Function plan. Let’s browse to our Azure Function plan, and then select “Platform features”.
Navigate to “Managed service identity”, and put “Register with AAD” on “On”, and press save.
Next it’ll say that the registration was completed sucesfully.
Now, within your key vault, you can add an access policy by using the newly created “Managed service identity” (vmchooserdevv2 in this case) ;
Grant it “list” & “read” rights to the “secrets”, and press “Save”.
Inside of your key vault, you can prepopulate your settings.
For the next step, you’re going to need the “URL” of the specific secrets… This you can find by browsing to the secret, then navigating to the version you want, and then copy the URL from there…
So now that we know where to find those… We can integrate them into Azure Functions.
If (like me), you already had something in place, then you can simply replace the “value” of the application settings with the following syntax ;
Like this …
Once done, let’s test our function… and it works!
As I was a bit too eager, I had put all my app settings into Key Vault. Apparently the “WEBSITE_” variables don’t like to be put inside of key vault.
So leave them as is, and don’t do the same as I did here…
Azure Key Vault (and linked to it; Managed service identity) is one of those services you learn to appreciate when using it. By leveraging this integration, I can secure my secrets more tightly and have a central management of my settings. I don’t know how you feel by this, but I definitely like it a lot! 😉