Introduction
Last week the blog post “Simplifying security for serverless and web apps with Azure Functions and App Service” was published. In essence, it talks about how you can integrate Azure Functions with Azure Key Vault in order to retrieve secrets and import them into the application settings (being environment variables). You can do this in a secure manner, by providing the Azure Functions platform with a Managed Service Identity, and granting its underlying service principal (limited: list & read) rights to the Key Vault.
Let’s take a look!
The first thing we’ll need to do is enable the “Managed service identity” for our Azure Function plan. Let’s browse to our Azure Function plan, and then select “Platform features”.
Navigate to “Managed service identity”, and put “Register with AAD” on “On”, and press save.
Next it’ll say that the registration was completed successfully.
Now, within your key vault, you can add an access policy by using the newly created “Managed service identity” (vmchooserdevv2 in this case):
Grant it “list” & “read” rights to the “secrets”, and press “Save”.
Inside of your key vault, you can prepopulate your settings.
For the next step, you’re going to need the “URL” of each specific secret. You can find it by browsing to the secret, navigating to the version you want, and copying the URL from there.
So now that we know where to find those… We can integrate them into Azure Functions.
If (like me) you already had something in place, then you can simply replace the “value” of the application settings with the following syntax:
@Microsoft.KeyVault(SecretUri=secret_uri_with_version)
Like this …
Once done, let’s test our function… and it works!
Gotcha!
As I was a bit too eager, I had put all my app settings into Key Vault. Apparently the “WEBSITE_” variables don’t like to be put inside of key vault.
So leave them as is, and don’t do the same as I did here…
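The two things worth checking before you push settings like these are the ones the post just walked through: the value must use the @Microsoft.KeyVault(SecretUri=...) syntax with a versioned secret URL, and WEBSITE_ settings must stay as plain values. The following is an added example (not code from the post or from Microsoft) that builds such a reference and runs a pre-deployment lint over an app-settings dictionary; the vault name contoso-kv, the secret names, the version string and the SAMPLE_SETTINGS dictionary are all constructed for the example.

```python
import re
from typing import List, Optional
from urllib.parse import urlparse

# Matches the reference syntax shown in the post: @Microsoft.KeyVault(SecretUri=<url>)
REF_PATTERN = re.compile(r"^@Microsoft\.KeyVault\(SecretUri=(?P<uri>[^)]+)\)$")


def _is_versioned_secret_uri(secret_uri: str) -> bool:
    """True when the URI looks like https://<vault>/secrets/<name>/<version>."""
    parsed = urlparse(secret_uri)
    parts = [p for p in parsed.path.split("/") if p]
    return parsed.scheme == "https" and len(parts) == 3 and parts[0] == "secrets"


def build_reference(secret_uri: str) -> str:
    """Wrap a versioned secret URI in the app-setting reference syntax."""
    if not _is_versioned_secret_uri(secret_uri):
        raise ValueError(
            "expected https://<vault>/secrets/<name>/<version>, got %r" % secret_uri
        )
    return "@Microsoft.KeyVault(SecretUri=%s)" % secret_uri


def parse_reference(value: str) -> Optional[str]:
    """Return the secret URI inside a Key Vault reference, or None for a plain value."""
    match = REF_PATTERN.match(value)
    return match.group("uri") if match else None


def check_app_settings(settings: dict) -> List[str]:
    """Lint app settings; returns one human-readable problem per offending setting."""
    problems = []
    for name, value in settings.items():
        uri = parse_reference(value)
        if uri is None:
            continue  # plain value, nothing to check
        if name.startswith("WEBSITE_"):
            # The gotcha from the post: platform WEBSITE_* settings must stay plain.
            problems.append("%s: WEBSITE_* settings must not be Key Vault references" % name)
        elif not _is_versioned_secret_uri(uri):
            problems.append(
                "%s: secret URI must be https://<vault>/secrets/<name>/<version>" % name
            )
    return problems


# Constructed sample settings (hypothetical vault, names and version).
VAULT = "https://contoso-kv.vault.azure.net"
SAMPLE_SETTINGS = {
    "CosmosDbKey": build_reference(VAULT + "/secrets/CosmosDbKey/0123456789abcdef"),
    "WEBSITE_NODE_DEFAULT_VERSION": build_reference(VAULT + "/secrets/NodeVersion/0123456789abcdef"),
    "UnversionedKey": "@Microsoft.KeyVault(SecretUri=%s/secrets/UnversionedKey)" % VAULT,
    "PlainSetting": "not-a-secret",
}

if __name__ == "__main__":
    for problem in check_app_settings(SAMPLE_SETTINGS):
        print("PROBLEM:", problem)
```

Run it and the two problems reported are the WEBSITE_ setting and the reference without a version; the plain setting and the correctly versioned reference pass. Dropping the version from a reference is worth catching early because the syntax in the post expects the versioned URL, and a silent failure here surfaces only as an empty environment variable at runtime.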
Closing Thoughts
Azure Key Vault (and linked to it; Managed service identity) is one of those services you learn to appreciate when using it. By leveraging this integration, I can secure my secrets more tightly and have a central management of my settings. I don’t know how you feel by this, but I definitely like it a lot! 😉
Hi Karim, thanks for the great walkthrough. That was very helpful
Just a quick one, you can keep all connection details in one KeyVault secret keeping the secret value as {“collectionName”, “”, “databaseName”: “”, “userName”: “”, “password”: “”} and then addressing it from Azure Function with JSON.parse(process.env[”]).collectionName etc.
Hello Karim,
I do not have Azure AD rather Azure AD B2C, Can I integrate key vault with MSI using Azure AD B2C? Is KeyVault supported with Azure AD B2C? Please respond
To my knowledge the Azure control/management pane only works with AAD (not AAD B2B)