In this post, we’ll walk through how you can use Azure Key Vault to secure sensitive settings in Azure Functions. If you don’t have a Key Vault setup, I covered setting one up in the post titled ‘Setup Code Signing Certificates in Azure Key Value’
Azure Key Vault
Setting up a Secret
If you have secrets set up in your Key Vault you jump to Secret Details. If not, let’s create a secret in your Key Vault. In the Azure Portal, got to your Key Vault and click on
Secrets in the Settings section on the left.
- Click on
+ Generate/Importand you will come to the ‘Create a secret’ blade.
||Choose manual unless you want to upload a certificate|
||Enter the name for the secret, this should be easy to know what the secret is for. Example:
||Enter (paste) the secret value|
|Content Type||Put in an optional content type. This helps when serving the secrets|
|Set activation date?||Unchecked to have it be active when you click
|Set expiration date?||Unchecked to have the secret never expire|
||Whether or not to enable the secret on create|
Now that you have created the secret or already have one, we need to go to secret details to get the Url for the secret.
- Click on the secret name in your Key Vault secrets.
This will take you to blade that looks like this.
- Click on the current version number.
971663857bc3477ab80f0de1335dad65in this screen shot.
That takes you to the secret details
You’ll notice, as in this screenshot, there is a copy button highlighted next to the Secret Identifier that says
Copy to Clipboard. Click that button and paste that Url somewhere. We’ll need it in a future step. In this example, the value is
https://personalsecrets.vault.azure.net/secrets/the-name-of-the-secret/971663857bc3477ab80f0de1335dad65. If you notice, the format of the url is
Granting Access to the Secret
Assuming you have the Azure Function App set up already, click on
Access control (IAM) in the left menu. Note, you may have to go back to the home of your Key Vault to see it.
- Click on
+ Add, then
||We only need read permissions for this|
|Assign access to||
||As you start typing the name, it should start searching for resources that match that|
- Select the match
- Then click save.
Now head over to your Azure Function. In the
Settings group, click on
Configuration. If you need to create the setting click on
+ New application setting, otherwise click on an existing setting.
||The name you want to call the setting|
||This is the vault you copied previously|
The format of the value is
@Microsoft.KeyVault(SecretUri=<secret-url>). Replace the
<secret-url> which whatever was copied from the Key Vault Secrets.
Ok to save the secret. Then click
Save to save the setting(s) to your function. Once the vault is validated, usually in a few seconds, you will see the value in the Source column for that setting change to
Key vault Reference.
That’s it. Your application can now only be viewed by someone with the correct permissions in the Key Vault. However, a developer can see the secret in the code if they log it, I think.