Azure Functions can be used in many different scenarios, and they often need to talk to other Azure components. That usually means credentials, and credentials should never be hardcoded in function code or left in plain configuration where they can be leaked or stolen. Azure Key Vault gives cloud applications a central, access-controlled store for secrets, which improves data protection and compliance and, because the vault sits in the same region as the application, keeps secret retrieval fast.
This blog post will detail how to integrate Azure Function App with Azure Key Vault.
TABLE OF CONTENTS
1. Function App Creation
2. Azure Key Vault Creation
3. Permissions for Function App
4. Accessing all Secrets from Vault with Function App by HTTP Trigger
5. Conclusion
6. CloudThat

1. Function App creation
Open the Azure portal and search for Function App in the search bar. Click on the Create button.
Select your subscription, create a resource group (if it does not already exist), and then fill in the rest of the details as follows.
You can leave the remaining fields at their defaults. Click Review + Create, and after validation passes click Create.
2. Azure Key Vault creation
Open the search bar and search for Key Vault. Click on the Create button.
Fill in the Subscription, Resource Group and Region. Leave the rest as default. Click Review + Create to validate your deployment details; after validation completes, click Create to start the deployment.
3. Permissions for Function App
Go to the Function App you created earlier. Scroll down in the left pane and you will see an option called Identity. Click on it.
On the System assigned tab the Status is Off by default. Switch it to On and save. Azure now creates a managed identity for the Function App and shows its Object (principal) ID. Copy that Object ID of the Function App, then go to the Key Vault you created earlier. Using a managed identity means the function never holds a client secret or certificate of its own: the platform issues it tokens at runtime.
Click on Access Policies to Add Access Policies.
Fill in the information as below and make sure that Secret permissions include Get and List; these are the only permissions the function in section 4 needs, so do not grant Key or Certificate permissions, and do not grant Set or Delete on secrets. Click Select principal, paste the Object ID of the Function App, select the identity, then click Add. Finally click Save on the Access policies page, otherwise the new policy is not applied. If your vault uses the Azure RBAC permission model instead of access policies, assign the built-in Key Vault Secrets User role to the Function App's identity at the vault scope.
Your Function App's identity can now read every secret in this Key Vault. That is convenient for a walkthrough but broader than a real workload usually needs, so once you know which secrets a function actually uses, keep that list short and prefer one vault per application. Next we will create some secrets and retrieve them from the Function App.
Click Secrets in the left pane, then click Generate/Import at the top. Enter the Name and Value of your secret and click Create. The secret is now stored encrypted in the vault.
4. Access all secrets from Vault via Function App using HTTP trigger
Accessing all secrets from Vault using Function App by HTTP trigger:

```python
import azure.functions as func
import logging
from azure.identity import ManagedIdentityCredential
from azure.keyvault.secrets import SecretClient


def main(req: func.HttpRequest) -> func.HttpResponse:
    logging.info('Python HTTP trigger function processed a request.')

    # The Function App's system-assigned managed identity from section 3;
    # no client secret or connection string is needed in code or settings.
    identity = ManagedIdentityCredential()
    secretClient = SecretClient(vault_url="https://vaulttest888.vault.azure.net/",
                                credential=identity)

    # List permission lets us enumerate secret names; Get permission lets us
    # read each value.
    secret_properties = secretClient.list_properties_of_secrets()
    Secret_list = {}
    for secret_property in secret_properties:
        secret = secretClient.get_secret(secret_property.name)
        Secret_list[secret_property.name] = secret.value

    return func.HttpResponse(f"{Secret_list}")
```

Replace the vault_url with the URL of your own Key Vault, deploy the function, and call its URL: the response lists every secret name and value in the vault. Treat this strictly as a connectivity test. A function that returns secret values to its HTTP caller turns the Key Vault permissions of its identity into a public secret dump, so keep the trigger's authLevel at function or admin rather than anonymous, and in real code use the secret inside the function (to reach a database or API) instead of returning it.
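The trigger above is the minimal proof that the managed identity and access policy work, but it is the shape of function nobody should deploy. The following added example (my own code, not part of the original post or CloudThat's material) is the hardened version of the same integration: it reads one secret chosen by a validated `name` query parameter, refuses anything outside an allow-list, and reports only the secret's name and version, never its value. It assumes two app settings I have named for illustration, KEY_VAULT_URL and ALLOWED_SECRETS (a comma-separated list), and a `fetch` callable shaped like the SDK's `SecretClient.get_secret`; the `StubSecret` and `demo_fetch` helpers are a constructed offline stand-in so the logic can be exercised without a vault.

```python
# Added example (not from the original post): hardened Key Vault HTTP trigger.
# Assumptions: app settings KEY_VAULT_URL and ALLOWED_SECRETS, a query
# parameter "name", and fetch(name) returning an object shaped like the SDK's
# KeyVaultSecret (.value and .properties.version).
import functools
import json
import logging
import os
import re
from types import SimpleNamespace

# Key Vault secret names: 1-127 characters, ASCII letters, digits and hyphens.
SECRET_NAME_RE = re.compile(r"[A-Za-z0-9-]{1,127}")


def validate_secret_name(name):
    """True only if `name` satisfies Key Vault's secret naming rules."""
    return isinstance(name, str) and SECRET_NAME_RE.fullmatch(name) is not None


def use_secret(name, allowed, fetch):
    """Runtime-independent core of the trigger.

    Returns (http_status, body). Only the secret's name and version are
    reported; the value is consumed here and never placed in the response.
    """
    if not validate_secret_name(name):
        return 400, "invalid secret name"
    if name not in allowed:
        # Deny by default: the identity may be able to read every secret in
        # the vault, so the function itself enforces the narrower allow-list.
        return 403, "secret not permitted for this function"
    try:
        secret = fetch(name)
    except Exception:  # e.g. azure.core.exceptions.ResourceNotFoundError
        logging.exception("lookup of secret %r failed", name)
        return 502, "secret lookup failed"
    # secret.value would be handed to a downstream client (database, API)
    # at this point; it is deliberately kept out of the HTTP response.
    body = json.dumps({"name": name, "version": secret.properties.version},
                      sort_keys=True)
    return 200, body


@functools.lru_cache(maxsize=1)
def _secret_client():
    """Build the SecretClient once per worker. Imports are deferred so the
    logic above stays importable where the Azure SDK is not installed."""
    from azure.identity import ManagedIdentityCredential
    from azure.keyvault.secrets import SecretClient
    return SecretClient(vault_url=os.environ["KEY_VAULT_URL"],
                        credential=ManagedIdentityCredential())


def main(req):
    """Azure Functions entry point. Bind it in function.json to an HTTP
    trigger with authLevel "function" (never "anonymous")."""
    import azure.functions as func
    allowed = frozenset(s for s in os.environ.get("ALLOWED_SECRETS", "").split(",") if s)
    status, body = use_secret(req.params.get("name"), allowed,
                              _secret_client().get_secret)
    return func.HttpResponse(body, status_code=status)


class StubSecret:
    """Constructed stand-in for KeyVaultSecret, used only for the offline demo."""
    def __init__(self, value, version):
        self.value = value
        self.properties = SimpleNamespace(version=version)


# Constructed offline "vault" so the checks can be run without Azure.
DEMO_VAULT = {"db-password": StubSecret("p@ss", "v1"),
              "api-key": StubSecret("k", "v7")}


def demo_fetch(name):
    """Offline fetch mirroring get_secret: raises for unknown names."""
    if name not in DEMO_VAULT:
        raise LookupError(name)
    return DEMO_VAULT[name]


if __name__ == "__main__":
    allowed = frozenset({"db-password", "missing"})
    for query in ("db-password", "api-key", "../etc", "missing"):
        print(query, "->", use_secret(query, allowed, demo_fetch))
```

Running the block locally walks the four outcomes: an allowed secret yields its name and version only, an existing but non-allow-listed secret is refused with 403, a malformed name is rejected before any vault call, and a lookup failure is reported without echoing the SDK error. In the Function App, the allow-list lives in app settings next to the vault URL, so widening it is a configuration change that shows up in the deployment history rather than a code change, and the access policy from section 3 can stay at Get and List.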