Use Azure Key Vault with Azure Functions
Instead of storing your secrets in Configuration Variables or (god forbid) hardcoded in your application, you should consider using Azure Key Vault for that.
Setting this up is actually pretty easy and can increase your security immensely. It only takes 3 steps:
Create Identity for Function App
Navigate to Identity in your Function App and enable it. Don’t forget to save here. You know it worked when you see your app's object ID.
Create Key Vault
The next step is to create the Key Vault whose secrets we want to use in our application. To keep it simple, use Vault access policy and create a policy for your Function App with the “Get secrets” permission.
You can skip the upcoming step and create the vault now. After that, create your secrets as usual.
Reference secret in Function App
All that is left to do now is to reference the secrets in our Function App. To do that, navigate back to your Function App and open the Configuration tab. (This is the place where you create your environment variables.) Here you need to create a new application setting.
Here you can see how to reference your secret. There are essentially two options. You can either use the URI of the secret or the names of the vault and the secret. Pick one.
@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/)
@Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret)
Click OK. Back in the Configuration screen, don’t forget to save. After saving, your app setting should look like this.
From here you can use your Key Vault Secret in your application like any other Environment variable.
string mysecret = Environment.GetEnvironmentVariable("MY_SECRET");
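When a reference cannot be resolved (for example, the app's identity lacks the “Get secrets” permission), the setting keeps the literal @Microsoft.KeyVault(...) text as its value, and the application would use that text as if it were the secret. The startup check below is an added example, not part of the original post; the SecretSettings class and its member names are hypothetical.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example: SecretSettings and its members are hypothetical names.
public static class SecretSettings
{
    // The literal reference syntax from the app setting, both forms.
    private static readonly Regex Reference =
        new Regex(@"^\s*@Microsoft\.KeyVault\((?<body>[^)]*)\)\s*$");

    // Returns true if value is still a reference string; target names what
    // it points at (never a secret value), for use in logs and errors.
    public static bool TryParseReference(string value, out string target)
    {
        target = "";
        var m = Reference.Match(value ?? "");
        if (!m.Success) return false;

        string uri = "", vault = "", secret = "";
        foreach (var part in m.Groups["body"].Value.Split(';'))
        {
            var kv = part.Split(new[] { '=' }, 2);
            if (kv.Length != 2) continue;
            switch (kv[0].Trim())
            {
                case "SecretUri": uri = kv[1].Trim(); break;
                case "VaultName": vault = kv[1].Trim(); break;
                case "SecretName": secret = kv[1].Trim(); break;
            }
        }
        target = uri != "" ? uri
               : vault != "" && secret != "" ? $"{vault}/{secret}"
               : "malformed reference";
        return true;
    }

    // Reads a setting and fails fast instead of using the reference text as the secret.
    public static string GetRequired(string name)
    {
        var value = Environment.GetEnvironmentVariable(name);
        if (string.IsNullOrEmpty(value))
            throw new InvalidOperationException($"App setting '{name}' is not set.");
        if (TryParseReference(value, out var target))
            throw new InvalidOperationException(
                $"App setting '{name}' is an unresolved Key Vault reference to {target}.");
        return value;
    }
}
```

Calling SecretSettings.GetRequired("MY_SECRET") in place of the direct Environment.GetEnvironmentVariable call surfaces a missing identity or access policy at startup rather than as an authentication failure later.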