Use Azure Key Vault with Azure Functions

Instead of storing your secrets in Configuration Variables or (god forbid) hardcoded in your application, you should consider using Azure Key Vault for that.

Setting this up is actually pretty easy and can increase your security immensely. It only takes 3 steps:


Create Identity for Function App

Navigate to Identity in your Function App and enable it. Don’t forget to save here. You know it worked when you see your app's object ID.

Enable Identity for Azure Function App

Create Key Vault

The next step is to create the Key Vault whose secrets we want to use in our application. To keep it simple, use Vault access policy and create a policy for your function app with “Get secrets” permission.

create vault access policy

select get secrets permission

select the identity of your function app you created in the previous step

You can skip the upcoming step and create the vault now. After that create your secrets as usual.

Reference secret in Function App

All that's left to do now is to reference the secrets in our function app. To do that, navigate back to your Function App and open the Configuration tab. (This is the place where you create your environment variables.) Here you need to create a new application setting.

create app setting

Here you can see how to reference your secret. There are essentially two options. You can either use the URI of the secret or the names of the vault and the secret. Pick one.

@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/)
@Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret)

create reference

Click OK. Back in the Configuration screen, don’t forget to save. After saving, your app setting should look like this.

From here you can use your Key Vault Secret in your application like any other Environment variable.

string mysecret = Environment.GetEnvironmentVariable("MY_SECRET");
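
If the reference cannot be resolved (for example, the identity or the “Get secrets” policy is missing), the platform leaves the literal `@Microsoft.KeyVault(...)` string in the setting instead of the secret. The following is an added example, not code from the original post, that fails fast in that case without logging the value; `SecretSettings`, `GetRequiredSecret` and `BROKEN_SECRET` are hypothetical names.

```csharp
using System;

public static class SecretSettings
{
    // Prefix of the reference syntax shown above. When the reference could not
    // be resolved, the setting holds this literal text instead of the secret.
    private const string ReferencePrefix = "@Microsoft.KeyVault(";

    // Classifies a raw app setting value without returning or logging it.
    public static bool IsUnresolvedReference(string value) =>
        value != null &&
        value.TrimStart().StartsWith(ReferencePrefix, StringComparison.OrdinalIgnoreCase);

    // Reads a secret-backed setting and fails fast when it is missing or
    // still contains the unresolved reference string.
    public static string GetRequiredSecret(string settingName)
    {
        string value = Environment.GetEnvironmentVariable(settingName);

        if (string.IsNullOrWhiteSpace(value))
            throw new InvalidOperationException(
                $"App setting '{settingName}' is not set.");

        if (IsUnresolvedReference(value))
            throw new InvalidOperationException(
                $"App setting '{settingName}' is an unresolved Key Vault reference. " +
                "Check the app's identity and its 'Get secrets' access policy.");

        return value;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample values, set in-process so the example runs locally.
        Environment.SetEnvironmentVariable("MY_SECRET", "constructed-sample-value");
        Environment.SetEnvironmentVariable("BROKEN_SECRET",
            "@Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret)");

        string mysecret = SecretSettings.GetRequiredSecret("MY_SECRET");
        Console.WriteLine($"MY_SECRET resolved, length {mysecret.Length}");

        try { SecretSettings.GetRequiredSecret("BROKEN_SECRET"); }
        catch (InvalidOperationException ex) { Console.WriteLine(ex.Message); }
    }
}
```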