In order to be able to use Azure Key vault from Azure functions at first you need to grant permissions to Azure Function app to read data (in our example we will use Secrets i.e. passwords, app secrets, etc. But you also may use the same technique to access keys and certificates which also may be stored there) from Azure Key vault. At first you need to create System assigned identify for your Azure function from Platform features > Identify:
On this page under System assigned tab set status to On:
After that go to Azure Key vault (if you don’t have it yet than create it first) and select Access policies > Add Access Policy. In opened page select Secret permissions > Get:
(if you store keys or certificates in Key vault you have to select appropriate Key or Certificate permissions).
In Select principal choose name of your Azure Function app. Principal will be available in this field only after creation of Function app principal which we made above.
After that your Azure functions will be able to read values from Azure Key vault. Note that you have to keep it in the following format in app settings:
@Microsoft.KeyVault(SecretUri=https://{key-vault-name}.vault.azure.net/secrets/{secret-name}/{id})
Then you may just read this param from app setting and it will be automatically expanded to the actual secret value stored in Key vault.
No comments:
Post a Comment