Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Add a SecretStorageProvider for Key Vault that uses Azure.Identity
See original GitHub issueWhat problem would the feature you’re requesting solve? Please describe.
The existing Key Vault provider makes use of a library that is considered deprecated.
Describe the solution you’d like
Azure.Identity is the better choice for a dependency here, and it allows us to collapse the configuration, relying just on a single connection name. Microsoft.Extensions.Azure might be the best way to bring this in. This aligns with general design for referencing identities. User-assigned support is notable as still TBD from a configuration perspective, but should be handled by that connection abstraction.
Note that this must be a new provider within the host 3.0 context, as it would be a breaking change against the existing provider. In a future major version, the existing provider could be dropped in favor of this one.
Issue Analytics
- State:
- Created 3 years ago
- Comments:5 (5 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Relevant area: https://github.com/Azure/azure-functions-host/blob/08269604939797bf30b52c4dcb7077a2d57fc87b/src/WebJobs.Script.WebHost/Security/KeyManagement/KeyVaultSecretsRepository.cs
Uses: using Microsoft.Azure.KeyVault.Models; using Microsoft.Azure.Services.AppAuthentication; using Microsoft.Extensions.Logging; using Microsoft.IdentityModel.Clients.ActiveDirectory;
Desired instead:
Migration guide: https://docs.microsoft.com/en-us/dotnet/api/overview/azure/app-auth-migration
I note that the provider does in fact have a
connectionStringparameter which I think we mapped to a setting somewhere although it wasn’t doc’d. But those environment variables would need to be different now: https://github.com/Azure/azure-functions-host/blob/08269604939797bf30b52c4dcb7077a2d57fc87b/src/WebJobs.Script.WebHost/Security/KeyManagement/DefaultSecretManagerProvider.cs#L72-L73Other components in the system make use of https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/extensions/Microsoft.Extensions.Azure as an abstraction. This has a number of benefits, including using DefaultAzureCredential unless config is provided for a user-assigned identity. That makes use of a different config format though which may be a better replacement.
Closing as #7683 merged, @mattchenderson feel free to reopen if I missed anything