Feature request: retrieve Azure Functions' secrets from Key Vault

All our secrets are in Key Vault so we need a way for Azure Functions to retrieve them from there instead of looking them up in app settings. In function.json, connection strings could be referenced using Key Vault URLs:

{
    "disabled": false,
    "bindings": [
        {
            "name": "myQueueItem",
            "queueName": "myqueue-items",
            "connection":"https://xxx.vault.azure.net:443/secrets/yyy",
            "type": "queueTrigger",
            "direction": "in"
        }
    ]
}

Connecting to Key Vault requires us to pass a client cert for app authentication, so the WEBSITE_LOAD_CERTIFICATES app setting will be needed.

Issue Analytics

  • State: open
  • Created 7 years ago
  • Reactions: 41
  • Comments: 58 (9 by maintainers)

Top GitHub Comments

19 reactions
parad0xchild commented, Nov 18, 2016

@sjwaight There is another problem with Key Vault not being directly integrated to retrieve keys. While you can code the connection in via Cert, SAS, or other means, if you have a highly scalable Azure Function (thousands of instances at once) you will overload the Key Vault with requests from the same IP address (leaving it with no open ports to fulfill requests). This will result in a failure in your function and an error like “Only one usage of each socket address (protocol/network address/port) is normally permitted”.

What really is needed is for a connection from the Azure Function to Key Vault so that you can define which secret or key you want, the orchestration to pull it out periodically and make it available to the function via an input variable. This will ensure you don’t make tons of unnecessary calls to the key vault resulting in a failure.
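
One way to keep a scaled-out function from calling Key Vault on every invocation, as the comment above asks for; this is an added example, not code from the issue or from the Azure Functions project. `CachedSecretProvider`, its `fetch` delegate and the 5-minute TTL are hypothetical, and the delegate stands in for whatever Key Vault client call the app actually uses (the demo passes a constructed fake).

```csharp
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;

public sealed class CachedSecretProvider
{
    private readonly Func<string, Task<string>> _fetch; // assumption: wraps the real Key Vault call
    private readonly TimeSpan _ttl;
    private readonly SemaphoreSlim _refreshLock = new SemaphoreSlim(1, 1);
    private readonly ConcurrentDictionary<string, (string Value, DateTimeOffset Expires)> _cache =
        new ConcurrentDictionary<string, (string Value, DateTimeOffset Expires)>();
    public CachedSecretProvider(Func<string, Task<string>> fetch, TimeSpan ttl) =>
        (_fetch, _ttl) = (fetch ?? throw new ArgumentNullException(nameof(fetch)), ttl);

    private bool IsFresh(string name, out string value)
    {
        var hit = _cache.TryGetValue(name, out var e) && e.Expires > DateTimeOffset.UtcNow;
        value = hit ? e.Value : null;
        return hit;
    }

    public async Task<string> GetAsync(string name)
    {
        if (IsFresh(name, out var value)) return value; // hot path: no lock, no network
        await _refreshLock.WaitAsync();
        try
        {
            if (IsFresh(name, out value)) return value; // re-check: refreshed while we waited
            value = await _fetch(name);
            _cache[name] = (value, DateTimeOffset.UtcNow + _ttl);
            return value;
        }
        finally { _refreshLock.Release(); }
    }

    public static async Task Main()
    {
        var calls = 0; // requests that reach the constructed stand-in for Key Vault
        var provider = new CachedSecretProvider(async name =>
        {
            Interlocked.Increment(ref calls);
            await Task.Delay(50); // simulated network latency
            return "constructed-secret-value";
        }, TimeSpan.FromMinutes(5));
        await Task.WhenAll(Enumerable.Range(0, 1000).Select(_ => provider.GetAsync("yyy")));
        Console.WriteLine($"1000 lookups, {calls} Key Vault request(s)");
    }
}
```

Held in a static field, one provider bounds traffic to one Key Vault request per secret per function instance per TTL. The trade-off is that a rotated or revoked secret can stay in use on an instance for up to one TTL.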

7 reactions
CrazyTuna commented, Oct 6, 2018

I’ve managed to get this working with Azure Function v2:

How to retrieve Azure Functions secrets from Key Vault

It uses the Microsoft.Extensions.Configuration.AzureKeyVault NuGet package.

I’ve added a startup script:

using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using System.Linq;

[assembly: WebJobsStartup(typeof(FunctionApp1.WebJobsExtensionStartup), "A Web Jobs Extension Sample")]
namespace FunctionApp1
{
    public class WebJobsExtensionStartup : IWebJobsStartup
    {
        public void Configure(IWebJobsBuilder builder)
        {
            // Gets the default configuration
            var serviceConfig = builder.Services.FirstOrDefault(s => s.ServiceType.Equals(typeof(IConfiguration)));
            var rootConfig = (IConfiguration)serviceConfig.ImplementationInstance;

            // Creates a new config based on the default one and adds the keyvault configuration builder
            var keyvaultName = rootConfig["keyVaultName"];
            var config = new ConfigurationBuilder()
                .AddConfiguration(rootConfig).AddAzureKeyVault($"https://{keyvaultName}.vault.azure.net/").Build();

            // Replace the existing config
            builder.Services.AddSingleton<IConfiguration>(config);
        }
    }
}

So:

  • The function app needs to use MSI.
  • The function app needs to have at least Read/List secrets permissions in the key vault.
  • The keyvaultName setting needs to be present in your local.settings.json or the app settings blade of the function app.