Feature request: retrieve Azure Functions' secrets from Key Vault
All our secrets are in Key Vault so we need a way for Azure Functions to retrieve them from there instead of looking them up in app settings. In function.json, connection strings could be referenced using Key Vault URLs:
{
  "disabled": false,
  "bindings": [
    {
      "name": "myQueueItem",
      "queueName": "myqueue-items",
      "connection": "https://xxx.vault.azure.net:443/secrets/yyy",
      "type": "queueTrigger",
      "direction": "in"
    }
  ]
}
Connecting to Key Vault requires us to pass a client cert for app authentication, so the WEBSITE_LOAD_CERTIFICATES app setting will be needed.
Issue Analytics
- State:
- Created 7 years ago
- Reactions:41
- Comments:58 (9 by maintainers)
Top GitHub Comments
@sjwaight There is another problem with Key Vault not being directly integrated to retrieve keys. While you can code the connection in via Cert, SAS, or other means, if you have a highly scalable Azure Function (thousands of instances at once) you will overload the Key Vault with requests from the same IP address (leaving it with no open ports to fulfill requests). This will result in a failure in your function and an error like “Only one usage of each socket address (protocol/network address/port) is normally permitted”.
What really is needed is for a connection from the Azure Function to Key Vault so that you can define which secret or key you want, the orchestration to pull it out periodically and make it available to the function via an input variable. This will ensure you don’t make tons of unnecessary calls to the key vault resulting in a failure.
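An added example (not code from the issue, its commenters or the Azure Functions project) of the two ideas above: resolving a Key Vault URL found in a binding's connection field, and caching the value so that many invocations share one vault call per TTL. The fetch callable, the class and function names, the 300-second TTL and the public-cloud host suffix are assumptions; in a real function app the fetch callable would wrap a Key Vault client.

```python
import json
import threading
import time
from urllib.parse import urlparse

# Constructed sample: the binding from the issue, with its placeholder vault URL.
SAMPLE = '{"bindings": [{"name": "myQueueItem", "connection": "https://xxx.vault.azure.net:443/secrets/yyy"}]}'

class CachedSecretResolver:
    def __init__(self, fetch, ttl_seconds=300.0, clock=time.monotonic):
        self._fetch = fetch            # hypothetical callable: (vault_host, secret_name) -> str
        self._ttl = ttl_seconds
        self._clock = clock
        self._lock = threading.Lock()
        self._cache = {}               # url -> (value, expires_at)

    @staticmethod
    def parse(url):
        """Split https://<vault>.vault.azure.net[:443]/secrets/<name>, or return None."""
        u = urlparse(url)
        host = u.hostname or ""
        parts = u.path.strip("/").split("/")
        if u.scheme != "https" or not host.endswith(".vault.azure.net"):
            return None                # refuse plain http and look-alike hosts
        if len(parts) < 2 or parts[0] != "secrets" or not parts[1]:
            return None
        return host, parts[1]

    def resolve(self, value):
        target = self.parse(value)
        if target is None:
            return value               # not a vault URL: leave it as an app setting name
        with self._lock:               # concurrent invocations share a single fetch
            hit, now = self._cache.get(value), self._clock()
            if hit and hit[1] > now:
                return hit[0]
            try:
                secret = self._fetch(*target)
            except Exception:
                if hit:                # vault throttled or unreachable: serve the stale value
                    return hit[0]
                raise
            self._cache[value] = (secret, now + self._ttl)
            return secret

def resolve_bindings(function_json, resolver):
    bindings = json.loads(function_json).get("bindings", [])
    return {b["name"]: resolver.resolve(b["connection"]) for b in bindings if "connection" in b}
```

Serving a stale value when the vault call fails keeps the function running, but it also means a rotated or revoked secret stays in use until a fetch succeeds, so the TTL should match the rotation policy.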
I’ve managed to get this working with Azure Function v2:
How to retrieve Azure Functions secrets from Key Vault
It uses the Microsoft.Extensions.Configuration.AzureKeyVault NuGet package.
I’ve added a startup script:
So:
keyvaultName settings need to be present in your local.settings.json or app settings blade of the function app.