Secure Azure Functions App Setting Using Azure Key Vault

In this article, you will learn how to secure Azure Functions app settings using Azure Key Vault.

To store sensitive information such as connection strings and passwords more securely, we have Azure Key Vault.
 
Azure Key Vault is a secure way of storing keys, certificates, and secrets so that the application can access it when needed.
 
Microsoft Azure Key Vault is a cloud-hosted management service that allows users to encrypt keys and small secrets by using keys that are protected by hardware security modules (HSMs).
 

Azure Key Vault helps solve the following problems

 
Secrets Management
 
Azure Key Vault can be used to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
 
Key Management
 
Azure Key Vault can also be used as a Key Management solution. Azure Key Vault makes it easy to create and control the encryption keys used to encrypt your data.
 
Certificate Management
 
Azure Key Vault is also a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and your internal connected resources.
 

Store secrets backed by Hardware Security Modules

 
The secrets and keys can be protected either by software or by FIPS 140-2 Level 2 validated HSMs.
 
Below are the steps covered in this article:
 
Step 1 - Create an Azure Key Vault with a secret
 
Open the Azure Portal.
 
Search Key Vaults -> Select Key Vaults
 
Select Key Vaults and click on + Add (To Create New Key Vaults)
 
Now click on Access Policy
 
Fill in all required values and leave the rest as default.
 
Click on Create.
 
Azure Key Vault has been created.
 
Now add a secret here. So from the left side menu click on Secret.
 
A new Secret has been added. Now click on this newly-created secret.
 
Click on the current version
 
Here you can find out your Secret Identifier URI.
 
https://keyvaultdevdemotest.vault.azure.net/secrets/DBConnectionString/a520325d428240888836fabcc8669609
 
The Key Vault with a secret has been created. Now deploy your Azure Function, which will use your secret.
 
In the Azure Portal, navigate to the Azure Function App:
 
In networking click on Identity:
 
Here, make sure that under (System assigned) Identity the Status is On.
 
"A system assigned managed identity enables Azure resources to authenticate to cloud services (e.g. Azure Key Vault) without storing credentials in code. Once enabled, all necessary permissions can be granted via Azure role-based-access-control. The lifecycle of this type of managed identity is tied to the lifecycle of this resource. Additionally, each resource (e.g. Virtual Machine) can only have one system assigned managed identity."
 
Save and close it.
 

Now It's Time to Grant the Function App Access to Key Vault

 
Open your Key Vault again -> Click on Access Policies from Left Side Menu:
 

Add – An Azure Function Application setting

 
From Azure Key Vault, copy the Secret Identifier:
 
https://keyvaultdevdemotest.vault.azure.net/secrets/DBConnectionString/a520325d428240888836fabcc8669609
 
Now open Azure Function Configuration pane:
 
Click OK to save.
 
Application Setting has been added.
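
An added example (not code from the original article): a small Python audit that checks whether application settings use App Service's `@Microsoft.KeyVault(SecretUri=...)` reference format with a Secret Identifier like the one copied above, and flags plaintext secrets or malformed references. Every setting name except DBConnectionString, the status labels, and the sample values are constructed, and it assumes public-cloud vault hostnames.

```python
import re
from urllib.parse import urlparse

# Constructed sample settings; only the DBConnectionString URI is from the article.
VAULT = "https://keyvaultdevdemotest.vault.azure.net/secrets/"
SAMPLE_SETTINGS = {
    "DBConnectionString": "@Microsoft.KeyVault(SecretUri=" + VAULT
        + "DBConnectionString/a520325d428240888836fabcc8669609)",
    "QueueConnection": "@Microsoft.KeyVault(SecretUri=" + VAULT + "QueueConnection)",
    "BrokenRef": "@Microsoft.KeyVault(SecretUri=http://example.invalid/secrets/x)",
    "LegacyDb": "Server=db.example.invalid;User ID=app;Password=constructed;",
    "FUNCTIONS_WORKER_RUNTIME": "dotnet",
}

REFERENCE = re.compile(r"^@Microsoft\.KeyVault\(SecretUri=(?P<uri>[^)]+)\)$")
SENSITIVE = re.compile(r"(password|pwd|accountkey|sharedaccesskey)\s*=", re.I)

def parse_reference(value):
    """Return vault, secret and version for a SecretUri reference, else None."""
    match = REFERENCE.match(value.strip())
    if not match:
        return None
    url = urlparse(match.group("uri"))
    parts = [p for p in url.path.split("/") if p]
    host = url.hostname or ""
    # Assumption: public-cloud vaults only (*.vault.azure.net), HTTPS required.
    if url.scheme != "https" or not host.endswith(".vault.azure.net"):
        return None
    if len(parts) not in (2, 3) or parts[0] != "secrets":
        return None
    version = parts[2] if len(parts) == 3 else None
    return {"vault": host.split(".")[0], "secret": parts[1], "version": version}

def classify(value):
    """Label one setting value (labels are this example's own, hypothetical)."""
    ref = parse_reference(value)
    if ref:
        # A pinned version keeps serving that version after the secret is rotated.
        return "keyvault-pinned" if ref["version"] else "keyvault-latest"
    if value.lstrip().startswith("@Microsoft.KeyVault("):
        return "malformed-reference"
    return "plaintext-secret" if SENSITIVE.search(value) else "plain"

def audit(settings):
    return {name: classify(value) for name, value in settings.items()}

if __name__ == "__main__":
    print(audit(SAMPLE_SETTINGS))
```
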
 
Now write code to use this application-setting key in your Function App code in Visual Studio Code:
 
Now Publish your Code:
 
Now Check in Azure Portal:
 
Now open the URL in a browser.
 