In this article we will create a Managed Service Identity (MSI, now called a managed identity) for an Azure Function App and then use it to connect to Azure Key Vault. It is a very useful feature: once the Function App has an identity and that identity has been granted access to the Key Vault, we no longer need to put a Key Vault client ID or client secret anywhere in our code or configuration, which removes the most common way such credentials leak.
What is Managed Service Identity (MSI)
Managed Service Identity (MSI) creates an identity for an App Service or Function App in the Azure Active Directory tenant. Once a service has an identity, that identity can be granted access to other Azure resources and the platform obtains tokens for it on the service's behalf, so no credential has to be stored or rotated by you. Below are the steps for connecting an Azure Function App to Key Vault using MSI.
Steps:
1. Create an Azure Function App
2. Enable MSI in Azure Function App
3. Create a Key vault
4. Access Key vault Secret in Function App
Let's Begin!!
Create an Azure Function App.
1. Log in to the Azure Portal (https://portal.azure.com).
2. If you already have a Function App, open it; otherwise create a new one (refer to my blog on creating a function app here).
Enable MSI in Azure Function App
1. Open Platform features of the Function App and select Identity.
2. In the System assigned tab set the status to On and click Save.
3. Select Yes on the confirmation pop-up.
4. This registers the Function App as a service principal in Azure Active Directory and shows its Object ID (a GUID). This is the principal you will grant Key Vault access to in the next section.
Create Key Vault
1. In the Azure Portal, search for Key Vault in the services search box and click Create Key Vault.
2. Select the Subscription and Resource group where you want to create the Key Vault and provide a name for it.
3. Click Review + Create (leave the other settings as they are).
4. After validation succeeds click Create and wait for the deployment to complete.
5. Go to the Key Vault, select Access policies and click Add access policy.
6. Set Secret permissions to Get and List. Get is the only permission a Key Vault reference actually needs; List is convenient for browsing but can be left out if you want the identity to have the minimum.
7. Click Select principal, search for your Function App by name (this is the identity you enabled in the previous section) and select it.
8. Click Add and then Save. Without this policy the identity exists but cannot read anything, and the reference in the next section will not resolve.
9. Now add a new secret to the Key Vault. For the purposes of this article I am adding a secret named "Demo".
10. Click Secrets in the Settings blade and then click Generate/Import.
11. Enter the secret name and value and click Create.
12. Now click on this secret, select the current version and copy the Secret Identifier value (a URI of the form https://<vault>.vault.azure.net/secrets/<name>/<version>).
13. Keep this value saved in a notepad for now. In the next step we will see how to read the value of this secret in the Function App.
Access Key Vault Secret in Function App
1. Open the Function App in the Portal and click Configuration.
2. In Application settings click "+ New application setting" and create a new setting (in this article it is called DemoSecret) that will hold a Key Vault reference instead of the secret itself.
3. All you have to do is provide the setting value in the following format and the platform will resolve it to the secret's value using the Function App's identity:
@Microsoft.KeyVault(SecretUri=<SecretIdentifierUri>)
In our case the value is going to be
@Microsoft.KeyVault(SecretUri=https://demokvcj.vault.azure.net/secrets/Demo/c70c28181e494121a43d68f096ee4e92)
4. Set SecretUri to your Key Vault secret URI (the one you copied into notepad, or copy it again from the secret in the Key Vault), add this as the value of the app setting and click Save. If you omit the version segment of the URI, the platform resolves the latest version and re-checks it periodically, so a rotated secret is picked up without changing the setting, though not immediately. After saving, the Configuration blade shows whether each reference resolved; if it did not (identity not enabled, access policy missing or a mistyped URI), the app sees the literal @Microsoft.KeyVault(...) string rather than the secret, so the status there is worth checking before you deploy.
5. Now all you need to do is read the environment variable in your code; the secret's value is available without any Key Vault SDK call or client credential in the code.
Environment.GetEnvironmentVariable("DemoSecret")
Note: If you are writing code in Visual Studio, add the setting to "local.settings.json" with the plain secret value, because the local Functions host does not resolve Key Vault references; keep that file out of source control.
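The same four portal sections, as an added Azure CLI example that is not part of the original post: it enables the identity, creates the vault with an access policy for that identity, stores the secret and writes the Key Vault reference into the app setting, then checks what was applied. The resource names (RG, APP, KV, LOCATION), the secret and setting names and the SECRET_VALUE variable are assumptions you replace with your own; the commands are only sent to Azure when the script is invoked with the argument apply.

```shell
#!/bin/sh
# Added example, not the original post's code. All names below are assumptions.
RG="${RG:-demo-rg}"
APP="${APP:-demofuncapp}"
KV="${KV:-demokvcj}"
LOCATION="${LOCATION:-westeurope}"
SECRET_NAME="${SECRET_NAME:-Demo}"
SETTING_NAME="${SETTING_NAME:-DemoSecret}"

# Build a Key Vault reference from a Secret Identifier after checking that it
# really has the shape https://<vault>.vault.azure.net/secrets/<name>[/<version>].
# Prints the reference on stdout; returns 1 (and prints nothing) on a bad URI.
kv_reference_from_uri() {
    uri="$1"
    case "$uri" in
        https://*.vault.azure.net/secrets/*) ;;
        *) echo "not a Key Vault secret identifier: $uri" >&2; return 1 ;;
    esac
    printf '@Microsoft.KeyVault(SecretUri=%s)\n' "$uri"
}

# Version-less form: the platform resolves the latest version and re-checks it
# periodically, which is the form to prefer when the secret is rotated.
kv_reference_by_name() {
    printf '@Microsoft.KeyVault(VaultName=%s;SecretName=%s)\n' "$1" "$2"
}

provision() {
    # Enable the system-assigned identity. principalId is the Object ID the
    # portal shows after the identity is turned on.
    principal_id=$(az functionapp identity assign \
        --name "$APP" --resource-group "$RG" \
        --query principalId -o tsv)

    # Create the vault. The post uses the access-policy model; newer CLI
    # versions default to RBAC, so make the choice explicit.
    az keyvault create --name "$KV" --resource-group "$RG" \
        --location "$LOCATION" --enable-rbac-authorization false -o none

    # Grant only what a Key Vault reference needs: Get on secrets.
    az keyvault set-policy --name "$KV" --object-id "$principal_id" \
        --secret-permissions get -o none

    # Store the secret. The returned id is the Secret Identifier URI. The value
    # comes from the environment so it does not end up in shell history.
    secret_id=$(az keyvault secret set --vault-name "$KV" --name "$SECRET_NAME" \
        --value "${SECRET_VALUE:?set SECRET_VALUE in the environment}" \
        --query id -o tsv)

    # Point the app setting at the secret through a reference, never the value.
    reference=$(kv_reference_from_uri "$secret_id")
    az functionapp config appsettings set --name "$APP" --resource-group "$RG" \
        --settings "$SETTING_NAME=$reference" -o none

    # Check 1: the access policy is attached to the Function App's identity.
    az keyvault show --name "$KV" \
        --query "properties.accessPolicies[?objectId=='$principal_id'].permissions.secrets" \
        -o tsv
    # Check 2: the stored setting is the reference string, not the plaintext secret.
    az functionapp config appsettings list --name "$APP" --resource-group "$RG" \
        --query "[?name=='$SETTING_NAME'].value" -o tsv
}

# Only talks to Azure when run as:  sh provision.sh apply
if [ "${1:-}" = "apply" ]; then
    provision
fi
```

Run it with apply once you are logged in with az login; the two checks at the end print the identity's secret permissions and the raw app-setting value, which should read @Microsoft.KeyVault(SecretUri=...) and nothing else.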