If you just want to hide your Azure SQL connection string in your Azure function , using Azure Key Vault and MSI will be the best practices here : just saving your Azure SQL connection string as a secret in Azure key vault and follow this guide to do some configs on your Azure function will meet your requirement: your creds will never appears in your Azure function.
I created a key vault and stored my SQL sever connection string in Azure key vault as a secret,note the secret identifier as we will use it later :
Go to your key vault,config a access policy for your function msi to make sure that your function can access the secret :
save it after your config :
This is my python demo code , it is easy as you can see , I am reading "SQLConn" from Azure web app :
import logging
import os
import azure.functions as func
import pyodbc
def main(req: func.HttpRequest) -> func.HttpResponse:
logging.info('Python HTTP trigger function processed a request.')
cnxn = pyodbc.connect(os.environ["SQLConn"])
cursor = cnxn.cursor()
cursor.execute("select @@version")
row = cursor.fetchall()
return func.HttpResponse(str(row))
Let's set its value in app settings :
The value should be :
@Microsoft.KeyVault(SecretUri=<secret_uri_with_version which you noted from key valut>)
With the steps done , your azure function will be able to get SQL connection string from key vault and it will not appreared in your function app settings and there is no code need to change .
Btw, if you still want to use MSI to get access token to connect to your Azure SQL , I have a new demo posted here , which will be helpful for you.