0
votes

I'm building an Azure Function in Python, triggered by Event Grid events, which should be able to gather a secret from Key Vault.

I added a system-assigned managed identity to my Function App, and then I was able to pick my app in the Key Vault access policies. I gave it permissions like below:

Permissions for function app

(I was trying different combinations at this one)

Also, I provided a new app setting with a reference to the mentioned key vault.

reference for key vault

Unfortunately, when I try to check this value from code, I'm unable to get it.

logging.info(os.environ)

When I add another app setting, just with plaintext, it works great. I would be grateful for any ideas about what else can be done.

3
Which combinations did you use? Please try the Get and List secret permissions. - Anna
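Added example (not from the question or any of the answers): a small Python diagnostic for the situation described above. App Service and Functions resolve a `@Microsoft.KeyVault(...)` setting before the process starts and hand the secret to Python as an ordinary environment variable, so `os.environ` is the right place to look; when resolution fails (identity lacks the Get permission, unsupported plan, malformed reference) the process sees the literal reference string instead. The code below parses both documented reference syntaxes, reports per-setting status instead of dumping `os.environ` into the log, and refuses to hand back an unresolved reference as if it were the secret. `SAMPLE_ENV` and the vault name `examplevault` are constructed for the example.

```python
"""Diagnose Key Vault references in Function App settings without logging secret values."""
import os
from typing import Dict, Mapping, Optional
from urllib.parse import urlparse

REF_PREFIX = "@Microsoft.KeyVault("


def parse_key_vault_reference(value: Optional[str]) -> Optional[Dict[str, Optional[str]]]:
    """Parse either documented reference syntax; return None if value is not a reference.

    Accepts @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>[/<version>])
    and @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>[;SecretVersion=<version>]).
    """
    if not value:
        return None
    text = value.strip()
    if not (text.startswith(REF_PREFIX) and text.endswith(")")):
        return None
    fields = {}
    for item in text[len(REF_PREFIX):-1].split(";"):
        key, sep, val = item.partition("=")
        if sep:
            fields[key.strip().lower()] = val.strip()
    if "secreturi" in fields:
        uri = urlparse(fields["secreturi"])
        segments = [s for s in uri.path.split("/") if s]
        # Only https secret URIs of the form /secrets/<name>[/<version>] are valid references.
        if uri.scheme != "https" or len(segments) < 2 or segments[0].lower() != "secrets":
            return None
        return {"vault": uri.hostname, "secret": segments[1],
                "version": segments[2] if len(segments) > 2 else None}
    if "vaultname" in fields and "secretname" in fields:
        return {"vault": f"{fields['vaultname']}.vault.azure.net",
                "secret": fields["secretname"], "version": fields.get("secretversion")}
    return None


def setting_status(environ: Mapping[str, str], name: str) -> str:
    """'missing', 'unresolved' (reference string left in place) or 'resolved' (usable value)."""
    value = environ.get(name)
    if value is None:
        return "missing"
    return "unresolved" if parse_key_vault_reference(value) else "resolved"


def read_secret_setting(environ: Mapping[str, str], name: str) -> str:
    """Return the resolved secret, or raise with a diagnostic that names vault and secret only."""
    value = environ.get(name)
    if value is None:
        raise KeyError(f"app setting {name!r} is not defined")
    ref = parse_key_vault_reference(value)
    if ref:
        raise RuntimeError(
            f"app setting {name!r} still holds an unresolved Key Vault reference to secret "
            f"{ref['secret']!r} in vault {ref['vault']!r}; check the identity's Get permission "
            "on secrets, the hosting plan and the reference syntax")
    return value


def summarize_settings(environ: Mapping[str, str], prefix: str = "") -> Dict[str, str]:
    """Safe replacement for logging os.environ: setting names and statuses, never values."""
    return {k: setting_status(environ, k) for k in sorted(environ) if k.startswith(prefix)}


# Constructed sample environment (examplevault is not a real vault):
# one unresolved reference, one resolved secret, one plaintext setting.
SAMPLE_ENV = {
    "DB_PASSWORD": "@Microsoft.KeyVault(SecretUri=https://examplevault.vault.azure.net/secrets/DbPassword/0123abcd)",
    "API_KEY": "value-that-app-service-resolved",
    "REGION": "westeurope",
}

if __name__ == "__main__":
    import logging
    logging.basicConfig(level=logging.INFO)
    # Statuses only: this is what to put in a function's log instead of os.environ itself.
    logging.info("real settings: %s", summarize_settings(os.environ))
    logging.info("sample settings: %s", summarize_settings(SAMPLE_ENV))
```

Inside the function body, `read_secret_setting(os.environ, "DB_PASSWORD")` either returns the secret or fails loudly with a message that is safe to log; `summarize_settings(os.environ)` is the non-leaking equivalent of the `logging.info(os.environ)` line in the question.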

3 Answers

1
votes

I couldn't figure out what you want to get with os.environ. I tested with a function, and it could work for me.

In a function, to retrieve a Key Vault value that you have already set in the app settings, you could use Environment.GetEnvironmentVariable("secret name", EnvironmentVariableTarget.Process) to implement it.


1
votes

You can use the following helper to get the values:

using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Azure.WebJobs.Host;

namespace AccessKeyVault
{
    public static class GetKeyVaultValues
    {
        [FunctionName("GetKeyVaultValues")]
        public static async Task<HttpResponseMessage> Run([HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)]HttpRequestMessage req, TraceWriter log)
        {
            log.Info("C# HTTP trigger function processed a request.");

            // Replace keyVaultname and KeyVaultKey with your vault name and secret name
            string linkKeyVaultUrl = "https://keyVaultname.vault.azure.net/secrets/";
            string keyvaultKey = "KeyVaultKey";
            var secretURL = linkKeyVaultUrl + keyvaultKey;

            // Get a token for the Function App's managed identity (no credentials in code or settings)
            var azureServiceTokenProvider = new AzureServiceTokenProvider();
            var kvClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
            try
            {
                // Requires the Get permission on secrets in the vault's access policy
                var clientIdRecord = await kvClient.GetSecretAsync(secretURL).ConfigureAwait(false);

                string KeyvaultValue = clientIdRecord.Value;

                return req.CreateResponse(HttpStatusCode.OK, "Key vault secret value is  :  " + KeyvaultValue);
            }
            catch (System.Exception ex)
            {
                // Log the failure detail server-side; do not return it to the caller
                log.Error("Key vault value request failed", ex);
                return req.CreateResponse(HttpStatusCode.BadRequest, "Key vault value request is not successful");
            }

        }
    }
}
1
votes

After hours of tests I found the proper way to resolve this one.

In case of problems with Key Vault References, make sure that the Function App used for the Azure Function is based on the proper Hosting Plan.


Functions on the 'Consumption Plan' are unable to use Key Vault References. The same code on the 'App Service Plan' works correctly.

https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references