
I am writing an Azure Functions application in Python. It is an HTTP trigger application. The input for the application is a userID.

{  "user":"TEST_USER_1" }

The function should use the username specified in the 'user' parameter, look up the password in Azure Key Vault and attempt a remote login to one of the services. For this, we need to add an application settings parameter for a specific Key Vault secret version, BUT these changes are static.

For us, all the users and their passwords are added to Azure Key Vault, and we will keep on provisioning more users.

Now, the challenge is how to dynamically access the password for any user specified during the API call. Is it possible to access all the secrets in a Key Vault without specifying individual secret versions?


1 Answer


Here's what you need to do:

  • create a managed identity for your Azure Function
  • grant permissions on Azure Key Vault (Get / List) to the previous identity
  • get an access token from Azure AD in your function
  • use the token to retrieve the secret.

Some useful links:

https://docs.microsoft.com/en-us/azure/python/python-sdk-azure-authenticate

https://docs.microsoft.com/en-us/python/api/overview/azure/key-vault?view=azure-python
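The following is an added example (not code from the question or the answer above) showing the shape the answer describes: the function authenticates with its managed identity via `DefaultAzureCredential`, and calls `SecretClient.get_secret(name)` with no version argument, which returns the latest version of that secret, so no per-user version has to be configured in app settings. The secret naming convention (`login-<user>`, with underscores mapped to hyphens because Key Vault names allow only letters, digits and hyphens), the username pattern, the `KEY_VAULT_URL` setting name and the `remote_login` hook are all assumptions for this example. The caller-supplied `user` value is validated before it is turned into a secret name so a request cannot name arbitrary secrets in the vault, and the password is never echoed in the HTTP response. `FakeSecretClient` is a constructed stand-in so the logic can be exercised without the Azure SDKs installed.

```python
import os
import re
from dataclasses import dataclass
from typing import Callable, Tuple

# Key Vault secret names may contain only letters, digits and hyphens (1-127 chars).
# The username format (letters, digits, underscores) and the "login-" prefix are
# assumptions for this example, not part of the original question or answer.
USER_RE = re.compile(r"^[A-Za-z0-9_]{1,60}$")
SECRET_PREFIX = "login-"


def user_to_secret_name(user) -> str:
    """Map a caller-supplied username to a Key Vault secret name; reject anything that
    does not match the expected pattern so a request cannot address arbitrary secrets."""
    if not isinstance(user, str) or not USER_RE.match(user):
        raise ValueError("invalid user")
    return SECRET_PREFIX + user.replace("_", "-")


def not_found_errors() -> tuple:
    """Exception types meaning 'no such secret': the SDK's ResourceNotFoundError when the
    azure packages are installed, plus LookupError for the offline stand-in below."""
    errors = [LookupError]
    try:
        from azure.core.exceptions import ResourceNotFoundError  # real SDK, optional here
        errors.append(ResourceNotFoundError)
    except ImportError:
        pass
    return tuple(errors)


def build_secret_client():
    """Real client: managed identity through DefaultAzureCredential, vault URL from an
    app setting (KEY_VAULT_URL is an assumed setting name). Imported lazily so the rest
    of this file runs without azure-identity / azure-keyvault-secrets installed."""
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient
    vault_url = os.environ["KEY_VAULT_URL"]  # e.g. https://<vault-name>.vault.azure.net/
    return SecretClient(vault_url=vault_url, credential=DefaultAzureCredential())


def handle_login_request(body: dict, client,
                         attempt_login: Callable[[str, str], bool]) -> Tuple[int, str]:
    """Core logic, independent of the Functions host. get_secret(name) with no version
    argument returns the latest version of the secret, which is what makes per-user
    lookup work without static version settings."""
    try:
        secret_name = user_to_secret_name(body.get("user"))
    except ValueError:
        return 400, "invalid or missing 'user'"
    try:
        password = client.get_secret(secret_name).value
    except not_found_errors():
        return 404, "unknown user"
    ok = attempt_login(body["user"], password)
    # The password is never returned; the caller only learns whether the login worked.
    return (200, "login ok") if ok else (401, "login failed")


def remote_login(user: str, password: str) -> bool:
    """Placeholder for the real service login, assumed to exist elsewhere."""
    raise NotImplementedError


def main(req):
    """Azure Functions HTTP trigger entry point (lazy import of azure.functions)."""
    import azure.functions as func
    try:
        body = req.get_json()
    except ValueError:
        body = {}
    status, text = handle_login_request(body, build_secret_client(), remote_login)
    return func.HttpResponse(text, status_code=status)


@dataclass
class _Secret:
    value: str


class FakeSecretClient:
    """Constructed stand-in with the same get_secret(name, version=None) shape as SecretClient."""

    def __init__(self, secrets: dict):
        self._secrets = secrets

    def get_secret(self, name, version=None):
        if name not in self._secrets:
            raise LookupError(name)
        return _Secret(self._secrets[name])


def demo() -> Tuple[int, str]:
    """Offline run against constructed data: one provisioned user, one matching password."""
    client = FakeSecretClient({"login-TEST-USER-1": "constructed-password"})
    return handle_login_request({"user": "TEST_USER_1"}, client,
                                lambda user, pw: pw == "constructed-password")


if __name__ == "__main__":
    print(demo())
```

Deploying this still requires the steps in the answer: the Function's managed identity needs Get (and, if you list secrets, List) permission on the vault, and `KEY_VAULT_URL` must point at that vault. Each newly provisioned user then only needs a new `login-<user>` secret; no function settings change.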