It would help me immensely if someone could shed light on how to get secrets into PROD code without a developer having Contributor role on an Azure Function.
Acronyms:
- "SAMI" = System-assigned Managed Identity
- "Ent Sec" = Enterprise Security Team
Flow (adapted from this Azure Key Vault Doc):
- Ent Sec team uploads secrets to DEV KeyVault and provides developer with DEV Secret reference
- Ent Sec team adds SAMI to KeyVault Access Policy (Developer is not in access policy)
- Developer adds DEV Secret reference to Azure Function App Setting (via `local.settings.json` or App Settings in Azure Portal) - Developer gets DEV code running end-to-end
Visual:
Questions:
- How is this going to work for PROD code?
- IF Developer has Contributor role on the PROD Azure Function code, all secrets are visible to them; this negates the Azure Key Vault Access Policy (which only allows the App SAMI to access) and the use of Azure Key Vault Secret References.
- IF Developer has
- Is there another role that can be granted to Developer?
- Would Ent Sec be responsible for adding PROD Secrets to the PROD code?
- Is there a DevOps pipeline that "injects" the correct secret depending on the ENV?
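As an added illustration (not part of the question, and not Microsoft's code), here is the kind of pre-deployment gate a pipeline could run for the last two questions: it renders the same settings template into a Key Vault *reference* per environment (DEV vault vs PROD vault), then refuses to apply any settings that contain a plaintext secret or a reference pointing at the wrong vault. The secret values themselves never enter the pipeline or the developer's hands; only the Function App's SAMI resolves them at runtime. Vault names, secret names and setting keys below are constructed sample values; the two reference syntaxes are the documented App Service/Functions forms.

```python
"""Pre-deployment check for Azure Functions app settings (added example).

Assumed workflow: a pipeline owns the PROD app settings, renders them from
a template, and runs validate_settings() before calling the ARM/CLI update.
All vault and secret names here are constructed sample values.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# The two reference syntaxes the App Service platform resolves for app settings.
_SECRET_URI_RE = re.compile(
    r"^@Microsoft\.KeyVault\(SecretUri=https://(?P<vault>[A-Za-z0-9-]+)"
    r"\.vault\.azure\.net/secrets/(?P<name>[A-Za-z0-9-]+)/?"
    r"(?P<version>[0-9a-f]{32})?\)$"
)
_VAULT_NAME_RE = re.compile(
    r"^@Microsoft\.KeyVault\(VaultName=(?P<vault>[A-Za-z0-9-]+);"
    r"SecretName=(?P<name>[A-Za-z0-9-]+)"
    r"(?:;SecretVersion=(?P<version>[0-9a-f]{32}))?\)$"
)


@dataclass(frozen=True)
class KeyVaultRef:
    vault: str
    secret: str
    version: Optional[str]


def make_reference(vault: str, secret: str) -> str:
    """Build a VaultName/SecretName reference (no version, so rotation is picked up)."""
    return f"@Microsoft.KeyVault(VaultName={vault};SecretName={secret})"


def parse_reference(value: str) -> Optional[KeyVaultRef]:
    """Return the parsed reference, or None if the value is not a valid reference."""
    for rx in (_SECRET_URI_RE, _VAULT_NAME_RE):
        m = rx.match(value)
        if m:
            return KeyVaultRef(m["vault"], m["name"], m["version"])
    return None


def render_settings(template: Dict[str, str], vault: str) -> Dict[str, str]:
    """Map setting key -> secret name into setting key -> reference for one environment."""
    return {key: make_reference(vault, secret) for key, secret in template.items()}


def validate_settings(settings: Dict[str, str], expected_vault: str,
                      secret_keys: Set[str]) -> List[str]:
    """Return a list of problems; an empty list means the settings may be applied."""
    problems: List[str] = []
    for key in sorted(secret_keys):
        value = settings.get(key)
        if value is None:
            problems.append(f"{key}: missing")
            continue
        ref = parse_reference(value)
        if ref is None:
            # A secret-bearing setting that is not a reference is a plaintext leak.
            problems.append(f"{key}: not a Key Vault reference (plaintext secret?)")
        elif ref.vault.lower() != expected_vault.lower():
            # DEV reference copied into PROD (or vice versa) is the classic mix-up.
            problems.append(f"{key}: points at vault '{ref.vault}', expected '{expected_vault}'")
    for key, value in settings.items():
        if key not in secret_keys and value.startswith("@Microsoft.KeyVault") \
                and parse_reference(value) is None:
            problems.append(f"{key}: malformed Key Vault reference")
    return problems


if __name__ == "__main__":
    # Constructed template: setting key -> secret name (same in every environment).
    template = {"DbPassword": "sql-app-user-password", "StorageKey": "blob-account-key"}
    vaults = {"dev": "kv-myapp-dev", "prod": "kv-myapp-prod"}
    for env, vault in vaults.items():
        rendered = render_settings(template, vault)
        print(env, rendered, validate_settings(rendered, vault, set(template)) or "ok")
    # A reference leaked from DEV into the PROD settings is caught before deployment.
    print(validate_settings(render_settings(template, vaults["dev"]),
                            vaults["prod"], set(template)))
```

The check deliberately treats any non-reference value for a secret-bearing key as a failure, so a developer cannot get a raw value into PROD settings through the pipeline even with the right to edit the template; only the vault name differs per environment, and the Ent Sec team controls which SAMI each vault's access policy trusts.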