0
votes

It would help me immensely if someone could shed light on how to get secrets into PROD code without a developer having Contributor role on an Azure Function.

Acronyms:

  • "SAMI" = System-assigned Managed Identity
  • "Ent Sec" = Enterprise Security Team

Flow (adapted from this Azure Key Vault Doc):

  • Ent Sec team uploads secrets to DEV KeyVault and provides developer with DEV Secret reference
  • Ent Sec team adds SAMI to KeyVault Access Policy (Developer is not in access policy)
  • Developer adds DEV Secret reference to Azure Function App Setting (via local.settings.json or App Settings in Azure Portal)
  • Developer gets DEV code running end-to-end


Questions:

  • How is this going to work for PROD code?
    • IF Developer has Contributor role on the PROD Azure Function code, all secrets are visible to them; this negates the Azure Key Vault Access Policy (which only allows the App SAMI to access) and the use of Azure Key Vault Secret References.
  • Is there another role that can be granted to Developer?
  • Would Ent Sec be responsible for adding PROD Secrets to the PROD code?
  • Is there a DevOps pipeline that "injects" the correct secret depending on the ENV?

1 Answer

1
votes

While I don't understand your entire setup... this should be fairly easy by using KeyVault-referenced App Settings: https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references

The developer might have access to the app settings, but will only see something like this: @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931)

Only the Managed Identity of the App Service / Function App needs to have an access policy in the Key Vault. If the developer does not, they will not be able to see the actual secret.
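As an added example (not code from the question, the answer, or Microsoft), here is a small Python check that a pipeline can run over the output of `az functionapp config appsettings list` before promoting to PROD: it parses both Key Vault reference syntaxes that App Service accepts, builds the reference a pipeline would write for a given environment's vault, and flags secret-looking settings that are still plaintext or that are almost-but-not-quite references (which the app would receive as a literal string). The sample settings, the setting-name hints and the list of Key Vault DNS suffixes are constructed assumptions, not values from the thread.

```python
"""Audit Azure Function / App Service app settings for Key Vault references.

Added example for this thread (not code from the question, the answer, or
Microsoft). SAMPLE_SETTINGS is constructed, shaped like the output of
`az functionapp config appsettings list`, and holds no real secrets.
SECRET_NAME_HINTS and KV_DNS_SUFFIXES are assumptions of this check.
"""
import re
from urllib.parse import urlparse

# The two reference syntaxes App Service accepts in an app setting:
#   @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>[/<version>])
#   @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>[;SecretVersion=<version>])
_REF_URI = re.compile(r"^@Microsoft\.KeyVault\(SecretUri=(?P<uri>[^)]+)\)$")
_REF_PARTS = re.compile(r"^@Microsoft\.KeyVault\((?P<parts>[^)]+)\)$")

# Key Vault DNS suffixes for the public, China and US Government clouds
# (assumption: extend this tuple if you run elsewhere).
KV_DNS_SUFFIXES = (".vault.azure.net", ".vault.azure.cn", ".vault.usgovcloudapi.net")

# Setting names that usually carry credentials (assumption; tune per project).
SECRET_NAME_HINTS = ("SECRET", "PASSWORD", "PWD", "KEY", "TOKEN",
                     "CONNECTIONSTRING", "CONNECTION_STRING")


def build_keyvault_reference(vault, secret, version=None):
    """Value a pipeline writes into the app setting for a given environment's
    vault. version=None gives an unpinned reference (latest secret version)."""
    uri = f"https://{vault}.vault.azure.net/secrets/{secret}"
    if version:
        uri += f"/{version}"
    return f"@Microsoft.KeyVault(SecretUri={uri})"


def parse_keyvault_reference(value):
    """Return {'vault', 'secret', 'version'} for a well-formed reference, else None.
    Anything that does not parse is None on purpose: App Service would pass the
    literal string to the app instead of resolving a secret."""
    value = value.strip()
    m = _REF_URI.match(value)
    if m:
        u = urlparse(m.group("uri").strip())
        if u.scheme != "https" or not u.hostname or not u.hostname.endswith(KV_DNS_SUFFIXES):
            return None
        segs = [s for s in u.path.split("/") if s]
        if len(segs) < 2 or segs[0] != "secrets":
            return None
        return {"vault": u.hostname.split(".")[0], "secret": segs[1],
                "version": segs[2] if len(segs) > 2 else None}
    m = _REF_PARTS.match(value)
    if m:
        kv = {}
        for part in m.group("parts").split(";"):
            if "=" not in part:
                return None
            k, v = part.split("=", 1)
            kv[k.strip()] = v.strip()
        if not kv.get("VaultName") or not kv.get("SecretName"):
            return None
        return {"vault": kv["VaultName"], "secret": kv["SecretName"],
                "version": kv.get("SecretVersion") or None}
    return None


def audit_app_settings(settings):
    """Map setting name -> (status, parsed_ref) where status is 'reference',
    'malformed' or 'plaintext'. Settings that neither look secret nor look like
    a reference are left out. `settings` is a list of {"name", "value",
    "slotSetting"} dicts as `az functionapp config appsettings list` emits."""
    findings = {}
    for s in settings:
        name, value = s["name"], s["value"]
        ref = parse_keyvault_reference(value)
        if ref is not None:
            findings[name] = ("reference", ref)
        elif value.lstrip().startswith("@Microsoft.KeyVault"):
            findings[name] = ("malformed", None)
        elif any(h in name.upper() for h in SECRET_NAME_HINTS):
            findings[name] = ("plaintext", None)
    return findings


# Constructed sample, shaped like `az functionapp config appsettings list` output.
SAMPLE_SETTINGS = [
    {"name": "FUNCTIONS_WORKER_RUNTIME", "value": "python", "slotSetting": False},
    {"name": "DB_PASSWORD", "slotSetting": False,
     "value": "@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931)"},
    {"name": "API_TOKEN", "slotSetting": False,
     "value": "@Microsoft.KeyVault(VaultName=myvault;SecretName=api-token)"},
    {"name": "STORAGE_KEY", "value": "not-a-real-key-just-plaintext", "slotSetting": False},
    {"name": "SMTP_SECRET", "slotSetting": False,  # http, so App Service would not resolve it
     "value": "@Microsoft.KeyVault(SecretUri=http://myvault.vault.azure.net/secrets/smtp)"},
]

if __name__ == "__main__":
    for name, (status, ref) in audit_app_settings(SAMPLE_SETTINGS).items():
        detail = ""
        if ref:
            detail = f"{ref['vault']}/{ref['secret']}" + (" (pinned)" if ref["version"] else " (unpinned)")
        print(f"{status:<10} {name} {detail}")
```

Run it against `az functionapp config appsettings list -g <rg> -n <app> -o json` for each environment and fail the pipeline on any `plaintext` or `malformed` finding; `build_keyvault_reference` is what the pipeline writes, with the vault name swapped per environment, so the same code reads the same setting name in DEV and PROD. Note that a reference hides the value from whoever reads the app settings; code running as the app still receives the resolved secret at runtime, which is exactly the behaviour the answer relies on.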