Azure key vault can generate shared access signature tokens. A shared access signature provides delegated access to resources in your storage account. You can grant clients access to resources in your storage account without sharing your account keys. For more details, please refer to here
- Set an account shared access signature definition
$storageAccountName = ""
$keyVaultName = ""
$storageContext = New-AzStorageContext -StorageAccountName $storageAccountName -Protocol Https -StorageAccountKey Key1
$start = [System.DateTime]::Now.AddDays(-1)
$end = [System.DateTime]::Now.AddMonths(1)
$sasToken = New-AzStorageAccountSasToken -Service blob,file,Table,Queue -ResourceType Service,Container,Object -Permission "racwdlup" -Protocol HttpsOnly -StartTime $start -ExpiryTime $end -Context $storageContext
Set-AzKeyVaultManagedStorageSasDefinition -AccountName $storageAccountName -VaultName $keyVaultName -Name "<YourSASDefinitionName>" -TemplateUri $sasToken -SasType 'account' -ValidityPeriod ([System.Timespan]::FromDays(30))
- Configure access policy for Azure Function
Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ObjectId "Azure Function MSI object id" -PermissionsToSecrets get,list
- code
public static class Http
{
[FunctionName("Http")]
public static async Task<IActionResult> Run(
[HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)] HttpRequest req,
ILogger log, ExecutionContext context)
{
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
SecretBundle sasToken =await kv.GetSecretAsync(secretIdentifier: "https://testkey02.vault.azure.net:443/secrets/teststorage08-sasToken");
var storageCredential = new StorageCredentials(sasToken.Value);
var accountsStorageName = "teststorage08";
var storageAccount = new CloudStorageAccount(storageCredential, accountsStorageName, "core.windows.net", true);
var tableClient = storageAccount.CreateCloudTableClient();
var table =tableClient.GetTableReference("Customer");
await table.CreateIfNotExistsAsync();
CustomerEntity customer = new CustomerEntity("Harp", "Walter")
{
Email = "[email protected]",
PhoneNumber = "425-555-0101"
};
TableOperation insertOrMergeOperation = TableOperation.InsertOrMerge(customer);
TableResult result = await table.ExecuteAsync(insertOrMergeOperation);
CustomerEntity insertedCustomer = result.Result as CustomerEntity;
return new OkObjectResult(insertedCustomer);
}
}
public class CustomerEntity : TableEntity
{
public CustomerEntity()
{
}
public CustomerEntity(string lastName, string firstName)
{
PartitionKey = lastName;
RowKey = firstName;
}
public string Email { get; set; }
public string PhoneNumber { get; set; }
}