0
votes

Apologies if this is a stupid question, but is this the correct syntax to refer to a secret in a JSON file? For example, here is my local.settings.json file:

{
  "IsEncrypted": false,
  "Values": {
    "Token": "@Microsoft.KeyVault(SecretUri=https://test.vault.azure.net/secrets/token/78895416d0f44fdc892d2cb)"
  }
}

I'm trying to deploy an Azure Function through an Azure CI pipeline that contains a token that is stored as a secret in Azure Key Vault. Thanks.

1
Are you copying the local.settings.json to the published folder? Even if you do, it won't work until written explicitly. If the config settings are also added as Application Settings, then the reference syntax will work if the identity of the Azure function is added into the KeyVault. - user1672994
@user1672994 that local.settings.json is going to be deployed into the App files on the Functions tab along with host.json, profile.ps1, and requirement.psd1. So does that mean the reference syntax that I have written will work then? - Jack Rogers
It would only work on Application settings. You can refer to this, which demonstrates the creation of application settings via an ARM template. - user1672994
I also want to understand: even if you are copying the local.settings.json file into the published folder, how are you referring to it? Have you added the logic of adding the local.settings.json file as a configuration provider in the startup, or are you using environment variables to read the configuration settings? - user1672994
Ahh, understood, so I need to add the secret in the Application Setting under Configuration, not add it into local.settings.json like I did? And for me to automate that, I need to make a JSON template that will provision that, like in the docs you linked to me? Is that how it should be? - Jack Rogers

1 Answer

1
votes

Not really... the syntax you have is the reference syntax that is supported in Azure Function App Settings -> Configuration. While adding an app setting, put the reference syntax as the value (it should match the Secret Identifier of the secret in KeyVault). Once you have saved the change, you will see the source of the new setting as "Key vault Reference".

Reference syntax is for the production environment (after the Function app is deployed to Azure).

For the local dev environment, you can create a local.settings.json file (it should be ignored by your source control system, e.g. Git) and put your secret in the file.

{
  "IsEncrypted": false,
  "Values": {
    "FUNCTIONS_WORKER_RUNTIME": "node",
    "AzureWebJobsStorage": "UseDevelopmentStorage=true",
    "token": "secret..."
  }
}
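
A CI-side check for the split described in this thread, as an added example that is not part of the original answer or of any Azure tooling: it parses `@Microsoft.KeyVault(...)` values and reports references that sit in local.settings.json (where they are not resolved) or literal secrets that sit in app settings. The function names and the `secretNames` parameter are hypothetical.

```javascript
// Added example. Vault, secret and version values used with it are samples.
const REF = /^@Microsoft\.KeyVault\((.*)\)$/;

// Returns null for a plain literal, otherwise a parsed reference with a `valid` flag.
function parseKeyVaultReference(value) {
  const m = REF.exec(String(value).trim());
  if (!m) return null;
  // Body: SecretUri=<uri>  or  VaultName=<v>;SecretName=<n>[;SecretVersion=<ver>]
  const parts = {};
  for (const pair of m[1].split(';')) {
    const i = pair.indexOf('=');
    if (i > 0) parts[pair.slice(0, i).trim()] = pair.slice(i + 1).trim();
  }
  if (parts.SecretUri) {
    let url;
    try { url = new URL(parts.SecretUri); }
    catch { return { valid: false, reason: 'SecretUri is not a URL' }; }
    const seg = url.pathname.split('/').filter(Boolean); // ["secrets", name, version?]
    if (url.protocol !== 'https:' || seg[0] !== 'secrets' || !seg[1] || seg.length > 3) {
      return { valid: false, reason: 'expected https://<vault>/secrets/<name>[/<version>]' };
    }
    return { valid: true, vault: url.hostname, secret: seg[1], version: seg[2] || null };
  }
  if (parts.VaultName && parts.SecretName) {
    return { valid: true, vault: parts.VaultName, secret: parts.SecretName,
             version: parts.SecretVersion || null };
  }
  return { valid: false, reason: 'missing SecretUri or VaultName/SecretName' };
}

// target: 'local' (local.settings.json) or 'appsettings' (Function App configuration).
// secretNames: setting names the caller treats as secrets (hypothetical parameter).
function auditSettings(values, target, secretNames = []) {
  const findings = [];
  for (const [name, value] of Object.entries(values)) {
    const ref = parseKeyVaultReference(value);
    if (ref && !ref.valid) {
      findings.push(`${name}: malformed Key Vault reference (${ref.reason})`);
    } else if (ref && target === 'local') {
      findings.push(`${name}: reference in local.settings.json; define it as an app setting`);
    } else if (!ref && target === 'appsettings' && secretNames.includes(name)) {
      findings.push(`${name}: literal secret in app settings; use a Key Vault reference`);
    }
  }
  return findings;
}
```

Run `auditSettings` over the `Values` object of each settings file in the pipeline and fail the build when it returns any findings.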