To keep secure information such as connection strings and passwords safe, we have Azure Key Vault.
Azure Key Vault is a secure way of storing keys, certificates, and secrets so that an application can access them when needed.
Microsoft Azure Key Vault is a cloud-hosted management service that allows users to encrypt keys and small secrets by using keys that are protected by hardware security modules (HSMs).
Azure Key Vault helps solve the following problems:
- Secrets Management - Azure Key Vault can be used to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
- Key Management - Azure Key Vault can also be used as a Key Management solution. Azure Key Vault makes it easy to create and control the encryption keys used to encrypt your data.
- Certificate Management - Azure Key Vault is also a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and your internal connected resources.
- Store secrets backed by Hardware Security Modules - The secrets and keys can be protected either by software or by FIPS 140-2 Level 2 validated HSMs.
Below are the steps in my article:
- Create an Azure Key Vault
- Create a Secret
- Create a Function App in Azure Portal
- In Key Vault - Add an Access policy for Azure Function
- In Azure Portal Function App - Add Application setting
- Create an Azure function from Visual Studio Code
- Deploy Azure Function
- Use the Azure Function through its URL to access the value from Key Vault.
Step 1: Create an Azure Key Vault with the secret key.
Open Azure Portal: https://portal.azure.com/
Search Key Vaults -> Select Key Vaults

Image 1.
Select Key Vaults and click on + Add (to create a new Key Vault)

Image 2.
Now click on Access Policy

Image 3.
Fill all required values and leave rest as default.

Image 4.
Click on Create.

Image 5.
Azure Key Vault has been created.
Now add a secret here. From the left side menu, click on Secret.

Image 6.

Image 7.

Image 8.
The new secret has been added. Now click on this newly created secret.

Image 9.
Click on the current version.
Here you can find your Secret Identifier URI:
https://keyvaultdevdemotest.vault.azure.net/secrets/DBConnectionString/a520325d428240888836fabcc8669609
The Key Vault with a secret has been created. Now deploy the Azure Function that will use your secret.

Image 10.
In Azure Portal, Navigate to Azure Function App:

Image 11.
In networking click on Identity:

Image 12.
Here, make sure that under System assigned identity the Status is On.
Azure Function:
"A system assigned managed identity enables Azure
resources to authenticate to cloud services (e.g. Azure Key Vault) without
storing credentials in code. Once enabled, all necessary permissions can be
granted via Azure role-based-access-control. The lifecycle of this type of
managed identity is tied to the lifecycle of this resource. Additionally, each
resource (e.g. Virtual Machine) can only have one system assigned managed
identity."
Save and close it.
Now it is time to grant the Function App access to Key Vault:
Open your Key Vault again -> click on Access Policies from the left side menu:

Image 13.

Image 14.

Image 15.

Image 16.
Add an Azure Function application setting.
From Azure Key Vault, copy the Secret Identifier:
https://keyvaultdevdemotest.vault.azure.net/secrets/DBConnectionString/a520325d428240888836fabcc8669609

Image 17.
Now open Azure Function Configuration pane:

Image 18.

Image 19.
Click OK to save.
The application setting has been added.

Image 20.
Now write the code that uses this application setting key in your Function App, in Visual Studio Code:

Image 21.
Now publish your code:

Image 22.
Now check in Azure Portal:

Image 23.
Now open the function URL in a browser:

Image 24.
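
The path from Secret Identifier to application setting to function code, sketched in Python as an added example that is not the article's own code: it builds the `@Microsoft.KeyVault(SecretUri=...)` value for the application setting and refuses to use a setting that was left unresolved. The setting name `DBConnectionString`, the helper names, and the public-cloud `.vault.azure.net` host suffix are assumptions.

```python
import os
import re
from urllib.parse import urlparse

SETTING_NAME = "DBConnectionString"  # assumed app setting name (hypothetical)
_REFERENCE = re.compile(r"^@Microsoft\.KeyVault\(.*\)$", re.IGNORECASE)


def parse_secret_uri(uri):
    """Split a Secret Identifier into vault host, secret name and version."""
    parsed = urlparse(uri)
    host = parsed.hostname or ""
    parts = [p for p in parsed.path.split("/") if p]
    # Assumption: public Azure cloud, where vault hosts end in .vault.azure.net.
    if parsed.scheme != "https" or not host.endswith(".vault.azure.net"):
        raise ValueError("not an https Key Vault URI")
    if len(parts) not in (2, 3) or parts[0] != "secrets":
        raise ValueError("expected /secrets/<name>[/<version>]")
    # A pinned version keeps serving that version after the secret is rotated.
    return {"vault": host, "name": parts[1],
            "version": parts[2] if len(parts) == 3 else None}


def to_reference(uri):
    """Value to paste into the Function App application setting."""
    parse_secret_uri(uri)  # validate before building the reference
    return f"@Microsoft.KeyVault(SecretUri={uri})"


def read_setting(name, env=None):
    """Return the resolved secret; fail closed if the reference did not resolve."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError(f"app setting {name!r} is not set")
    if _REFERENCE.match(value.strip()):
        # The function sees the literal reference text when resolution fails,
        # e.g. the identity is Off or the access policy lacks secret Get.
        raise RuntimeError(f"app setting {name!r} is an unresolved reference")
    return value  # treat as a secret: keep it out of logs


if __name__ == "__main__":
    uri = ("https://keyvaultdevdemotest.vault.azure.net/secrets/"
           "DBConnectionString/a520325d428240888836fabcc8669609")
    print(to_reference(uri))
    constructed_env = {SETTING_NAME: to_reference(uri)}  # constructed: unresolved
    try:
        read_setting(SETTING_NAME, constructed_env)
    except RuntimeError as err:
        print("refused:", err)
```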