{"id":9843,"date":"2022-01-21T04:56:05","date_gmt":"2022-01-21T04:56:05","guid":{"rendered":"https:\/\/blog.cloudthat.com\/?p=9843"},"modified":"2024-06-25T11:05:20","modified_gmt":"2024-06-25T11:05:20","slug":"integrating-azure-key-vault-with-azure-function-app","status":"publish","type":"blog","link":"https:\/\/www.cloudthat.com\/resources\/blog\/integrating-azure-key-vault-with-azure-function-app","title":{"rendered":"Integrating Azure Key Vault with Azure Function APP"},"content":{"rendered":"

There are various scenarios where Azure Functions can be utilized; there is a possibility for integrating them with Azure components. However, security measures should be taken during this process to ensure that the credentials are not hacked and stored in the right place. Therefore, Azure Key Vault is necessary to enhance data protection and compliance, boost performance and reduce the latency of the cloud applications.<\/p>\n

In this blog post, we will unveil some techniques to integrate Azure Key Vault with Azure Function App in detail.<\/p>\n\n\n\n\n\n\n\n\n\n
\n

TABLE OF CONTENT<\/strong><\/span><\/h2>\n<\/td>\n<\/tr>\n

1. Function App Creation<\/a><\/td>\n<\/tr>\n
2. Azure Key Vault Creation<\/a><\/td>\n<\/tr>\n
3. Providing Permissions to Function Apps<\/a><\/td>\n<\/tr>\n
4. Accessing All Secrets from Vault using Function App by HTTP Trigger<\/a><\/td>\n<\/tr>\n
5. Conclusion<\/a><\/td>\n<\/tr>\n
6. About CloudThat<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

1. Function App creation<\/h1>\n

Open the Azure portal, search for Function APP in the search bar, and click on the create button.<\/p>\n

\"Azure<\/a><\/p>\n

Select your subscription and create a resource group (if not exist) and fill in the remaining details as below.<\/p>\n

\"Azure<\/a><\/p>\n

Leave the remaining fields as default and click on the Review + create button and click the<\/strong> create<\/strong> button.<\/p>\n

2. Azure Key Vault creation<\/h1>\n

Open the search bar, search for Key Vault, and click on the create button.<\/p>\n

\"Azure<\/a><\/p>\n

Fill in the details of Subscription, Resource Group, Vault Name, Region<\/strong> and leave the remaining fields as default and click on the Review + Create button so that it will validate your deployment details. Once your validation is successful, then click on Create button, it will start your deployment.<\/p>\n

3. Providing Permission to Function App<\/h1>\n

Go to your Function App that you have created earlier; if you scroll down in the left pane, you can see an option called Identity <\/strong>click on it.<\/p>\n

\"\"<\/a><\/p>\n

You can see an option System Identity; <\/strong>by default, the status of System Identity will be Off,<\/strong> so turn the status to On. <\/strong>Now Object ID will be generated to the Function App, copy the Object ID and go to the Key Vault you have created before.<\/p>\n

\"Azure<\/a><\/p>\n

Click on Access Policies and Add Access Policies.<\/p>\n

\"Azure<\/a><\/p>\n

Fill in the details as mentioned below and ensure that key permissions contain GET, LIST<\/strong> permissions. Click on Select Principle<\/strong>, paste the Object ID of Function APP, select your Function App, and click on the Add<\/strong> button.<\/p>\n

\"Azure<\/a><\/p>\n

Now your Function has enough permissions to read all secrets from the Key Vault. We will create some secrets and try to fetch them using the Function APP.<\/p>\n

\"Azure<\/a><\/p>\n

Click on Secrets Pane that can be visible in the left pane of the vault home page. Next, click on Generate\/Import button on top and provide the Name and values of your secret and click on create button. Now your secrets are encrypted and stored.<\/p>\n

4. Accessing all secrets from Vault using Function App by HTTP trigger<\/span><\/h1>\n
import azure.functions as func\r\nimport logging\r\nimport os\r\nfrom azure.identity import ManagedIdentityCredential\r\nfrom azure.keyvault.secrets import SecretClient\r\n\r\ndef main(req: func.HttpRequest) -> func.HttpResponse:\r\n    logging.info('Python HTTP trigger function processed a request.')\r\n\r\n    \r\n    identity = ManagedIdentityCredential()\r\n    secretClient = SecretClient(vault_url=\"https:\/\/vaulttest888.vault.azure.net\/\", credential=identity)\r\n    #return func.HttpResponse(f\"Hello, the Secret key value for {SecretName} is {secret.value}\")\r\n    secret_properties = secretClient.list_properties_of_secrets()\r\n    Secret_list={}\r\n    for secret_property in secret_properties:\r\n        secret_property.name\r\n        secret = secretClient.get_secret(secret_property.name)\r\n        Secret_list[secret_property.name]=secret.value\r\n    return func.HttpResponse(f\"{Secret_list}\")\r\n<\/pre>\n
The code mentioned above will fetch all the secrets and secret values in the form of key-value pair and in the twelfth line please make sure that you can replace the URL with your Vault URL available at your vault home page.<\/p>\n
If you run the above code, it will fetch all the secrets of your Vault in the form of key-value pair.<\/p>\n
5. Conclusion<\/h1>\n
A secret can be anything from API keys, passwords, security certificates, or cryptographic keys. In the digital era, password loss and security certificate expiration can have a significant impact on business. Azure Key Vault is a cloud service for securely story credentials and accessing secrets. Learn more about Azure Key Vault and other Microsoft Azure services on this site. If you have any queries about Azure Key Vault or Azure Function Apps, drop a message in the below comment section, and I will get back to you quickly.<\/p>\n
6. About CloudThat<\/h1>\n
CloudThat provides end-to-end support with all the Azure services. CloudThat being the\u202f<\/span><\/span>Microsoft Gold Partner<\/span><\/span><\/a>\u202fand pioneer in\u00a0<\/span>C<\/span>loud training and Consulting in India since 2012 is the right ally for you<\/span>.\u00a0<\/span><\/span>We are on a mission to build\u00a0a robust\u00a0cloud computing ecosystem by disseminating\u00a0knowledge on technological intricacies within the cloud space. Read more about\u00a0CloudThat\u2019s Consulting and Expert Advisory.<\/strong><\/a><\/p>\n","protected":false},"author":238,"featured_media":10057,"parent":0,"comment_status":"open","ping_status":"open","template":"","blog_category":[3606,3607],"user_email":"shaikb@cloudthat.com","published_by":"324","primary-authors":"","secondary-authors":"","acf":[],"_links":{"self":[{"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/blog\/9843"}],"collection":[{"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/blog"}],"about":[{"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/types\/blog"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/users\/238"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/comments?post=9843"}],"version-history":[{"count":1,"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/blog\/9843\/revisions"}],"predecessor-version":[{"id":46074,"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/blog\/9843\/revisions\/46074"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/media?parent=9843"}],"wp:term":[{"taxonomy":"blog_category","embeddable":true,"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/blog_category?post=9843"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}