Secure your Environment Variable inside Azure Function using Key Vault

In the previous blog, we learn about how to use the Environment variable in Azure Function. Environment variables are most important and confidential as they might contain the system credentials or configure that you don’t want any to access directly. The most unsecure way to store them is directly inside the Configuration of Azure function so in this blog we will see how to store the Environment variable inside the Key Vault and use the Key Vault reference in Configuration.

You can create an Azure function and use Environment Variable to do so do refer to my previous blog:

Step 1: Create a Key Vault

Login to Azure Portal and click on + Create a resource called “Key Vault”.

Click on Create

You can create a new resource group or select the existing group based on your preference. (You can create all resources related to a single project in one resource group so that it will easier to manage resources project wise)

You need to set up the Access policy during the creation or after creating the Key Vault. We will set up an access policy for Azure Function later in the blog.

Step 2: Set an Access policy for Azure Function.

Open the Azure Function in which you want to use the reference of Azure Key Vault. Navigate to Identity Tab and toggle System assigned status to “ON”. Copy the Object (Principle) ID as we are going to use it during adding access policy.

Open Azure Key Vault and Navigate to the Access Policies section.

Click on + Add Access Policy

We will only Add Get Permission in the Secret permissions section. You need to only add the permission that you want to allow your Azure Function can perform.

Select the Principle User. Copy the Copied “Object ID” into search it will be easier to find it.

Click on Add. Once you will add a resource in the access policy, it will allow your resource (Azure Function) to perform a Get operation on all the secrets from Key Vault.

Do not forget to Save after you add the policy.

Step 3: Add Secret and Configure it inside Azure Function

Navigate to the Secrets section and Click on + Generate/Import

Enter the Name and Value(Credentials/Configuration)

Open the current version and Copy the secret URL as it will be required while configuring the Reference.

Navigate to the Configuration section of Azure Function.

Change the Configuration and add the KeyVault Reference as below:

@Microsoft.KeyVault(SecretUri=<Copied SecretURL>)

Do not forget to Save after changing the configuration

Step 4: Testing using Postman

We will require the API testing tool, here I am using Postman and the following is the link to download “Postman”. https://www.postman.com/downloads/ Copy the Function URL and send a post request. As result, you will notice the username is coming from KeyVault as we have to change the configuration.

Conclusion:

This is how you can secure your Environment Variable using Azure KeyVault. You can set up multiple KeyVault for different deployment and access policies depending on the requirement. When you are storing the Credentials and Configuration in KeyVault, you just need to set up the Access policy. All configuration is managed by the Azure Admin and if origination has a policy that they don’t want to share the credentials they can follow this process and only share the KeyVault URL with the developer so that they only need to configure it.


Share Story :