
Key Vault as backing store of Azure Functions

If you have used Azure Functions, you are probably aware that the service relies on a Storage Account underneath, both as file storage (the function app code resides in an Azure File share) and as the backing store for the Function keys (the secrets used to authorize function invocations).

Figure: Storage Account containers – “azure-webjobs-secrets”

If you look inside the container, there are files with the following contents:

Figure: These JSON files hold the function keys

Figure: Encrypted master key and other function keys

I have been in a conversation where it was not appreciated that these keys are stored in the storage account. The security and governance team was looking for a better place to keep them, where the secrets can be further restricted from developer access.

Of course, we can put a VNET around the storage account and use Private Link, but that has other consequences, because the content (the function implementation artifacts) is also stored in that storage account. Configuring two separate storage accounts can address this better; however, that makes the setup more complicated than it has to be.
A better option is to store these keys in a Key Vault as the backing store. This is a great feature of Azure Functions, but I have found that few people are aware of it due to the lack of documentation. In this article I will show you how to move these secrets to a Key Vault.

To do so, we need to configure a few Application Settings on the Function App. They are given below:

App Settings name                                    Value
AzureWebJobsSecretStorageType                        keyvault
AzureWebJobsSecretStorageKeyVaultName                <Key Vault Name>
AzureWebJobsSecretStorageKeyVaultConnectionString    <Connection String, or leave it empty with Managed Identity configured on the Function App>

Once you have configured the above settings, enable Managed Identity on your Azure Function; you do that in the Identity section under the Platform features tab. In my opinion that is a much better option than a connection string, because we then do not need to maintain any additional secret to talk to Key Vault securely. Go ahead and turn the system-assigned identity toggle on. This creates a service principal with the same name as your Function App.

Figure: Enabling system-assigned managed identity on the Function App

The next step is to add an access policy on the Key Vault for the service principal created in the previous step.

Figure: Key Vault access policy

That's it. Invoke your function app now and you will see the keys stored inside the Key Vault. You can safely delete the container from the storage account now.
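The settings table and the identity and access-policy steps above, carried out from the Azure CLI instead of the portal, as an added example that is not the post's own code. The resource group, function app and vault names are placeholders (override them through the environment), the script assumes you are already logged in with `az`, and the secret permissions it grants (get, list, set, delete) are an assumption about what the Functions host needs to read and rotate keys. The connection-string setting is deliberately not set, matching the "leave it empty with Managed Identity" row. The `validate_secret_storage_settings` function is a pure check over an app-settings dump that confirms the host is pointed at Key Vault through the identity and that no stored credential was pasted into the settings; the sample settings in the usage note are constructed.

```shell
#!/usr/bin/env bash
# Added example, not code from the post: move an Azure Functions app's key
# storage to Key Vault, authenticating with a system-assigned managed identity,
# then verify the resulting app settings. Names below are placeholders.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-placeholder}"
FUNCTION_APP="${FUNCTION_APP:-func-placeholder}"
KEY_VAULT="${KEY_VAULT:-kv-placeholder}"

# Pure check over KEY=VALUE lines on stdin (one app setting per line).
# Returns 0 when the host is configured for Key Vault via the managed identity;
# prints each finding and returns 1 otherwise. Values may themselves contain
# '=' because `read` puts the remainder of the line into the last variable.
validate_secret_storage_settings() {
  local key value type="" vault="" conn="" problems=0
  while IFS='=' read -r key value || [ -n "$key" ]; do
    case "$key" in
      AzureWebJobsSecretStorageType) type="$value" ;;
      AzureWebJobsSecretStorageKeyVaultName) vault="$value" ;;
      AzureWebJobsSecretStorageKeyVaultConnectionString) conn="$value" ;;
    esac
  done
  if [ "$type" != "keyvault" ]; then
    echo "AzureWebJobsSecretStorageType is '${type:-unset}', expected 'keyvault'"
    problems=$((problems + 1))
  fi
  if [ -z "$vault" ]; then
    echo "AzureWebJobsSecretStorageKeyVaultName is empty"
    problems=$((problems + 1))
  fi
  if [ -n "$conn" ]; then
    echo "AzureWebJobsSecretStorageKeyVaultConnectionString is set: a stored credential is used instead of the managed identity"
    problems=$((problems + 1))
  fi
  [ "$problems" -eq 0 ]
}

# The three portal steps from the post, driven from the Azure CLI.
configure_key_vault_backing_store() {
  local principal_id

  # 1. Enable the system-assigned identity and capture its principal (object) id.
  principal_id="$(az functionapp identity assign \
      --name "$FUNCTION_APP" --resource-group "$RESOURCE_GROUP" \
      --query principalId -o tsv)"

  # 2. Access policy for that identity only. Assumption: get/list/set/delete on
  #    secrets is what the host needs to read and rotate keys; nothing wider.
  az keyvault set-policy --name "$KEY_VAULT" --object-id "$principal_id" \
      --secret-permissions get list set delete >/dev/null

  # 3. Point the host at the vault. The ...KeyVaultConnectionString setting is
  #    left unset on purpose so the host authenticates with the identity.
  az functionapp config appsettings set \
      --name "$FUNCTION_APP" --resource-group "$RESOURCE_GROUP" \
      --settings AzureWebJobsSecretStorageType=keyvault \
                 "AzureWebJobsSecretStorageKeyVaultName=$KEY_VAULT" >/dev/null
}

# Pull the live settings back as KEY=VALUE lines and run the check above.
verify_key_vault_backing_store() {
  az functionapp config appsettings list \
      --name "$FUNCTION_APP" --resource-group "$RESOURCE_GROUP" \
      --query "[].join('=', [name, value])" -o tsv \
    | validate_secret_storage_settings
}

case "${1:-}" in
  --apply)  configure_key_vault_backing_store && verify_key_vault_backing_store ;;
  --verify) verify_key_vault_backing_store ;;
  *)        echo "usage: $0 --apply | --verify" ;;
esac
```

Run it with `--apply` to configure and then verify, or with `--verify` alone to audit an app that was configured through the portal. The check can also be fed a constructed dump directly, for example `printf 'AzureWebJobsSecretStorageType=keyvault\nAzureWebJobsSecretStorageKeyVaultName=kv-test\n' | validate_secret_storage_settings`, which passes, whereas a dump whose type is `blob` or whose connection-string setting carries a value is reported.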

Figure: Secrets are stored in Key Vault

I hope this saves you time when you are concerned about keeping the keys in a storage account.
The Azure Functions runtime is open source on GitHub. You can look into the sources and find other interesting ideas to play with.

6 thoughts on “Key Vault as backing store of Azure Functions”

  1. Could you please tell me how you use these settings below in Azure Functions Core, and if you can, tell me how we configure “WEBSITE_CONTENTAZUREFILECONNECTIONSTRING” to get its value from Key Vault
    AzureWebJobsSecretStorageType keyvault
    AzureWebJobsSecretStorageKeyVaultName
    AzureWebJobsSecretStorageKeyVaultConnectionString


    1. Hi, unfortunately the connection string of “WEBSITE_CONTENTAZUREFILECONNECTIONSTRING” can’t be kept in Key Vault – the Function runtime expects this as an Environment Variable.


      1. Thanks for the quick response. Just wanted to understand a few things about the app config settings.
        I do not want my blob container to store any secrets; I am following what you mentioned:

        App Settings name = Value

        1) AzureWebJobsSecretStorageType = keyvault (Is this the default value?)
        AzureWebJobsSecretStorageKeyVaultName = (what should it contain, I mean what value should I keep here?)
        AzureWebJobsSecretStorageKeyVaultConnectionString = <Connection String or leave it> (in the Azure portal we cannot keep the value blank)

        Can you please share some code sample where you have used such settings.


  2. Does this work with App Service slots using HubName for durable functions?
    When I follow these steps, I get an error in Application Insights: “Unable to find an Azure Storage connection string to use for this binding.”

