Microsoft Azure Community

How to efficiently manage secrets in Azure Functions using Key Vault?

• JS

  John Smith

  Posted: 2023-10-26 10:30 AM

  Hi everyone,

  I'm working on an Azure Functions project and need to store sensitive information like API keys and database connection strings. I've set up Azure Key Vault, but I'm not sure about the best practices for integrating it with my Functions. Specifically:

  • Should I use Managed Identities or Service Principals?
  • What's the most efficient way to retrieve secrets within the Function runtime?
  • Are there any performance considerations I should be aware of?

  Any guidance or code examples would be greatly appreciated!

  Thanks in advance!

  Reply Quote Report 15 Likes
• AM

  Alice Miller

  Posted: 2023-10-26 11:15 AM

  Hey John,

  Great question! For Azure Functions, using **Managed Identities** is generally the recommended and most secure approach. It eliminates the need to manage credentials for your Function itself.

  Here's a quick example using C# and Managed Identity:

  
  using Azure.Identity;
  using Azure.Security.KeyVault.Secrets;
  
  public static class MyFunction
  {
      private static SecretClient _secretClient;
  
      public static void InitializeSecretClient()
      {
          if (_secretClient == null)
          {
              // Use the default Azure identity credential, which will pick up the Managed Identity
              var credential = new DefaultAzureCredential();
              // Replace with your Key Vault URI
              _secretClient = new SecretClient(new Uri("https://your-keyvault-name.vault.azure.net/"), credential);
          }
      }
  
      [FunctionName("MyFunctionName")]
      public static async Task Run([HttpTrigger(AuthorizationLevel.Function, "get", "post")] HttpRequest req, ILogger log)
      {
          InitializeSecretClient();
  
          try
          {
              // Replace "YourSecretName" with the actual name of your secret in Key Vault
              KeyVaultSecret secret = await _secretClient.GetSecretAsync("YourSecretName");
              string secretValue = secret.Value;
              log.LogInformation($"Retrieved secret: {secretValue}");
              // Use the secret value in your function logic
          }
          catch (Exception ex)
          {
              log.LogError($"Error retrieving secret: {ex.Message}");
          }
      }
  }
                      

  For performance, Key Vault SDKs are generally efficient. You can optimize by caching the SecretClient instance (as shown above) to avoid re-initializing it on every function invocation. Also, consider the retrieval frequency – avoid fetching secrets on every single request if they don't change often.

  Hope this helps!

  Reply Quote Report 5 Likes
• BB

  Bob Williams

  Posted: 2023-10-26 02:05 PM

  Alice, thanks for the code snippet! I've been using Service Principals, but Managed Identity seems cleaner. One question: How do you enable Managed Identity for an Azure Function app?

  Reply Quote Report 2 Likes
• AM

  Alice Miller Best Answer

  Posted: 2023-10-26 03:00 PM

  Bob, to enable Managed Identity for an Azure Function App:

  1. Navigate to your Azure Function App in the Azure portal.
  2. Under "Settings", select "Identity".
  3. Under the "System assigned" tab, toggle the status to "On".
  4. Click "Save".

  Azure will then create an identity for your Function App in Azure Active Directory. You'll need to grant this identity permissions to access your Key Vault (e.g., "Get" secrets).

  You can do this in the Key Vault's "Access policies" or "Access control (IAM)" section.

  Reply Quote Report 8 Likes