Skip to main content

How to keep secrets in Azure Functions?

While doing a code review of an Azure Function I noticed the following line:

var personalAccessToken = Environment.GetEnvironmentVariable("KeyVault_PersonalAccessToken", EnvironmentVariableTarget.Process);

Could it be that the developer directly stored a secret in an environment variable? Instead of using a secure storage like Azure Keyvault?

Inside the configuration on the Azure Portal I found the following:

@Microsoft.KeyVault(SecretUri=https://sample-vault.vault.azure.net/secrets/personal-access-token/<removedthekey>)

Luckily my assumption was wrong and it turns out that is a feature I wasn’t aware of in Azure (Functions).

To use this feature you first have to create a Managed Service Identity for your Azure Functions app as described here: https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet#creating-an-app-with-an-identity

Once you have a Managed Service Identity you can add an Access policy in your Azure Keyvault:

Now you can copy the secret identifier from the secret you want to use:

This secret identifier should be added with a special connectionstring to your Azure Function configuration:

 @Microsoft.KeyVault(SecretUri={theSecretUri}).

Thanks Dario for teaching me this trick!

Labels:

Popular posts from this blog

Podman– Command execution failed with exit code 125

After updating WSL on one of the developer machines, Podman failed to work. When we took a look through Podman Desktop, we noticed that Podman had stopped running and returned the following error message: Error: Command execution failed with exit code 125 Here are the steps we tried to fix the issue: We started by running podman info to get some extra details on what could be wrong: >podman info OS: windows/amd64 provider: wsl version: 5.3.1 Cannot connect to Podman. Please verify your connection to the Linux system using `podman system connection list`, or try `podman machine init` and `podman machine start` to manage a new Linux VM Error: unable to connect to Podman socket: failed to connect: dial tcp 127.0.0.1:2655: connectex: No connection could be made because the target machine actively refused it. That makes sense as the podman VM was not running. Let’s check the VM: >podman machine list NAME         ...
Read more

Azure DevOps/ GitHub emoji

I’m really bad at remembering emoji’s. So here is cheat sheet with all emoji’s that can be used in tools that support the github emoji markdown markup: All credits go to rcaviers who created this list.
Read more

VS Code Planning mode

After the introduction of Plan mode in Visual Studio , it now also found its way into VS Code. Planning mode, or as I like to call it 'Hannibal mode', extends GitHub Copilot's Agent Mode capabilities to handle larger, multi-step coding tasks with a structured approach. Instead of jumping straight into code generation, Planning mode creates a detailed execution plan. If you want more details, have a look at my previous post . Putting plan mode into action VS Code takes a different approach compared to Visual Studio when using plan mode. Instead of a configuration setting that you can activate but have limited control over, planning is available as a separate chat mode/agent: I like this approach better than how Visual Studio does it as you have explicit control when plan mode is activated. Instead of immediately diving into execution, the plan agent creates a plan and asks some follow up questions: You can further edit the plan by clicking on ‘Open in Editor’: ...
Read more