This article is part of #ServerlessSeptember. You'll find other helpful articles, detailed tutorials, and videos in this all-things-Serverless content collection. New articles are published every day — that's right, every day — from community members and cloud advocates in the month of September.
Find out more about how Microsoft Azure enables your Serverless functions at https://docs.microsoft.com/azure/azure-functions/.
You should never store secrets in code. But what if your function need access to a secret, ie. a connection string to a storage blob? You can store those secrets in Azure KeyVault and securely reference said secrets in your function app.
The rest of this article is going to show you how to set this up without using Azure Portal.
If you want to learn more about how to better secure your function app, take a look at this article by Function PM Matthew
a lightweight and flexible command-line JSON processor that I promise you'll be using over and over again
This can either be done through
Serverless framework - recommended since this article is building upon the sample app walk through from yesterday
All the scripts I mentioned below can be find in this accompanying repo
Feel free to change the chosen resource name in the scripts to something else, but beware that different resource have different naming restrictions.
Refer to the Azure resources naming convention guide if you're having trouble using
your desire values.
az account show # list all subscriptions you have access to az account set --subscription <SUB_ID> # id of the sub you want to use az login
git clone email@example.com:mydiemho/myho-serverless-demo.git cd myho-serverless-demo
The script will create a resource group and a keyVault.
./scripts/add-secrets.sh AwesomeSecret AwesomeSecretValue
The script takes 2 inputs: the secret key and the secret value. If you do not pass in any inputs, the default key and value will be used.
Take note of the
secret url in the output, you'll need it in a later step
In order for the app the reference keyVault secrets, you have to add the app to the keyVault's access policies.
The steps involved in doing this is:
Adding a system-assigned identity to the function app 1
Add this identity as access policy to keyVault
You'll have to first deploy a function app, then you can using the following script to grant access to the app
./scripts/grant-app-access.sh <APP_RESOURCE_GROUP> <APP_NAME>
Once the script finish, you can check the portal and see that a new access policy has been added to the function app
We'll add the keyvault secret reference as an app setting *. App settings are available as environment variables to function handlers.
Using serverless, anything under the
environment section will be created as app settings.
Make sure to replace the url with the one generated in add secrets
# see https://github.com/mydiemho/myho-serverless-demo/blob/master/serverless.yml#L29 environment: # these will be created as application settings SUPER_SECRET: "@Microsoft.KeyVault(SecretUri=https://myho-serverless-demo-kv.vault.azure.net/secrets/MySuperSecretName/88df087331004326994047248b0b6b67)"
You can either update the handler code for one of the function or create a new function. For this example, I choose to create a new function called
add the following section to your yaml below existing functions
# see https://github.com/mydiemho/myho-serverless-demo/blob/master/serverless.yml#L93 secrets: handler: src/handlers/secrets.printSecrets events: - http: true x-azure-settings: methods: - GET authLevel: anonymous
Add a new file
Once you've done all the set up, you're now ready to test out your new function app that is referencing KeyVault
If you're having trouble deploying, refer to this article to make sure you have done all the pre-requisites
After deploy, you can hit the function url, apim url, or using the
invoke command to test your changes.
➜ sls invoke -f secrets Serverless: Logging into Azure ... Serverless: Invoking function secrets with GET request Serverless: "Shhhhh.. it's a secret: ItIsASecret"