
Automation Course Part 8 – Use Azure KeyVault to store secrets for your automation

As you build out serverless automation, it’s critical to never store secrets in code, including passwords and API keys.

Azure Functions allows you to store secrets and configuration settings securely using the Azure KeyVault service.

Azure KeyVault is a cloud-based service that provides a secure storage location for secrets, such as passwords, API keys, and certificates. It can be used to safeguard your application secrets and keys, and help you comply with security and compliance standards.

Here are the steps to use Azure KeyVault to secure secrets associated with an Azure function:

Step 1: Create a KeyVault

The first step is to create a KeyVault in the Azure Portal or using PowerShell. For example, to create a KeyVault using PowerShell, you can use the following command:

New-AzKeyVault -Name <keyvault-name> -ResourceGroupName <resource-group-name> -Location <location>

Step 2: Create Secrets in KeyVault

Next, create the secrets in the KeyVault that you want to use in your Azure Function. This can be done using the Azure Portal or using PowerShell. For example, to create a secret in PowerShell, you can use the following command (note that -SecretValue expects a SecureString rather than a plain string):

Set-AzKeyVaultSecret -VaultName <keyvault-name> -Name <secret-name> -SecretValue (ConvertTo-SecureString '<secret-value>' -AsPlainText -Force)

Step 3: Grant Permissions to Function App

Now, grant permissions to the Function App to access the KeyVault. This can be done in the Azure Portal [link to MS docs] or using PowerShell. For example, to grant permissions using PowerShell, you can use the following command:

Set-AzKeyVaultAccessPolicy -VaultName <keyvault-name> -ObjectId <object-id-of-function-app> -PermissionsToSecrets get

This command grants the Function App permission to read secrets from the KeyVault.
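The following script is an added example that is not part of the original article; it carries Steps 1 to 3 through end to end with the Az PowerShell module. The resource group, vault and Function App names are placeholders you replace with your own. It reads the secret value interactively so the plaintext never lands in the script file or the shell history, enables the Function App's system-assigned managed identity, and grants that identity only the secrets/get permission before verifying the policy.

```powershell
# Added example (not from the original article). All names are placeholders.
$ResourceGroup = 'rg-automation'         # assumed resource group
$Location      = 'westeurope'            # assumed region
$VaultName     = 'kv-automation-demo'    # must be globally unique
$FunctionApp   = 'func-automation-demo'  # existing Function App

# Step 1: create the vault. Purge protection stops a deleted vault or secret
# from being permanently removed during the retention period.
New-AzKeyVault -Name $VaultName -ResourceGroupName $ResourceGroup `
    -Location $Location -EnablePurgeProtection | Out-Null

# Step 2: store the secret. -SecretValue needs a SecureString; Read-Host keeps
# the plaintext out of the script and out of the command history.
$secure = Read-Host -Prompt 'Enter value for MySecret' -AsSecureString
Set-AzKeyVaultSecret -VaultName $VaultName -Name 'MySecret' -SecretValue $secure | Out-Null

# Step 3: enable the Function App's system-assigned identity and grant it
# secrets/get only (no list, set or delete).
$app = Set-AzWebApp -ResourceGroupName $ResourceGroup -Name $FunctionApp -AssignIdentity $true
$principalId = $app.Identity.PrincipalId
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $principalId -PermissionsToSecrets get

# Verify: the identity should appear with exactly the "get" permission.
(Get-AzKeyVault -VaultName $VaultName).AccessPolicies |
    Where-Object ObjectId -eq $principalId |
    Select-Object ObjectId, PermissionsToSecrets
```

The access-policy cmdlet only applies to vaults that use the access-policy permission model. If the vault was created with -EnableRbacAuthorization, access policies are ignored; assign the built-in "Key Vault Secrets User" role to $principalId with New-AzRoleAssignment, scoped to the vault's ResourceId, instead.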

Step 4: Use Secrets in Azure Function

Finally, use the secrets in your Azure Function. There are two ways to access the secrets natively in your function:

  • Using $env:

Every application setting in the Function App configuration is exposed to your function as an environment variable, so you can read it in your function code with the $env: drive. For example, if you added a setting named MySecret to the Function App configuration, you can access it in PowerShell using the following code:

$secretValue = $env:MySecret

  • Using Function App configurations:

You can also use Function App configurations to make the secrets available to your function code. This approach lets you define a mapping between the secret name in the KeyVault and a configuration key, so the function reads the secret through the configuration key. For example, if you added a secret named MySecret to the KeyVault, the following PowerShell reads it from the KeyVault and stores it under the configuration key MyConfigKey:

$secretValue = Get-AzKeyVaultSecret -VaultName <keyvault-name> -Name <secret-name> -AsPlainText
Set-AzWebApp -ResourceGroupName <resource-group-name> -Name <function-app-name> -AppSettings @{"MyConfigKey" = $secretValue}

This code retrieves the secret value from the KeyVault and sets it as a configuration setting named MyConfigKey for the Function App, which the function then reads as $env:MyConfigKey.
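As an added example that is not part of the original article, the script below combines the two approaches above: it stores a Key Vault reference in the Function App configuration instead of the secret value itself, so the platform resolves the secret at runtime through the managed identity granted in Step 3, and the function code still reads the result from $env:. It also merges with the existing application settings, because Set-AzWebApp -AppSettings replaces the whole collection rather than adding one key. The resource names and the Get-RequiredSecret helper are assumptions for illustration.

```powershell
# Added example (not from the original article). Names are placeholders.
$ResourceGroup = 'rg-automation'
$FunctionApp   = 'func-automation-demo'
$VaultName     = 'kv-automation-demo'
$SecretName    = 'MySecret'

# A Key Vault reference tells the platform to fetch the secret with the Function
# App's managed identity at runtime; the app setting never holds the value.
# Omitting the secret version means the latest version is used after rotation.
$reference = "@Microsoft.KeyVault(VaultName=$VaultName;SecretName=$SecretName)"

# Set-AzWebApp -AppSettings replaces the entire collection, so merge first.
$app = Get-AzWebApp -ResourceGroupName $ResourceGroup -Name $FunctionApp
$settings = @{}
foreach ($s in $app.SiteConfig.AppSettings) { $settings[$s.Name] = $s.Value }
$settings[$SecretName] = $reference
Set-AzWebApp -ResourceGroupName $ResourceGroup -Name $FunctionApp -AppSettings $settings | Out-Null

# Confirm the stored setting is the reference string, not the secret value.
(Get-AzWebApp -ResourceGroupName $ResourceGroup -Name $FunctionApp).SiteConfig.AppSettings |
    Where-Object Name -eq $SecretName

# Inside the function (run.ps1 or profile.ps1): read the resolved value from the
# environment and fail closed if the reference was not resolved, which happens
# when the identity is missing or the vault access policy was not applied.
function Get-RequiredSecret {
    param([Parameter(Mandatory)][string]$Name)
    $value = [Environment]::GetEnvironmentVariable($Name)
    if ([string]::IsNullOrEmpty($value)) {
        throw "App setting '$Name' is not set."
    }
    if ($value.StartsWith('@Microsoft.KeyVault(')) {
        # The platform leaves the literal reference in place when it cannot resolve it.
        throw "App setting '$Name' is an unresolved Key Vault reference; check the Function App identity and vault access policy."
    }
    return $value
}

$secretValue = Get-RequiredSecret -Name 'MySecret'   # use it, never log it
```

Because the vault is read by the platform and not by your script, the plaintext secret never passes through the deployment pipeline, and rotating the secret in the vault is picked up without redeploying the Function App.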
