
I am planning to use Azure Key Vault in my Azure Function App.

I can see there are the two ways below to use Key Vault in an Azure Function App:

a. Using Reference variable in Configurations

@Microsoft.KeyVault(SecretUri={copied identifier for the username secret})

b. Using .NET SDK

Azure.Security.KeyVault.Secrets
Azure.Identity

Example (using .NET SDK):

    using System;
    using Azure.Identity;
    using Azure.Security.KeyVault.Secrets;

    class Program
    {
        static void Main(string[] args)
        {
            string secretName = "mySecret";

            // Vault name comes from an app setting; the URI is built from it.
            string keyVaultName = Environment.GetEnvironmentVariable("KEY_VAULT_NAME");
            var kvUri = "https://" + keyVaultName + ".vault.azure.net";

            // DefaultAzureCredential picks the signed-in developer locally
            // and a managed identity when running in Azure.
            var client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential());

            Console.Write("Input the value of your secret > ");
            string secretValue = Console.ReadLine();

            Console.Write("Creating a secret in " + keyVaultName + " called '" + secretName + "' with the value '" + secretValue + "' ...");

            client.SetSecret(secretName, secretValue);

            Console.WriteLine(" done.");

            Console.WriteLine("Forgetting your secret.");
            secretValue = "";
            Console.WriteLine("Your secret is '" + secretValue + "'.");

            Console.WriteLine("Retrieving your secret from " + keyVaultName + ".");

            KeyVaultSecret secret = client.GetSecret(secretName);

            Console.WriteLine("Your secret is '" + secret.Value + "'.");

            Console.Write("Deleting your secret from " + keyVaultName + " ...");

            // Deletion is a long-running operation; the sample just waits a bit.
            client.StartDeleteSecret(secretName);

            System.Threading.Thread.Sleep(5000);
            Console.WriteLine(" done.");
        }
    }

But my question is, how should I decide which one I should use?

Rakesh Kumar
  • 2,701
  • 9
  • 38
  • 66
  • Like it was mentioned in the comments, you don't even need to install the AKV into your Azure Functions. There are more details here (https://stackoverflow.com/questions/62960764/how-to-modify-iconfiguration-natively-injected-in-azure-functions/63124002#63124002) – lopezbertoni Sep 07 '20 at 18:08

1 Answer

2

A Key Vault reference is of the form @Microsoft.KeyVault({referenceString}), which is only applied on the Azure portal. The code sample you provided works well both in the portal and locally.

For a Key Vault reference, you need to create a system-assigned managed identity for your function app and enable the "Get" permission on this function's service principal for Key Vault. While the example uses the logged-in user as the credential, you only need to enable the "Get" permission on the user for Azure Key Vault.

Joey Cai
  • 18,968
  • 1
  • 20
  • 30
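The two approaches compared in the question, together with the identity and "Get" permission requirements the answer describes, as one added example (not code from the question, the answer, or Microsoft's samples). It is an in-process Azure Functions v4 project on .NET 6 and assumes the NuGet packages Microsoft.Azure.Functions.Extensions, Azure.Identity and Azure.Security.KeyVault.Secrets, plus two app settings that are assumptions of this example: KEY_VAULT_NAME holding the vault name, and DbPassword configured in the portal as a Key Vault reference to a secret of the same name. The function name SecretProbe and the helper IsUnresolvedReference are likewise hypothetical.

```csharp
// Added example: one SecretClient shared through DI (approach b) next to a
// Key Vault reference read from app settings (approach a), with the checks a
// practitioner wants: detect an unresolved reference, and map a 403 from the
// vault to a missing "Get" secret permission on the function's identity.
// Assumed app settings: KEY_VAULT_NAME, DbPassword (a Key Vault reference).
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.Functions.Extensions.DependencyInjection;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

[assembly: FunctionsStartup(typeof(KeyVaultDemo.Startup))]

namespace KeyVaultDemo
{
    public class Startup : FunctionsStartup
    {
        public override void Configure(IFunctionsHostBuilder builder)
        {
            // Register one SecretClient for the whole host. DefaultAzureCredential
            // resolves to the system-assigned managed identity in Azure and to the
            // developer's az login / IDE sign-in when running locally.
            builder.Services.AddSingleton(_ =>
            {
                string vault = Environment.GetEnvironmentVariable("KEY_VAULT_NAME")
                    ?? throw new InvalidOperationException("KEY_VAULT_NAME is not set");
                return new SecretClient(new Uri($"https://{vault}.vault.azure.net"),
                                        new DefaultAzureCredential());
            });
        }
    }

    public class SecretProbe
    {
        private readonly SecretClient _client;
        public SecretProbe(SecretClient client) => _client = client;

        // Approach (a): the platform resolves the reference before the function
        // starts, so the setting reads like any other. Locally, or when the
        // identity/access policy is missing, the raw reference string is returned
        // instead; this check catches that case so it is never used as a password.
        public static bool IsUnresolvedReference(string value) =>
            value != null &&
            value.StartsWith("@Microsoft.KeyVault(", StringComparison.OrdinalIgnoreCase);

        [FunctionName("SecretProbe")]
        public async Task<IActionResult> Run(
            [HttpTrigger(AuthorizationLevel.Function, "get")] HttpRequest req, ILogger log)
        {
            string fromReference = Environment.GetEnvironmentVariable("DbPassword");
            bool referenceResolved = !IsUnresolvedReference(fromReference);
            if (!referenceResolved)
                log.LogWarning("DbPassword still holds the raw Key Vault reference: " +
                               "local run, or the managed identity/access policy is not configured.");

            // Approach (b): fetch at runtime through the SDK. A 403 means the identity
            // DefaultAzureCredential selected lacks the "Get" secret permission.
            try
            {
                KeyVaultSecret secret = await _client.GetSecretAsync("DbPassword");
                // Log metadata only; never write secret.Value to the log.
                log.LogInformation("Fetched secret {Name} (version {Version})",
                                   secret.Name, secret.Properties.Version);
                return new OkObjectResult(new { referenceResolved, sdkRetrieved = true });
            }
            catch (RequestFailedException ex) when (ex.Status == 403)
            {
                log.LogError(ex, "Key Vault denied the request; grant the function's identity " +
                                 "the \"Get\" secret permission.");
                return new StatusCodeResult(StatusCodes.Status503ServiceUnavailable);
            }
        }
    }
}
```

Calling GET /api/SecretProbe on the deployed app returns {"referenceResolved":true,"sdkRetrieved":true} once the managed identity exists and has "Get" on secrets; running it locally with the Functions Core Tools typically returns referenceResolved false (references are not resolved outside Azure) while the SDK path still succeeds with the developer's own login, which is exactly the difference the answer points out.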