访问 Azure Function 中的 Azure Key Vault 机密

Question

I'm building Azure Function in python triggered with Event Grid events, which should be able to gather secret from Kay Vault.

I added system-assigned managed identity to my Function App, and then I was able to pick my App in Key Vault access policies. I gave it permissions like below:

(I was trying different combinations at this one)

Also I provided new app setting with reference to mentioned key vault.

Unfortunetly when i try to check this value from code I'm unable to get this.

logging.info(os.environ)

When I add another app setting, just with plaintext it works great. I will be grateful for any ideas what else can be done.

Answer 1

You can use the following helper to get the values

namespace AccessKeyVault
{
    public static class GetKeyVaultValues
    {
        [FunctionName("GetKeyVaultValues")]
        public static async Task<HttpResponseMessage> Run([HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)]HttpRequestMessage req, TraceWriter log)
        {
            log.Info("C# HTTP trigger function processed a request.");

            string linkKeyVaultUrl = $"https://keyVaultname.vault.azure.net/secrets/";
            string keyvaultKey = $"KeyVaultKey";
            var secretURL = linkKeyVaultUrl + keyvaultKey;

            //Get token from managed service principal
            var azureServiceTokenProvider = new AzureServiceTokenProvider();
            var kvClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
            try
            {
                var clientIdRecord = await kvClient.GetSecretAsync(secretURL).ConfigureAwait(false);

                string KeyvaultValue = clientIdRecord.Value;

                return req.CreateErrorResponse(HttpStatusCode.OK, "Key vault secret value is  :  " + KeyvaultValue);
            }
            catch (System.Exception ex)
            {

               return req.CreateResponse(HttpStatusCode.BadRequest, "Key vault value request is not successfull");
            }

        }
    }
}

Answer 2

I couldn't figure out what you want to get with os.environ . I test with function It could work for me.

In function to retrieve key-valut if you already set it in appsettings, you could use Environment.GetEnvironmentVariable("secrest name", EnvironmentVariableTarget.Process) to implement it.