通过 KeyVault 从 Azure 函数连接到 SQL Server

Question

I try to connect to sql server from a local azure function by using key vault secrets. I set up a functions startup class to configure the connection:

[assembly: FunctionsStartup(typeof(MyNamespace.Startup))]
//namespace
public class Startup : FunctionsStartup
{
    public Startup()
    {
    }

    public override void Configure(IFunctionsHostBuilder builder)
    {
        string basePath = IsDevelopmentEnvironment() ?
            Environment.GetEnvironmentVariable("AzureWebJobsScriptRoot") :
            $"{Environment.GetEnvironmentVariable("HOME")}\\site\\wwwroot";

        var configurationBuilder = new ConfigurationBuilder()
            .SetBasePath(basePath)
            .AddJsonFile("local.settings.json", optional: true, reloadOnChange: false)  // secrets go here. This file is excluded from source control.
            .AddEnvironmentVariables();

        var builtConfig = configurationBuilder.Build();

        var azureServiceTokenProvider = new AzureServiceTokenProvider();
        var keyVaultClient = new KeyVaultClient(
            new KeyVaultClient.AuthenticationCallback(
                azureServiceTokenProvider.KeyVaultTokenCallback));

        configurationBuilder.AddAzureKeyVault($"https://{builtConfig.GetSection("KeyVaultSettings")["KeyVaultName"]}.vault.azure.net/",
            keyVaultClient,
            new DefaultKeyVaultSecretManager());

        var builtConfigWithKeyVault = configurationBuilder.Build(); //necessary?

        // Registering services
        builder
            .Services
                .AddScoped<IUnitOfWork, UnitOfWork>()
                .AddDbContext<DomainDbContext>(
                    options => options.UseSqlServer(builtConfigWithKeyVault.GetSection("KeyVaultSettings")["DatabaseConnectionStringSecretName"]));
    }

    public bool IsDevelopmentEnvironment()
    {
        return "Development".Equals(Environment.GetEnvironmentVariable("AZURE_FUNCTIONS_ENVIRONMENT"), StringComparison.OrdinalIgnoreCase);
    }
}

In local.settings.json , I defined the key vault settings:

"KeyVaultSettings": {
    "KeyVaultName": "KeyVault",
    "DatabaseConnectionStringSecretName": "ConnectionString"
}

My problem is that the connection is not set up, because in DBContextOptions, the connection string is "ConnectionString"

public DomainDbContext(IServiceProvider serviceProvider, DbContextOptions<DomainDbContext> options) : base(options)
{
    //options has wrong connection string
}

Is something wrong with the code or is it generally not possible to access key vault from local Azure function?!

Answer 1

If you want to get a connection string from Azure key vault, please refer to the following code

[assembly: FunctionsStartup(typeof(FunctionApp1.Startup))]
namespace FunctionApp1
{
    class Startup : FunctionsStartup
    {
        public override void Configure(IFunctionsHostBuilder builder)
        {
            string basePath = IsDevelopmentEnvironment() ?
            Environment.GetEnvironmentVariable("AzureWebJobsScriptRoot") :
            $"{Environment.GetEnvironmentVariable("HOME")}\\site\\wwwroot";

            var configurationBuilder = new ConfigurationBuilder()
                .SetBasePath(basePath)
                .AddJsonFile("local.settings.json", optional: true, reloadOnChange: false)
                .AddEnvironmentVariables();
            var currentConfiguration = configurationBuilder.Build();
            var azureServiceTokenProvider = new AzureServiceTokenProvider();
            var kvClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
            configurationBuilder
                        .AddAzureKeyVault($"https://{currentConfiguration["KeyVaultSettings:KeyVaultName"]}.vault.azure.net/",
                          kvClient, new DefaultKeyVaultSecretManager());
            var keyConfig = configurationBuilder.Build();
           
            var conStr= keyConfig.GetValue<string>(currentConfiguration["KeyVaultSettings:DatabaseConnectionStringSecretName"]);

            builder.Services
                    .AddDbContext<DomainDbContext>(options => options.UseSqlServer(conStr));
           


        }


        public bool IsDevelopmentEnvironment()
        {
            return "Development".Equals(Environment.GetEnvironmentVariable("AZURE_FUNCTIONS_ENVIRONMENT"), StringComparison.OrdinalIgnoreCase);
        }
    }
}

Besides, after you deploy the Function to Azure, we can use Azure key vault reference to simplify your code. For more details, please refer to here and here

For example

1. Enable Azure MSI in Azure function

2. Create an access policy in Key Vault for the application identity you created earlier

3. Add the reference in Azure Function Application Settings

@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931)

4. Read the Application Settings in your code