在 Blob 连接上的 Azure Function 中将 Key Vault Secret 与 Binder 结合使用

Question

I found this code sample to add a connection to Blob storage and write some text to a file but the connection information depends on environment variable name that contains your connection string. I can't figure out how to instead provide a key vault secret reference that contains the connection string instead of having to use the environment variable name with the connection string.

using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Host.Bindings.Runtime;

public static async Task Run(string input, Binder binder)
{
    var attributes = new Attribute[]
    {    
        new BlobAttribute("samples-output/path"),
        new StorageAccountAttribute("MyStorageAccount")
    };

    using (var writer = await binder.BindAsync<TextWriter>(attributes))
    {
        writer.Write("Hello World!");
    }
}

I can get the connection string from my key vault with code like below but I don't know how to provide that to the Binder to use.

string StorageConnectionString = GetSecrets(Environment.GetEnvironmentVariable("StorageAccountSecretUrl")).Result.Value;

The function called is below:

        private static async Task<SecretBundle> GetSecrets(string Url)
        {
            AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
            KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
            return await keyVaultClient.GetSecretAsync(Url).ConfigureAwait(false);
        }

The objective is to only use my key vault secrets for changes to the connection string and to keep the connection strings out of the configuration file.

Answer 1

Take a look at this MS doc called "Use Key Vault references for App Service and Azure Functions" ( https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references ).

This technique basically allows you to use Key Vault without materially changing your Function code. You keep the reference to an app settings variable in your function (for the Binding to use), but that app setting in turn is a pointer to a Key Vault secret. The system takes care of "translating" that pointer to the secret at runtime. The process does involve creating a managed identity for the app service/function to have permission to access the Vault.