
Using azure KeyVault in local development

I have seen other posts on this, but none of the answers seem to work. I have an Azure function app that I am developing locally. It uses an app setting to get username/password from the key vault. When deployed to Azure, it works perfectly. But developing locally, it is not grabbing the data from the vault.

So in code, I have this:

var password = System.Environment.GetEnvironmentVariable("PASSWORD", EnvironmentVariableTarget.Process);

I have added my user onto the vault access policy, and added the app identity on there also. Which is why it works in Azure. I saw this post that mentions setting an environment variable: https://github.com/Azure/azure-functions-host/issues/3907 I tried that, but still no dice. Whenever I call the above code, I just get the setting key back, which looks like this:

@Microsoft.KeyVault(SecretUri=https://mykeyvault.vault.azure.net/secrets/PASSWORD/e97ba4bf3e2e4919b1899384ea349999)

Of course it will not work: the Key Vault reference is just a feature of function app or web app, and it does not apply to local development.

Locally, your option is to get the secret via the SDK manually.

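using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
var client = new SecretClient(vaultUri: new Uri(keyVaultUrl), credential: new DefaultAzureCredential());
KeyVaultSecret secret = client.GetSecret("secret-name"); // secret.Value holds the secret string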

The code above uses DefaultAzureCredential from Azure.Identity to authenticate. It will try several credential types in order; one of them is VisualStudioCredential, which means it will use the user account logged in to VS. You can also use VisualStudioCredential directly in the code instead of DefaultAzureCredential.

Besides, the code will also work when you deploy it to Azure, because DefaultAzureCredential will use ManagedIdentityCredential to authenticate, i.e. use MSI to get the secret (essentially, the Key Vault reference feature also uses MSI to get the secret), so you can also use it directly rather than this feature; it is up to you.
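A way to keep one code path for both environments, as an added example that is not part of the original answer: read the app setting, and only when it still contains an unresolved `@Microsoft.KeyVault(SecretUri=...)` reference, fetch the secret through the SDK. The `LocalSettings` class and its method names are hypothetical, and only the SecretUri form shown in the question is handled.

```csharp
using System;
using System.Text.RegularExpressions;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Hypothetical helper (not from the original answer): returns an app setting,
// resolving an unresolved Key Vault reference through the SDK when needed.
public static class LocalSettings
{
    // Matches the SecretUri form shown in the question:
    // @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>/<version>)
    private static readonly Regex Reference = new Regex(
        @"^@Microsoft\.KeyVault\(SecretUri=(?<uri>https://[^)\s]+)\)$",
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    // Extracts the secret identifier from a reference string; false for plain values.
    public static bool TryParseReference(string value, out KeyVaultSecretIdentifier id)
    {
        id = default;
        var match = Reference.Match(value ?? string.Empty);
        if (!match.Success) return false;
        id = new KeyVaultSecretIdentifier(new Uri(match.Groups["uri"].Value));
        return true;
    }

    public static string Get(string settingName)
    {
        var raw = Environment.GetEnvironmentVariable(settingName, EnvironmentVariableTarget.Process);

        // In Azure the platform has already replaced the reference with the
        // secret value, so the setting is returned unchanged.
        if (!TryParseReference(raw, out var id)) return raw;

        // Locally the reference arrives verbatim: fetch the secret with the
        // developer's own sign-in (Visual Studio, Azure CLI, ...).
        var client = new SecretClient(id.VaultUri, new DefaultAzureCredential());
        return client.GetSecret(id.Name, id.Version).Value.Value;
    }
}
```

With this in place, `LocalSettings.Get("PASSWORD")` replaces the direct `GetEnvironmentVariable` call; the signed-in developer account needs permission to read secrets on the vault.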
