
How to use Azure Key Vault in Android

I'm using Azure as cloud storage. I'm able to upload and download the images/files in an Azure blob container using the following link.

Azure Blob storage

Now, to provide security, we are planning to use Key Vault. Using Key Vault keys, we need to access the blob storage in Azure. There is no information available for Android on using Key Vault. If anyone knows anything, please post it. If I missed anything, please comment and I will update it. I'm new to Azure implementation.

Edit: My goal is to display images in the app which are stored in Azure blob storage. Instead of accessing Azure storage directly, I want to access it by using Key Vault. After getting the secret key from Key Vault, how do I connect to Azure with that key?

Keys are stored in Key Vault; I want to access them and use them to access blob storage.

Don't use Azure Keyvault when you're building a mobile app. At least not directly.

You see, we want to keep all app secrets off the device if possible. Even if they're never being stored and will only be in memory transiently.

To solve this particular conundrum, we're still going to take advantage of Keyvault and all it has to offer and put the Azure Storage API key in there.

But instead of having the mobile app directly access the Table storage, we're going to have an Azure Function do that.

For more details, you could refer to this article.
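The backend side of the approach described in the answer above, as an added example that is not part of the original answer: an HTTP-triggered Azure Function in Python that reads the storage connection string from Key Vault and returns only image bytes to the app. The secret name, container name, `KEY_VAULT_URL` app setting and the file-name allow-list are assumptions made for this example.

```python
import os
import re

# Constructed allow-list of image names the app may request (assumption, not from the page).
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(png|jpg|jpeg)")
MIME = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg"}

def fetch_image(name, get_secret, read_blob):
    """Return (status, body, mimetype). The storage secret is fetched and used
    only here, server-side; it never appears in what is sent to the phone."""
    if not name or not SAFE_NAME.fullmatch(name):
        return 400, b"invalid image name", "text/plain"
    conn_str = get_secret("storage-connection-string")  # hypothetical secret name
    data = read_blob(conn_str, "images", name)          # hypothetical container name
    if data is None:
        return 404, b"not found", "text/plain"
    return 200, data, MIME[name.rsplit(".", 1)[1]]

def _kv_secret(secret_name):
    # The Function App's identity authenticates to Key Vault; no secret lives in code.
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient
    client = SecretClient(vault_url=os.environ["KEY_VAULT_URL"],
                          credential=DefaultAzureCredential())
    return client.get_secret(secret_name).value

def _blob_bytes(conn_str, container, name):
    # Download the blob with the connection string read from Key Vault.
    from azure.core.exceptions import ResourceNotFoundError
    from azure.storage.blob import BlobServiceClient
    service = BlobServiceClient.from_connection_string(conn_str)
    blob = service.get_blob_client(container=container, blob=name)
    try:
        return blob.download_blob().readall()
    except ResourceNotFoundError:
        return None

def main(req):
    """HTTP-triggered Azure Function entry point (Python v1 programming model)."""
    import azure.functions as func
    status, body, mimetype = fetch_image(req.params.get("name"), _kv_secret, _blob_bytes)
    return func.HttpResponse(body, status_code=status, mimetype=mimetype)
```

The Android app then requests the function URL with a `name` query parameter and decodes the response body as an image; it never holds a Key Vault or storage credential.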

A small bit of anatomy, in case you're not very familiar with Azure cloud: we have the Azure Function -> a block of executable code, triggered by an HTTP request or other trigger (e.g. database triggers), and the Azure Function App, which is an umbrella for having multiple functions.

  1. Azure Functions have different levels of security: anonymous, function and host keys: https://learn.microsoft.com/en-us/azure/azure-functions/security-concepts?tabs=v4
  2. By creating an Azure Function App, you can secure the function app itself with the OAuth2 protocol: https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization

If you're using other cloud providers, like GCP, you can also authenticate with a federated token; see https://learn.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation-create-trust-gcp?tabs=azure-cli%2Ctypescript

Because you created this authentication flow, even if your function doesn't have a key (your function security is anonymous), the function app (which you need to authenticate to with OAuth2 flow) can now call the unprotected function URI.

One more note: to actually grasp this, try creating a FunctionApp yourself where you disable authentication. If you access the link, you'll see no credentials requirement; check, by copying your AzureFunction URI, that you can call the function (anonymous level security).

Now add authentication on the FunctionApp and see for yourself that you can no longer call the AzureFunction.

To sum up: https://codemilltech.com/mobile-apps-azure-keyvault-dont-do-it/

Now you no longer have to manage secrets or API codes in your app. All your API codes and secrets now reside where they should - your backend.

Sorry for the wrong answer. I know it might be a bit redundant, but this is how I understood the entire access of an Azure resource (Key Vault) through an Azure Function which is under the umbrella of a Function App, which counterintuitively has the security level set to anonymous.
