I am building an Azure Function using .NET Core 3.1, and inside its local.settings.json I am storing some sensitive data, as follows:

```json
{
  "IsEncrypted": false,
  "Values": {
    "AzureWebJobsStorage": "UseDevelopmentStorage=true",
    "FUNCTIONS_WORKER_RUNTIME": "dotnet",
    "SiteUrl": "***.sharepoint.com/",
    "TenantId": "0***",
    "ClientId": "9****",
    "CertificateThumbPrint": "E***",
    "WEBSITE_LOAD_CERTIFICATES": "E***"
  }
}
```

So can I secure those values and store them inside Azure Key Vault? Can anyone provide some sample code, please?

Second question: now that I have deployed those settings to the Azure Function and I access the Azure Function Configuration, I see that those settings are encrypted already. So does this mean that there is no need to store this configuration inside Azure Key Vault, as it seems the settings are already encrypted and offered over HTTPS?


John John

1 Answer


So, can I secure those values and store them inside Azure key vault?

Yes, you can store the key-value pairs from the local.settings.json file in Azure Key Vault, and it is secured with the access policies and set of permissions that have to be configured.

You cannot retrieve the configuration stored in one Azure Function App Configuration into another Function App Configuration's Application Settings, which is a very difficult process.

You can store them in Azure Key Vault because it acts as a central repository for many applications to access the application settings, secrets, key-value pairs, and certificate passwords stored in it.

  1. Store all the required secrets (key-value pairs, application settings), certificates, etc. in the Azure Key Vault.

  2. Provide the access policies that define at what level of permissions this Key Vault configuration should be accessed in the Function App, by providing them in the Permissions and Principal options.

  3. You can retrieve the application settings stored in Key Vault into any Azure Function App Configuration using the format `@Microsoft.KeyVault(SecretUri=https://myvaultname.vault.azure.net/secrets/mysecret/)`. For every secret (app setting/key-value pair) stored in Key Vault, there will be a unique Secret URI for accessing it in the applications.

  4. Practical C# Code implementation on storing the Settings in Key Vault, retrieving them to the Azure Function App Configuration - Application Settings and accessing them from the Function (CSharp) Code.

  5. To get the Application Settings directly in the Function Code.

RithwikBojja
  • Thanks a lot for the detailed info and reply. But regarding my second question, do we need to secure the app settings when deployed to Azure? It seems they are already encrypted, as shown in the picture I provided. Am I correct? – John John Jan 27 '23 at 10:12
  • @john Gu, yes, you are correct, they are already encrypted. – RithwikBojja Jan 27 '23 at 10:17
  • Now, as far as I know, the local.settings.json will not get deployed to Azure, and its values will be stored inside the "Azure Configuration" >> "App settings". So securing the local.settings.json is not needed, as the file will not be available/deployed to Azure. Am I correct? – John John Jan 27 '23 at 10:20
  • Yeah, if you want to secure them, you can use Key Vault after deploying. The local settings file is not available after deploying, as the values are stored in App settings. – RithwikBojja Jan 27 '23 at 10:24
  • So no need to secure the "Azure Configuration" >> "App settings" using Key Vault. Am I getting your point correctly? – John John Jan 27 '23 at 10:29
  • Yeah, you are **right**. But if you want to secure them, you can do that using Key Vault! – RithwikBojja Jan 27 '23 at 10:30
  • But why secure something which is already secured? – John John Jan 27 '23 at 10:31
  • You don't need to secure them. Because you asked the question (any way to make it more secure), for that you can use Key Vault. It's an alternative way to do that. – RithwikBojja Jan 27 '23 at 10:32
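
The sample code the question asks for, as an added example that is not part of the original question or answer: a C# HTTP-triggered function that reads `ClientId` through a Key Vault reference in App settings and reads a secret directly with the Key Vault SDK. It assumes the Azure.Identity and Azure.Security.KeyVault.Secrets packages, a Function App identity that the vault's access policy allows to get secrets, and two hypothetical names: a `KeyVaultUri` app setting and a secret called `CertificateThumbPrint`.

```csharp
// Added example (not from the original post). Assumed NuGet packages:
// Microsoft.NET.Sdk.Functions, Azure.Identity, Azure.Security.KeyVault.Secrets.
using System;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;

public static class ReadSecretsFunction
{
    // Reads an app setting. Locally this comes from local.settings.json; in Azure,
    // a Key Vault reference is replaced by the secret value before the code runs.
    private static string GetSetting(string name)
    {
        string value = Environment.GetEnvironmentVariable(name);
        if (string.IsNullOrEmpty(value))
            throw new InvalidOperationException($"App setting '{name}' is missing.");
        // An unresolved reference is passed through as the literal reference string;
        // fail closed instead of using that string as a credential.
        if (value.StartsWith("@Microsoft.KeyVault(", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException($"Key Vault reference for '{name}' did not resolve.");
        return value;
    }

    [FunctionName("ReadSecrets")]
    public static async Task<IActionResult> Run(
        [HttpTrigger(AuthorizationLevel.Function, "get", Route = null)] HttpRequest req,
        ILogger log)
    {
        // Option 1: Key Vault reference in App settings, no Key Vault code needed.
        string clientId = GetSetting("ClientId");

        // Option 2: call Key Vault directly using the Function App's identity.
        // "KeyVaultUri" and the secret name "CertificateThumbPrint" are assumptions.
        var client = new SecretClient(new Uri(GetSetting("KeyVaultUri")), new DefaultAzureCredential());
        KeyVaultSecret thumbprint = await client.GetSecretAsync("CertificateThumbPrint");

        // Log only non-sensitive facts, never the secret values themselves.
        log.LogInformation("Loaded ClientId ({Length} chars) and secret version {Version}.",
            clientId.Length, thumbprint.Properties.Version);
        return new OkObjectResult("Settings loaded.");
    }
}
```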