2

We are using Azure WebJobs for various tasks. Dev, Test, Demo and Prod are each on separate Azure subscriptions. We have a Config Management team that controls/locks down access to everything but Dev. They do not want developers being able to view passwords, connection strings, etc. on these environments. The problem we have is that for troubleshooting purposes, we need to be able to see certain things in those environments. Even if we cannot see everything, it would be nice to be able to see the names of the appsettings or the connection string value with the password removed. It would also be helpful to have access to Kudu to see WebJob logs and such, and also to see into the Service Bus to see dead-letter messages on the queue.

90% of what we need to troubleshoot issues, they don't mind us seeing. The problem we are having is that neither Config Management nor we developers have figured out a way for us to have the right permissions in Azure.

Does anyone know how we could set things up so devs can see more things in our Azure Test Subscription without violating policies to not show us passwords, connection strings, etc.?

Thanks so much!

Dan Csharpster

2 Answers

1

There's no "good" way to solve this. The appsettings, Kudu, and WebJobs dashboard are all administrative-level things. Access to one could conceivably give you access to others. For example, the dashboard will show you function arguments, which may contain secrets. AppSettings will have connection strings. Etc. WebJobs doesn't provide any sort of middle ground of filtering.

Mike S
  • Yeah, so the solution we've come up with is to create a PowerShell script with admin rights that will sanitize the settings and then dump them to blob storage, where developers can review them. – Dan Csharpster Nov 20 '16 at 17:58
0

So using our limited access to Azure Table Services, I wrote a component that, on WebJob startup, iterates over the appSettings and connectionStrings in ConfigurationManager, strips out passwords and access keys, then outputs them as a JSON file into blob storage. That way our team leads will be able to view 95% of the data we need to verify.

Dan Csharpster
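The sanitizing step described in the answer above, as an added example that is not the poster's own component. It assumes .NET 6 or later; the key allowlist, the name hints and the sample settings are constructed, and it masks every connection-string key that is not on the allowlist rather than only known secret keys. The upload to blob storage is left out.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;

static class SettingsSanitizer
{
    // Assumption: connection-string keys safe to show; any other key has its value masked.
    static readonly HashSet<string> SafeKeys = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    { "Server", "Data Source", "Database", "Initial Catalog", "User ID", "Endpoint",
      "SharedAccessKeyName", "EntityPath", "DefaultEndpointsProtocol", "AccountName" };
    // Assumption: an app setting whose name contains one of these words holds a secret.
    static readonly string[] SecretHints = { "password", "pwd", "secret", "key", "token" };
    public static string SanitizeConnectionString(string raw)
    {
        // Quoted values may hide ';' or '=' and defeat the split below, so mask the whole string.
        if (raw.IndexOfAny(new[] { '"', '\'' }) >= 0) return "***";
        var parts = raw.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries).Select(segment =>
        {
            int eq = segment.IndexOf('=');
            if (eq <= 0) return "***"; // not a key=value pair: mask it
            string key = segment.Substring(0, eq).Trim();
            return SafeKeys.Contains(key) ? segment.Trim() : key + "=***";
        });
        return string.Join(";", parts);
    }

    public static string SanitizeAppSetting(string name, string value)
    {
        if (SecretHints.Any(h => name.IndexOf(h, StringComparison.OrdinalIgnoreCase) >= 0)) return "***";
        // A value that looks like a connection string is sanitized key by key.
        return value.Contains("=") && value.Contains(";") ? SanitizeConnectionString(value) : value;
    }

    static void Main()
    {
        // Constructed samples standing in for ConfigurationManager.AppSettings and ConnectionStrings.
        var appSettings = new Dictionary<string, string> {
            ["QueueName"] = "orders",
            ["ApiKey"] = "constructed-value",
            ["ServiceBusConnection"] = "Endpoint=sb://example.servicebus.windows.net/;SharedAccessKeyName=reader;SharedAccessKey=constructed" };
        var connectionStrings = new Dictionary<string, string> {
            ["Db"] = "Server=tcp:example.database.windows.net;Database=app;User ID=svc;Password=constructed" };
        var report = new {
            appSettings = appSettings.ToDictionary(kv => kv.Key, kv => SanitizeAppSetting(kv.Key, kv.Value)),
            connectionStrings = connectionStrings.ToDictionary(kv => kv.Key, kv => SanitizeConnectionString(kv.Value)) };
        Console.WriteLine(JsonSerializer.Serialize(report, new JsonSerializerOptions { WriteIndented = true }));
    }
}
```

An app setting passes through unmasked when its name carries none of the hints and its value is not shaped like a connection string, so the hint list has to match the team's naming conventions before the output is shared.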