
I have successfully integrated a secret in an httptrigger. I need to retrieve and parse the secret in Python code.

The following piece of code returns the vault id and not the secret.

  1. How do I get it to output the secret value?
  2. Can the same be done for a queuetrigger?

Httptrigger

import logging
import os
import azure.functions as func


def main(req: func.HttpRequest) -> func.HttpResponse:
    logging.info('Python HTTP trigger function processed a request.')

    # "testkeyvault" is the app setting that carries the Key Vault reference
    # (see local.settings.json below)
    test = os.environ["testkeyvault"]
    return func.HttpResponse(
        "This" + test,
        status_code=200
    )

local.settings.json

{
  "IsEncrypted": false,
  "Values": {
    "AzureWebJobsStorage": "",
    "FUNCTIONS_WORKER_RUNTIME": "python",
    "testkeyvault": "@Microsoft.KeyVault(SecretUri=https://jjjjj.vault.azure.net/secrets/AzureAuthUrl/xxxxxx)"
  }
}

function.json

{
  "scriptFile": "__init__.py",
  "bindings": [
    {
      "authLevel": "anonymous",
      "type": "httpTrigger",
      "direction": "in",
      "name": "req",
      "methods": [
        "get",
        "post"
      ]
    },
    {
      "type": "http",
      "direction": "out",
      "name": "$return"
    }
  ]
}
wwnde

2 Answers


For this problem, I tested it on my side. You just need to deploy your function to Azure, then it will work fine. If you run your function locally, it can't get the key vault.

After you deploy the function to Azure, you also need to add it to the application settings of your function app.

Also do not forget to enable the "Identity" of your function app.

And then add an access policy in the key vault to allow your function to access the key vault.


By the way, it seems all of your steps are correct. So please note that all of the steps above will get the value of the secret stored in my key vault, as shown in the screenshot. So please check if you misunderstood the feature of getting a key vault secret in an Azure function.

Hury Shen
  • The end game here is to parse the secret as a password to sign into a portal. The following works well if I am getting the secret from keyvault conventionally (if not integrated in a function); `test= secret_client.get_secret("TestSecret") \n gis = GIS("https://fghy.com", "yyyy", test)`. If integrated within the function as you have shown above, how do I extract `test` as a `string` to parse into the portal? – wwnde Nov 30 '20 at 07:35
  • do you have a minute? – wwnde Dec 01 '20 at 00:58
  • @wwnde Sorry for the delay, I have something else on hand but I will do some research on it later. – Hury Shen Dec 01 '20 at 01:09
  • that will highly be appreciated. I need to retrieve and use the key within the function and not to have the secret output at the very end. Happy to change to another trigger type if needed. From the following link, I got an impression functions are integrated with vault to make it easy to retrieve and use within function `https://azure.microsoft.com/en-au/updates/azure-functions-key-vault-integration/` – wwnde Dec 01 '20 at 01:25
  • Hi @wwnde After reviewing your comments with Bowman, I'm a little confused about your question. If you want to get the string value from `return func.HttpResponse....`, I think Bowman has provided you a [solution](https://i.stack.imgur.com/uTPhb.png). If you want to get the secret in your function again, you can do it easily by another `os.environ["testkeyvault"]`. So what's your requirement? If neither of the two is what you need, could you please create another post and provide more details of your requirement? – Hury Shen Dec 01 '20 at 07:38
  • Could we have a chat? Maybe between us a solution can be found. Three days and still stuck – wwnde Dec 03 '20 at 02:28
  • @wwnde Yes, but I need to know your requirement. As I mentioned in last comment, I'm confused about your requirement because it seems your requirement has been implemented already. – Hury Shen Dec 03 '20 at 02:37
  • @wwnde Could you please create another new post and describe in detail what you want to implement? – Hury Shen Dec 03 '20 at 02:39
  • Maybe I just did not present it as required. What I need is to create a function which acquires a key vault secret, uses the key vault secret to log into a portal, acquires some data and posts that data into the http trigger body. I am happy to post a new question if you can help – wwnde Dec 03 '20 at 02:40
  • Sure will post question and alert you – wwnde Dec 03 '20 at 02:44
  • From what is discussed above, is it achievable? – wwnde Dec 03 '20 at 02:44
  • @wwnde I think it is achievable, but I still want to know more details of your problem. And if I can't solve the problem, maybe other communities on Stack Overflow will help you with your new post. – Hury Shen Dec 03 '20 at 02:49
  • https://stackoverflow.com/questions/65119379/acquire-keyvault-secret-within-a-httptrigger-and-use-it-to-acquire-info-to-be-ou – wwnde Dec 03 '20 at 03:15
  • @wwnde Ok, I will check. – Hury Shen Dec 03 '20 at 03:27
  • will appreciate – wwnde Dec 03 '20 at 03:38
  • I have a queue trigger that deposits a message to another queue. It works except the message is not deposited to the out queue. I know the function works because it does what I need it to do. It writes onto GIS portals and I can see that. Do you have any bindings of queue trigger to queue? – wwnde Dec 22 '20 at 07:10

How do I get it to output the secret value?

1. Create a secret, set the value, and get the 'secret identifier'; set this @Microsoft.KeyVault(SecretUri=<secret identifier>) in the settings of your function app.

2. Create a function app identity, and give the function identity the corresponding access policy on the key vault.

Can the same be done for a queuetrigger?

Yes, you can. Basically you can get it from the environment variable as you do in the httptrigger. The value stored in the configuration of the function app will be read as an in-app environment variable. If there is a keystore reference, as long as the reference is successful, the secret will be returned. Otherwise, the original url will be returned.

Cindy Pau
  • How do I modify `return func.HttpResponse(test)` to give me a string variable, say `k`, which I can parse on in the code? Tried `k=return func.HttpResponse(json.dumps(test))` but it just didn't work. Sorry, not so familiar with the request module – wwnde Nov 30 '20 at 06:25
  • @wwnde please wait. – Cindy Pau Nov 30 '20 at 06:27
  • @wwnde You want to return a string? – Cindy Pau Nov 30 '20 at 06:34
  • Yes, so that the string is input as password to a portal – wwnde Nov 30 '20 at 06:35
  • @wwnde Where are you going to do the processing? Is it OK to get the response body from the response? – Cindy Pau Nov 30 '20 at 06:39
  • I can get it from the response. It will be a short process within the function itself – wwnde Nov 30 '20 at 06:42
  • @wwnde Since you can get it, what do you mean 'It will be a short process within the function itself'? – Cindy Pau Nov 30 '20 at 06:46
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/225303/discussion-between-wwnde-and-bowman-zhu). – wwnde Nov 30 '20 at 06:46
  • The end game here is to parse the secret as a password to sign into a portal. The following works well if I am getting the secret from keyvault conventionally (if not integrated in a function); `test= secret_client.get_secret("TestSecret") \n gis = GIS("https://fghy.com", "yyyy", test)`. If integrated within the function as you have shown above, how do I extract `test` as a `string` to parse into the portal? – wwnde Nov 30 '20 at 07:35
  • Got a minute to spare? – wwnde Dec 02 '20 at 04:14
  • do you have a minute? Happy to post question if needed – wwnde Dec 22 '20 at 07:05
  • @wwnde Yes, I have.:) – Cindy Pau Dec 22 '20 at 07:06
  • Opened a chat room, are you willing to join? – wwnde Dec 22 '20 at 07:16
  • @wwnde Hi, so what is your question?:) – Cindy Pau Dec 22 '20 at 07:16
  • I have a queue trigger that deposits a message to another queue. It works except the message is not deposited to the out queue. I know the function works because it does what I need it to do. It writes onto GIS portals and I can see that. Do you have any bindings of queue trigger to queue? – wwnde Dec 22 '20 at 07:17
  • still there or left? – wwnde Dec 22 '20 at 07:20
  • @wwnde Try to know how to create a chat room. :) This is the room I created: https://chat.stackoverflow.com/rooms/226272/2020-12-22 – Cindy Pau Dec 22 '20 at 07:21
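The second answer's last point (an unresolved reference comes back as the literal `@Microsoft.KeyVault(...)` string, a resolved one as the secret) and the question's wish to use the value inside the function are the two cases that matter in practice. The following is an added example, not code from the question or either answer: it reads the `testkeyvault` setting the way both an HTTP trigger and a queue trigger would (plain `os.environ`), refuses to treat an unresolved reference as the password, and keeps the secret inside the function instead of echoing it in the response. `handle` and `login` are hypothetical stand-ins for the trigger body and the portal sign-in; the sample environments are constructed.

```python
import os
import re
from typing import Callable, Mapping, Optional, Tuple

# An app setting the platform did NOT resolve still carries the reference
# syntax seen in local.settings.json above (SecretUri or VaultName;SecretName form).
_KV_REF = re.compile(r"^@Microsoft\.KeyVault\(.*\)$")


class SecretUnavailable(RuntimeError):
    """The setting is missing, or the Key Vault reference was not resolved."""


def is_unresolved_reference(value: str) -> bool:
    """True when the value is still the reference string rather than the secret."""
    return _KV_REF.match(value.strip()) is not None


def get_secret_setting(name: str, environ: Optional[Mapping[str, str]] = None) -> str:
    """Read a secret-bearing app setting; fail closed instead of returning the reference."""
    env = os.environ if environ is None else environ
    value = env.get(name)
    if value is None:
        raise SecretUnavailable(f"app setting {name!r} is not set")
    if is_unresolved_reference(value):
        # Typical causes: running locally, no managed identity on the function app,
        # or the identity has no 'get' permission on secrets in the vault.
        raise SecretUnavailable(f"app setting {name!r} is an unresolved Key Vault reference")
    return value


def handle(environ: Mapping[str, str], login: Callable[[str], None]) -> Tuple[int, str]:
    """Hypothetical trigger body (HTTP or queue): use the secret, never return it.

    `login` stands in for the portal sign-in, e.g. GIS(url, user, password) in the question.
    """
    try:
        password = get_secret_setting("testkeyvault", environ)
    except SecretUnavailable as exc:
        return 500, str(exc)  # neither the reference nor a secret leaves the function
    login(password)
    return 200, "signed in"


# Constructed sample environments: what Azure injects once the reference resolves,
# and what local.settings.json yields when it does not.
RESOLVED = {"testkeyvault": "constructed-secret-value"}
UNRESOLVED = {"testkeyvault": "@Microsoft.KeyVault(SecretUri=https://jjjjj.vault.azure.net/secrets/AzureAuthUrl/xxxxxx)"}
```

In the real trigger, `main` would call `status, body = handle(os.environ, login)` and return `func.HttpResponse(body, status_code=status)`, so the value from `os.environ` is used as the password and never written into the response body.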