Is it possible to access all the secrets of an Azure Key Vault in an Azure Function App using C#?
-
Please read [ask] and explain in more detail what you need and what you tried – Elikill58 Nov 29 '21 at 13:59
-
Secrets are key-value pairs. You can't just read all the secrets. – Liam Nov 29 '21 at 14:02
-
How to access each [secret is pretty well documented](https://learn.microsoft.com/en-us/dotnet/api/overview/azure/security.keyvault.keys-readme) – Liam Nov 29 '21 at 14:02
-
Have you checked this? https://stackoverflow.com/questions/58384094/access-azure-key-vault-secret-in-azure-function – SwethaKandikonda Nov 30 '21 at 07:56
1 Answer
I tried to reproduce the issue:
- Created a Function App in the Azure Portal and an HTTP Trigger Function inside it through the portal itself.
- Created a Key Vault resource and a Secret through the Azure Portal. Copy your Key Vault Secret Identifier into any text editor.
- In the same text editor, copy this setting:
@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/)
- Replace the SecretUri with your copied Key Vault Secret Identifier value from the Key Vault resource.
- In the Function App > Configuration (Settings in the left index pane), add the secret identifier setting in Application Settings like below:
- Go to your Function App > Identity (under the Settings pane) > switch the System Assigned Managed Identity status to On and Save.
- Go to your Key Vault resource > Access Policies (under the Settings pane) > Add New Access Policy:
  - Configure from template: Key & Secret Management
  - Key Permissions: Select/Deselect (Optional)
  - Secret Permissions: Select the permissions required, like Get...
  - Certificate Permissions: Select/Deselect (Optional)
  - Select Principal: Authorize your function app to access this key vault
- Go to your Function App > Functions (select your Function) > click on the Code + Test option > add these two lines to the `run.csx` file:
```csharp
var secretValue = Environment.GetEnvironmentVariable("kvsecret", EnvironmentVariableTarget.Process);
log.LogInformation($"SecretValue from kvsecret in krishkeyvault02 : {secretValue}");
```
Here `kvsecret` is your key vault secret name. Click on Save and Test/Run, where I provided the body `name` parameter as Krishna.
Test Output:
Run.csx code:
```csharp
#r "Newtonsoft.Json"

using System.Net;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Primitives;
using Newtonsoft.Json;

public static async Task<IActionResult> Run(HttpRequest req, ILogger log)
{
    log.LogInformation("C# HTTP trigger function processed a request.");

    // The app setting "kvsecret" holds a Key Vault reference; the platform resolves it
    // with the function's managed identity and exposes the secret as an environment variable.
    var secretValue = Environment.GetEnvironmentVariable("kvsecret", EnvironmentVariableTarget.Process);
    log.LogInformation($"SecretValue from kvsecret in krishkeyvault02 : {secretValue}");

    string name = req.Query["name"];

    string requestBody = await new StreamReader(req.Body).ReadToEndAsync();
    dynamic data = JsonConvert.DeserializeObject(requestBody);
    name = name ?? data?.name;

    string responseMessage = string.IsNullOrEmpty(name)
        ? "This HTTP triggered function executed successfully. Pass a name in the query string or in the request body for a personalized response."
        : $"Hello, {name}. This HTTP triggered function executed successfully.";

    return new OkObjectResult(responseMessage);
}
```
Note:
Looking at the documentation, the `KeyVaultClient` class doesn't contain a method to get all secrets including their values. The `GetSecrets` method 'Lists secrets in a specified key vault' and returns a list with items of type `SecretItem`, which doesn't contain the value but only contains secret metadata.
This is in line with the Key Vault REST API, where there's a GetSecrets that returns... a list of SecretItems.
I guess, if you want all values of all secrets, you have to iterate the list and get every one explicitly.
There are a few code snippets available to retrieve secret values, provided by other community members; please refer to this SO thread.
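The "iterate the list and get every one explicitly" approach from the note above, written out as an added example that is not part of the original answer. It uses the current `Azure.Security.KeyVault.Secrets` and `Azure.Identity` packages rather than the older `KeyVaultClient`, and assumes the function's system-assigned managed identity (enabled in the steps above) has been granted both the `List` and the `Get` secret permissions on the vault; the vault URI and the class/method names are placeholders of this example.

```csharp
// Added example (not the original answer's code). Assumes the NuGet packages
// Azure.Identity and Azure.Security.KeyVault.Secrets are referenced.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class KeyVaultSecretReader
{
    // Returns every enabled secret in the vault as name -> latest value.
    // vaultUri example: new Uri("https://myvault.vault.azure.net/")  (placeholder vault name)
    public static async Task<Dictionary<string, string>> ReadAllSecretsAsync(Uri vaultUri)
    {
        // DefaultAzureCredential picks up the managed identity inside the Function App
        // and a developer login (az login / Visual Studio) when run locally.
        var client = new SecretClient(vaultUri, new DefaultAzureCredential());
        var result = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);

        // Step 1: enumerate metadata only. This is the REST "GetSecrets" call the note
        // describes; it never returns values and requires the "List" secret permission.
        await foreach (SecretProperties props in client.GetPropertiesOfSecretsAsync())
        {
            // Disabled secrets cannot be read; the service rejects GetSecret on them,
            // so skip them instead of failing the whole enumeration.
            if (props.Enabled == false)
            {
                continue;
            }

            // Step 2: one GetSecret call per name (latest version) to obtain the value.
            // This is the part that needs the "Get" secret permission.
            KeyVaultSecret secret = await client.GetSecretAsync(props.Name);
            result[props.Name] = secret.Value;
        }

        return result;
    }
}
```

Two practical points: enumerating a vault is a distinct permission from reading a value, so an identity granted only `Get` (as in the access-policy step above) will fail on the listing call with a 403, which is a useful signal to check first when this fails inside a Function App; and the example deliberately never logs the secret values, since anything written through `log.LogInformation` ends up in Application Insights and the portal log stream.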