TLDR

Can I automatically retrieve values from App Configuration through the Function App Configuration variables section, similar to AWS retrieving App Config/Secret values?


I come from an AWS background and one thing I am used to doing is storing my sensitive information in App Config/Secrets Manager and then directly referencing the sensitive info in the lambda environment variables.

I've been looking for a way to replicate this in Azure and I've been struggling as everything I've found so far seems to want me to change my application code to get the data from App Configuration when all I want to do is update my terraform configuration.

The closest I thought I'd gotten was this documentation since it says

Use App Configuration references for App Service and Azure Functions (preview)

and the format looks like something you could store as a value in the function app's ENV var configuration section, but when I attempted to do this, I got an error because of invalid characters. Now I'm thinking that the docs I referenced above are also just another way to change my application code to reference this new location.

I'm probably missing something obvious here so I was hoping someone could point me in the right direction because I do not want to have to change dotnet code to do something as simple as

- dotnet code references 'ENV_VAR'
- Function App configuration blade has key 'ENV_VAR' w/ a value of something like APP_CONFIG(KEY)
- Value automatically retrieved from App Configuration and used in code

What I would like to avoid

- dotnet code changed to reference App Configuration
- when app runs it bypasses function app configuration and gets directly from app config

The reason I would like to avoid this is

  1. There's no reason I should have to update application code when the end result that I need is to use an ENV variable and

  2. there are some ENV variables that are required by Azure for a function app to work and they contain things like the storage API Key, which I'd prefer to keep in a centralized location that I can have more restrictive access policies for

EDIT

I received this error when it attempted to retrieve the value

The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.

and

The request authorization key is not authorized for DEV-MyACCT-TEST.EASTUS-1.EVENTGRID.AZURE.NET. This is due to the reason: The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters

EDIT 2

I verified that it's not attempting to get the secret from App Configuration at all. Here are screenshots of what the environment variable is in the function and how I have it stored in App Configuration

Returned ENV variable in response of request:

{
    "message": "(Id: asdfasdfasdf) Env Var: @Microsoft.AppConfiguration(Endpoint=https://<my app config name>.azconfig.io; Key=EventGrid:Key:EVENTGRID_KEY)"
}

Jake Boomgaarden
  • You have the right documentation that would help you reference key-values from App Configuration without changing any code. Do your AppConfig keys/labels have any special characters that might be throwing the invalid character error? – Avani Gupta Oct 03 '22 at 18:43
  • I updated the issue w/ the error that I had gotten, the key itself is EventGrid:MyKey:EVENTGRID_KEY – Jake Boomgaarden Oct 03 '22 at 21:28
  • Based on the error I am receiving, I'm wondering if the issue isn't the value stored in app configuration, but actually the permissions set up on the function app. – Jake Boomgaarden Oct 03 '22 at 21:45
  • Just to confirm - you are storing Event Grid Access Key as the value of 'EventGrid:MyKey:EVENTGRID_KEY' key in AppConfig, correct? It looks like this error is coming from Event Grid, which means that the AppConfig reference was successfully resolved. However, when you try to use that value from AppConfig, you're hitting this issue. I found a similar issue being discussed here: https://learn.microsoft.com/en-us/answers/questions/52017/authentication-fails-to-event-grid-topic-even-thou.html Can you confirm if your access keys were correctly copied before saving them in AppConfig? – Avani Gupta Oct 03 '22 at 22:55
  • Yeah, it has been correctly copied. Terraform is managing all of the key relationships so unless I manually click to rotate them they'll be in sync. I double checked though to be safe and was able to confirm that it is set correctly – Jake Boomgaarden Oct 04 '22 at 07:16
  • I was able to confirm that it's not doing anything w/ the environment variable and it's just returning @Microsoft.AppConfiguration(Endpoint=;Key=EventGrid:MyKey:EVENTGRID_KEY;)" – Jake Boomgaarden Oct 04 '22 at 08:00
  • I updated the question w/ my function app configuration line that's supposed to connect to app configuration as well as the response showing the ENV variable – Jake Boomgaarden Oct 04 '22 at 08:24
  • Figured it out, going to write an answer, was just something I missed – Jake Boomgaarden Oct 04 '22 at 09:34

1 Answer

The issue was that while my Function App did have a user assigned managed identity which gave it permission to read the App Configuration, and I did have the App Configuration as the target, I did not fully understand how permissions work in Azure, specifically that granting access to a resource w/ a specific Role and then assigning that UAMI to a Function App is not enough to actually give it permission. I needed to do one more step which was to update a parameter for the Key Vault, because even though I'm not using Key Vault, that is the parameter which uses the managed identity.

Additionally, Terraform's documentation hasn't been updated yet to indicate that you'd put the ID used for app configuration in the key vault ID section.

The last thing which threw me off is that instead of giving an error letting me know I didn't have access to App Configuration when attempting to access it, it seems it just didn't even try. It turns out that the reason for that was because I had an extra ; at the end of the string before the parenthesis and instead of throwing an error, it just treated it like a plain string and didn't attempt to connect to App Configuration.

Jake Boomgaarden
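
The setup the answer describes, sketched in Terraform as an added example (not the poster's configuration and not taken from the provider documentation). All resource names are hypothetical; a Linux function app, the `App Configuration Data Reader` role, and a resource group, service plan, storage account and App Configuration store declared elsewhere as `example` are assumptions.

```hcl
# Added example: resource names are hypothetical. The resource group, service plan,
# storage account and App Configuration store ("example") are assumed to exist.
resource "azurerm_user_assigned_identity" "func" {
  name                = "example-func-identity"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

# Data-plane read access on the store for the identity (role choice is an assumption).
resource "azurerm_role_assignment" "appconfig_reader" {
  scope                = azurerm_app_configuration.example.id
  role_definition_name = "App Configuration Data Reader"
  principal_id         = azurerm_user_assigned_identity.func.principal_id
}

locals {
  # No ';' after the last pair: the answer found that a trailing ';' made the
  # platform hand the whole value to the app as a plain string.
  eventgrid_key_ref = format(
    "@Microsoft.AppConfiguration(Endpoint=%s; Key=%s)",
    azurerm_app_configuration.example.endpoint,
    "EventGrid:Key:EVENTGRID_KEY",
  )
}

resource "azurerm_linux_function_app" "example" {
  name                       = "example-func"
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  service_plan_id            = azurerm_service_plan.example.id
  storage_account_name       = azurerm_storage_account.example.name
  storage_account_access_key = azurerm_storage_account.example.primary_access_key
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.func.id]
  }
  # Despite the name, this identity is also used for App Configuration references.
  key_vault_reference_identity_id = azurerm_user_assigned_identity.func.id
  app_settings                    = { ENV_VAR = local.eventgrid_key_ref }
  site_config {}

  lifecycle {
    precondition {
      condition     = !can(regex(";\\s*\\)$", local.eventgrid_key_ref))
      error_message = "App Configuration reference must not have ';' before ')'."
    }
  }
}
```

The `precondition` makes `terraform plan` fail on the trailing-semicolon form instead of letting the literal reference string reach the app at runtime.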