I’m developing an Azure WebJob with Visual Studio 2019, with Microsoft.NETCore.App v5.0.0 framework. I need to read values from configuration, but I don’t understand where I should put them to finally overwrite them in the Azure WebJob’s page in the Azure portal. So far, I’ve created the following appsettings.json:
{
"ConnectionStrings": {
"AzureWebJobsStorage": "..."
},
"firstValue": "...",
"secondValue": "..."
}
The following public method
public static async Task Example(
[BlobTrigger("%firstValue%/{blobName}")] Stream blobReceived
[Blob("%secondValue%/{blobName}", FileAccess.Write)] Stream blobToWrite,
ILogger logger)
Correctly reads the values of firstValue and secondValue from appsettings.json. That said, I see other projects that use app.config files, whose values are then retrieved with something like:
ConfigurationManager.AppSettings["..."];
ConfigurationManager.ConnectionStrings["..."].ConnectionString;
Should I use app.config instead of appsettings.json? How do I read values I put in the appsettings.json file when we speak about Azure WebJobs?
You cannot access the app settings from Azure WebJobs directly, but you could consider using rest API to access the AppSettings in the Azure portal.
Actually, WebJobs are console app, which uses the environment variables stored in the system, which is different from the AppSettings in the Azure portal. AppSettings stored in IIS can only be invoked from this specific web app.
Related
Everything is working locally still using storage in Azure. The local settings file to load the IOptions are:
"StorageOptions": {
"ConnectionString": "...xxx..."
}
The static web app is hitting the API and getting a 500 error due to not being able to load the connection string settings from the application settings. Other API calls that do not use Azure storage are working as expected.
I am unable to save the static web app settings in the normal manner of StorageOptions:ConnectionString with the specified value.
Can API settings for Azure static web apps use the IOptions pattern? If yes, how should the application settings be added in Azure to load the IOptions properly?
The static web app is hitting the API and getting a 500 error due to not being able to load the connection string settings from the application settings.
Application settings for the static web app does not allow for ":" in the setting name. So, instead of using "StorageOptions:ConnectionString" it would be "StorageOptions__ConnectionString" for the hierarchical data binding.
Noted here in step 4 of "Configure app settings": https://learn.microsoft.com/en-us/azure/app-service/configure-common?tabs=portal
If yes, how should the application settings be added in Azure to load the IOptions properly?
I found an issue in the SO 70461295 where user #HariKrishna and #GaryChan given that the Application Settings are available only for the Azure Static Web App associated backend APIs.
If using dependency injection for configuring the application settings through Azure Static Web Apps - Azure Functions Context, then Option pattern is available which is returned when the functionality is required.
Your given format of Application Settings:
"StorageOptions": {
"ConnectionString": "...xxx..."
}
Then, you have to configure inside the Startup.Configure method such as:
builder.Services.AddOptions<StorageOptions>()
.Configure<IConfiguration>((settings, configuration) =>
{
configuration.GetSection("StorageOptions").Bind(settings):
});
Updated Answer:
As #BretOoten mentioned that the hierarchical data binding in azure static web apps configuration is possible with double underscore (__), even in the azure functions the nested objects/configuration from local.settings.json file is called with the double underscore (__) as mentioned in this MS Doc.
For example:
"WebApp1": {
"Storage1": {
"ConnString": value
}
}
configuration will be like:
WebApp1__Storage1__ConnString
I created an Azure function using Visual Studio. Local.setting.json file had following properties:
{
"IsEncrypted": false,
"Values": {
"AzureWebJobsStorage": "UseDevelopmentStorage=true",
"FUNCTIONS_WORKER_RUNTIME": "dotnet",
"ServiceBusConnString": "Endpoint=sb://sb-new-two.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=9FygKPHH2eJVp3GmAiUxtT7sGnddsaddadNIrciM0=",
"Test": "sb-new-two.servicebus.windows.net"
}
}
This is how my function looks:
[FunctionName("Function1")]
public void Run([ServiceBusTrigger("topic-one", "sub-one", Connection = "ServiceBusConnString")] string mySbMsg)
{
_logger.LogInformation("Processing message");
_logger.LogInformation($"Message : {mySbMsg}");
Console.WriteLine(mySbMsg);
}
After deploying the azure function, I do not see the test property. I am not using it in my code. But wondering why is this property missing?
Check in your .gitignore file if it includes the local.settings.json. Better yet add the value of your Test config manually in the Configuration section of your Azure function. Go to your function app in Azure, under Settings > Configuration > New Application setting, then add your Test config.
One of the workarounds to publish the app settings from local.settings.json to the Azure Portal Function App Configuration is:
Before publishing the function project to the Azure Portal, below is the configuration of my Function App:
Azure Functions Core Tools cmdlet:
func azure functionapp publish KrishSbFunApp01 --publish-local-settings -i
Before running this cmdlet, you have to change the value of AzureWebJobsStorage to the Azure Storage account connection string.
Also, you can overwrite the app settings by using the parameter --overwrite-settings -y, available in MS Doc Source.
I have so far used the appsettings.{environment}.json files to keep application level configuration settings. Now I encounter this tab in Azure Portal for an App Service.
What is the difference between using the appsettings.json files and "Application Settings" Tab in the Azure Portal? And which one to use When?
difference between using the appsettings.json files and "Application Settings" Tab in the Azure Portal? And which one to use When?
If you are using more than one environment like Production, Staging and Development for your application. You need specific Environment appsettings i.e., appsettings.{environment}.json.
Or if you don't want to use any specific environment. In this case you are using only production (Default) Environment you can use appsettings.json file.
Few reasons to use Azure Application Settings -
1st - Let's assume that in order to avoid leaking configurations in appsettings.json, you aren't committing it to your repo. But you also deploy your web app on Azure AppServices. In this situation Application Settings tab can help you to configure your configurations directly and then Azure will auto create appsettings.json by reading those values.
2nd - This time we are committing appsettings.json and deployed web app on Azure. We also have a property as
{
"Users": {
"CanAccessApp": [ "abc#gmail.com", "test#gmail.com" ],
"CanAccessHangfire": [ "abc#gmail.com", "test#gmail.com" ],
"CanAccessLog": [ "abc#gmail.com", "test#gmail.com" ]
}
}
Now, I also want one more user to be able to access logs. How you will do it? Generally, update in your appsettings.json and redeploy.
Or you can create similar property in Application Settings by
Users:CanAccessLog:0 -> vic#gmail.com
Users:CanAccessLog:1 -> abc#gmail.com
Users:CanAccessLog:2 -> test#gmail.com
and so on where 0,1,2 are indexes of the array (Azure style). This one will help us to test quickly without redeploying or modifying appsettings.json.
I was wondering if it's possible to initialize the queue trigger or even the blob trigger off a connection string that is read from azure vault.
Right now, we have to set these data connection via environment settings via blade properties. However, I wanted to just use the service principal to retrieve the token for the azure key vault to get all these connection strings.
I'm trying to figure how to get this working in java.
Thanks,
Derek
This feature is tracked and in progress here:
Feature request: retrieve Azure Functions' secrets from Key Vault
Add binding to Key Vault
EDIT 28/11/2018: It is currently in preview
Simplifying security for serverless and web apps with Azure Functions and App Service
Former answer 07/10/2018
This solution won't work for Triggers using the consumption plan.
In the mean time I did some research about your problem and it is possible to read config from key vault if you use Azure Function v2.
I've created an Azure Functions v2 (.NET Standard) from Visual Studio.
It uses:
NETStandard.Library v2.0.3
Microsoft.NET.Sdk.Functions v1.0.22
Microsoft.Azure.WebJobs v3.0.0
Microsoft.Azure.WebJobs.Extensions.Storage v3.0.0
Because Azure Functions v2 uses ASP.NET core, I was able to reference this link to configure my functions app to use Azure Key Vault:
Azure Key Vault configuration provider in ASP.NET Core
I've added this nuget package:
Microsoft.Extensions.Configuration.AzureKeyVault
I've configured my app to use this nuget package:
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using System.Linq;
[assembly: WebJobsStartup(typeof(FunctionApp1.WebJobsExtensionStartup), "A Web Jobs Extension Sample")]
namespace FunctionApp1
{
public class WebJobsExtensionStartup : IWebJobsStartup
{
public void Configure(IWebJobsBuilder builder)
{
// Get the existing configuration
var serviceProvider = builder.Services.BuildServiceProvider();
var existingConfig = serviceProvider.GetRequiredService<IConfiguration>();
// Create a new config based on the existing one and add kv
var configuration = new ConfigurationBuilder()
.AddConfiguration(existingConfig)
.AddAzureKeyVault($"https://{existingConfig["keyVaultName"]}.vault.azure.net/")
.Build();
// replace the existing configuration
builder.Services
.Replace(ServiceDescriptor.Singleton(typeof(IConfiguration), configuration));
}
}
}
My Azure functions uses MSI:
I've granted Read/List secrets permissions to the function app on my key vault:
I have a small queue triggered function:
public static class Function2
{
[FunctionName("Function2")]
public static void Run([QueueTrigger("%queueName%", Connection = "queueConnectionString")]string myQueueItem, ILogger log)
{
log.LogInformation($"C# Queue trigger function processed: {myQueueItem}");
}
}
The queueName is defined in the local.settings.json file (App settings blade once deployed):
{
"IsEncrypted": false,
"Values": {
"AzureWebJobsStorage": "UseDevelopmentStorage=true",
"FUNCTIONS_WORKER_RUNTIME": "dotnet",
"keyVaultName": "thomastestkv",
"queueName": "myqueue"
}
}
The queueConnectionString is configured in my keyvault:
Sourcing Application Settings from Key Vault
The Key Vault references feature makes it so that your app can work as if it were using App Settings as they have been, meaning no code changes are required. You can get all of the details from our Key Vault reference documentation, but I’ll outline the basics here.
This feature requires a system-assigned managed identity for your app. Later in this post I’ll be talking about user-assigned identities, but we’re keeping these previews separate for now.
You’ll then need to configure an access policy on your Key Vault which gives your application the GET permission for secrets. Learn how to configure an access policy.
Lastly, set the value of any application setting to a reference of the following format:
#Microsoft.KeyVault(SecretUri=secret_uri_with_version)
Where secret_uri_with_version is the full URI for a secret in Key Vault. For example, this would be something like: https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931
That’s it! No changes to your code required!
For this initial preview, you need to explicitly set a secret version, as we don’t yet have built-in rotation handling. This is something we look forward to making available as soon as we can.
User-assigned managed identities (public preview)
Our existing support for managed identities is called system-assigned. The idea is that the identity is created by the platform for a specific application and is tied to the lifecycle of the application. If you delete the application, the identity is removed from Azure Active Directory immediately.
Today we’re previewing user-assigned identities, which are created as their own Azure resource and then assigned to a given application. A user-assigned identity can also be assigned to multiple applications, and an application can have multiple user-assigned identities.
more details check this
Update
This is now GA
This was just released as preview a couple days ago.
This feature requires a system-assigned managed identity for your app. Later in this post I’ll be talking about user-assigned identities, but we’re keeping these previews separate for now.
You’ll then need to configure an access policy on your Key Vault which gives your application the GET permission for secrets. Learn how to configure an access policy.
Lastly, set the value of any application setting to a reference of the following format:
#Microsoft.KeyVault(SecretUri=secret_uri_with_version)
Where secret_uri_with_version is the full URI for a secret in Key Vault. For example, this would be something like: https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931
Using Keyvault integration within the function runtime
I just implemented it in Java following below two references.
https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references
https://medium.com/statuscode/getting-key-vault-secrets-in-azure-functions-37620fd20a0b
in java use System.getenv("SECRET_KEY") to read the values from your app settings.
Happy to help if you need further assistance.
I have already given my answer in above, this answer is for #Matt Sanders's comment,
i just want to explain how MSI working in the Azure Environment,
"I have 2 user assigned identities, 1 has permissions to KeyVault, the other does not. How can you specify the correct user assigned an identity to use for retrieving the secret? I'm guessing this is not possible and User Assigned Identities are not supported even though they are listed in your answer. – Matt Sanders"
when you want to use Azure Manage Identity Service, your application must register in the Azure AD, for an example, lets say multiple users accessing your web application and, within your web application, you 'r trying to access vVault's secrets, In that case, vault doesnt care about the users that consume your application, it cares about the application,
please reffer below image,
I as showing the picture, only Azure Function added as an Identity to the vault, other applications are not,
so whoever using Azure function can access vault's secrets, according to this example only A and B can access secrets,
I have an ASP.NET MVC app deployed to Microsoft Azure App Service and am having some trouble with the appSettings and connectionStrings values.
I have some values set in the web.config and some values overriding them in the Application Settings tab of the App Service. I want to quickly and easily view the final values to check that the settings are being picked up correctly.
How can I do this?
Note: I've tried using az webapp config appsettings list but this only seems to bring back what is configured in the Application Settings of the App Service and not the merged results of combining with web.config.
No Azure API will return values that include settings that come from your web.config file.
The only way to get this is to ask the config system within your own runtime. e.g. Use code along these lines:
foreach (string name in ConfigurationManager.AppSettings)
{
string val = ConfigurationManager.AppSettings[name];
...
}
foreach (ConnectionStringSettings settings in ConfigurationManager.ConnectionStrings)
{
string connStr = settings.ConnectionString;
string provider = settings.ProviderName;
...
}
This will give you the effective values that are applied to your app.
You may also use the following blades in Azure Portal (under Development Tools section):
Console
In order to see the file, you may use type command, e.g.:
type web.config
Advanced Tools
This points to the Kudu service.
You may see files deployed when navigating to Debug Console > Choose either CMD or PowerShell. Then navigate to your config directory (e.g. site/wwwroot) and choose to either download or edit file.
App Service Editor
App Service Editor is a relatively new tool in Azure toolset. Default view is a list of files, so you can browse all hosted files, including configuration ones.
You can view all of your runtime appSettings, connection strings and environment variables (and more..) using azure KUDU SCM. if your application address is "https://app_name.azurewebsites.net" you can access it in the address "https://app_name.scm.azurewebsites.net" or from azure portal
With kudo REST API, you can get the settings, delete or post them in this address https://app_name.scm.azurewebsites.net/api/settings
kudo wiki