What is the appropriate way to use managed identity with Azure Functions and Storage accounts if the AzureWebJobsStorage app setting is required by the function host? Is there a managed identity version of the storage account connection string that doesn't include the access key?
While you can't use Managed Identity to authenticate to the storage account directly, you can store the access key in Key Vault and fetch it from there using Key Vault References using Managed Identity.
Just wanted to share this because I believe it's great to use Key Vault References instead of directly using access keys in the app settings.
I have created a User-Assigned Managed Identity that I have assigned to a Function App. I want to replace the Access Key connection string with the User-Assigned Managed Identity so that the Function App connects to its own storage, i.e., the hosting storage for the Function App. I have given the Storage Account Contributor, Storage Blob Data Owner, Storage Queue Data Contributor and Storage Table Data Contributor roles to the User-Assigned Managed Identity. What needs to be done to replace the storage account Access Key connection string with the User-Assigned Managed Identity? I have tried renaming the configuration AzureWebJobsStorage to AzureWebJobsStorage__accountName and replacing the Access Key connection string with the storage account name, as described in this tutorial: https://learn.microsoft.com/en-us/azure/azure-functions/functions-identity-based-connections-tutorial, however this does not seem to work. I'm unable to reach the function app and get the following error in the logs: "statusCode":400,"message":"Unable to load requested managed identity.
I am using Azure Web App service. Currently, I am storing the plain connection string to the database, Azure storage in the Application Settings section in the configuration tab of the Web App Service.
Instead of storing the plain connection string in configuration, how can I store the connection string in Azure Key Vault and then reference it in the Application settings, so that the plain connection strings are not stored in the configuration settings?
There are two ways to reference Key Vault in Azure Web Apps. You can do a complete reference:
@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/)
Or you can use the alternative:
@Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret)
In order to read secrets from Key Vault, you need to have a vault created and give your app permission to access it.
Create a key vault by following the Key Vault quickstart.
Create a managed identity for your application.
Key Vault references will use the app's system assigned identity by default, but you can specify a user-assigned identity.
Create an access policy in Key Vault for the application identity you created earlier. Enable the "Get" secret permission on this policy. Do not configure the "authorized application" or applicationId settings, as this is not compatible with a managed identity.
Full steps on setting this up:
https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references
I am looking to deploy an Azure Function by using Terraform, in the same way as is described here in the MS docs.
https://learn.microsoft.com/en-us/azure/azure-functions/deployment-zip-push
One of my needs is to store the Storage SAS key in Key Vault. I have seen some examples where the setting below is used, but I can't use the SAS key without storing it in Key Vault.
WEBSITE_RUN_FROM_ZIP = "https://${azurerm_storage_account.this.name}.blob.core.windows.net/${azurerm_storage_container.this.name}/${azurerm_storage_blob.this.name}${data.azurerm_storage_account_sas.this.sas}"
Any suggestion?
Thank you !
For this requirement, you can use the Key Vault reference to get the secrets to the Azure Function like this:
@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931)
Or
@Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret;SecretVersion=ec96f02080254f109c51a1f14cdb1931)
But this means only system-assigned managed identities are supported. So you need to enable the system-assigned managed identity and assign the right role on the Key Vault to it. Here are more details.
I am trying to fetch secret values from azure key vault in Azure App Service.
My App Service has a managed identity
In the Azure Key vault, this managed identity is added under 'Role assignments' as 'Key vault contributor'
Also, access policies have been added in Azure Key Vault to give the 'Get' permission to the App Service's managed identity.
Now in my c# code, I am trying to get the value of the AppSetting element using the code
ConfigurationManager.AppSettings["something"];
In my Azure App Service, under app settings, I have added a key with the name 'something' and it has the value pointing to the reference of the Key Vault as below:
@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931)
Now I am able to retrieve the value from the app settings, but instead of the actual value, it is pulling the output as @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/c96f02080254f109c51a1f1cdb1931)
I am expecting the output to be value that I have set, not the keyvault reference string itself.
I am using .Net MVC 4.7 web app
As junnas said, you just need to add the web app's MSI to the Key Vault access policy.
1. Turn on the web app's System-assigned managed identity.
2. Add the identity to the Key Vault access policy with the secret Get permission.
3. Add the Key Vault reference to the web app's Application settings.
4. Use Environment.GetEnvironmentVariable("AppsettingName"); to get the secret value.
Here is the output:
Actually, I figured out that even using ConfigurationManager.AppSettings["keyname"] works fine. In my case, I had done everything as listed above, but had enabled the "Slot Deployment" option in the Connection string configuration in App Service. Once I enabled it, I am now able to access my Key Vault secrets.
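An added check, not code from any of the posts above: it parses both Key Vault reference forms shown in the answers (SecretUri and VaultName/SecretName, with or without a version), rejects anything that is not an https secret URI, and flags app settings that still carry a raw AccountKey or SAS, distinguishing identity-based AzureWebJobsStorage-style settings (system-assigned vs user-assigned via the `__clientId` suffix). The setting names and values in SAMPLE are constructed for illustration.

```python
import re
from urllib.parse import urlparse
# Both Key Vault reference syntaxes accepted in App Service / Functions app settings.
KV_URI_RE = re.compile(r"^@Microsoft\.KeyVault\(SecretUri=(?P<uri>[^)]+)\)$")
KV_PAIRS_RE = re.compile(r"^@Microsoft\.KeyVault\((?P<pairs>[^)]+)\)$")
# Substrings that indicate a raw storage key or SAS was pasted into a setting.
PLAINTEXT_MARKERS = ("AccountKey=", "SharedAccessSignature=", "sig=")
# Suffixes used by identity-based connections (e.g. AzureWebJobsStorage__accountName).
IDENTITY_SUFFIXES = ("__accountName", "__blobServiceUri", "__queueServiceUri", "__tableServiceUri")

def parse_kv_reference(value):
    """Return (vault, secret, version-or-None) for a Key Vault reference, else None."""
    value = value.strip()
    m = KV_URI_RE.match(value)
    if m:
        u = urlparse(m.group("uri").strip())
        parts = [p for p in u.path.split("/") if p]
        if u.scheme != "https" or not u.hostname or len(parts) < 2 or parts[0] != "secrets":
            return None
        return (u.hostname.split(".")[0], parts[1], parts[2] if len(parts) > 2 else None)
    m = KV_PAIRS_RE.match(value)
    if m:
        kv = dict(p.split("=", 1) for p in m.group("pairs").split(";") if "=" in p)
        if "VaultName" in kv and "SecretName" in kv:
            return (kv["VaultName"], kv["SecretName"], kv.get("SecretVersion"))
    return None

def audit_settings(settings):
    """Classify each setting: keyvault, plaintext, identity:user, identity:system or other."""
    result = {}
    for name, value in settings.items():
        if parse_kv_reference(value):
            result[name] = "keyvault"
        elif any(marker in value for marker in PLAINTEXT_MARKERS):
            result[name] = "plaintext"  # raw credential in config: move it to Key Vault
        elif name.endswith(IDENTITY_SUFFIXES):
            # A user-assigned identity must be named via <prefix>__clientId (together with
            # <prefix>__credential=managedidentity); otherwise the system-assigned one is used.
            prefix = name.split("__", 1)[0]
            has_client = f"{prefix}__clientId" in settings
            result[name] = "identity:user" if has_client else "identity:system"
        else:
            result[name] = "other"
    return result

SAMPLE = {  # constructed sample settings, not taken from any real app
    "AzureWebJobsStorage": "DefaultEndpointsProtocol=https;AccountName=st1;AccountKey=REDACTED==",
    "DbConn": "@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/)",
    "Storage__accountName": "st1",
}
```

Running `audit_settings(SAMPLE)` flags AzureWebJobsStorage as plaintext, DbConn as a Key Vault reference and Storage__accountName as a system-assigned identity connection.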
Is it possible to create a Key Vault in Azure via C#? I'm able to manipulate secrets and keys via the KeyVaultClient but I need to
A). See if a key vault already exists and
B). Create a key vault if it doesn't exist.
Yes, you can use the KeyVault management client to check whether a key vault exists in an Azure subscription and create the Key Vault if necessary. There is a C# SDK for these operations, which go against Azure Resource Manager.
https://learn.microsoft.com/en-us/dotnet/api/microsoft.azure.management.keyvault.vaultsoperationsextensions?view=azure-dotnet