Managing API Keys for Serverless Functions with Azure KeyVault
With my team's ever-growing list of interconnected services, serverless functions, external APIs, databases, et al., we need a way to securely manage and protect all the sensitive information contained therein.
This is not an uncommon use case, and in fact several high-profile breaches over the last few years involved the storage of sensitive information like API keys in source control. We'll be using Azure KeyVault to manage our sensitive keys, and today we'll look at how to connect an Azure Function to an Azure Key Vault.
Before we get started, this is going to be a zero-code demonstration. Our development environment doesn't need access to the KeyVault for you to trigger the function, even with AuthorizationLevel.Function set. We will do the setup purely in Azure, and show you how to set up role-based access. I'm going to assume you are familiar with Azure and know how to set up new services.
The Microsoft documentation on this authorization scenario points at legacy access control in Azure, so hopefully this post saves you some head scratching.
Create Azure Services
So to get started, you're going to need to create an Azure Function and an Azure KeyVault. When you create your KeyVault, make sure the default "Azure role-based access control" option is selected. For the Azure Function, I used .NET 7 Isolated. All the other settings are up to you and your use-case requirements.
Create a Managed Identity for the Azure Function
First we need to enable Managed Identity in the Azure Function. This part is dead simple. All we need to do is find the menu option and turn it on.
Grant Access to the KeyVault to your Managed Identity
This is the part where the documentation differs from the features currently available in Azure. The legacy access control is gone, and you'll need to use role-based access control.
Once you've made it here, you'll need to assign access.
From here, you need to add the 'Key Vault Secrets Officer' role to your managed identity. Your Azure Function will need read/write access to the vault, because it will automatically populate its API keys to the vault.
Click the role, click next, and you'll see the option to select your Managed Identity.
When you press Select Members, you'll get the option to select your subscription and the Managed Identity you created.
Once you're done, click next and it'll take you to the 'Review and Assign' screen.
Configure the Azure Function to use KeyVault for API Keys
Now that permissions are properly configured, all you need to do is point the Azure Function at the Key Vault. To do this, we just need to set some environment variables in the function configuration blade.
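The same setup as a Bicep template, added here as an example and not part of the original post. It assumes an existing hosting plan and storage account passed in as parameters (placeholders, not real resources); the app setting names AzureWebJobsSecretStorageType and AzureWebJobsSecretStorageKeyVaultUri are the Functions host settings behind the "environment variables" mentioned above.

```bicep
param location string = resourceGroup().location
param functionAppName string
param keyVaultName string
param planId string                      // id of an existing hosting plan (assumed)
@secure()
param storageConnectionString string     // AzureWebJobsStorage for the function host (assumed)
// Built-in role 'Key Vault Secrets Officer': read/write on secrets only, no key or certificate rights.
var secretsOfficerRoleId = 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7'

// Vault using the default "Azure role-based access control" model, not legacy access policies.
resource kv 'Microsoft.KeyVault/vaults@2023-02-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true
  }
}

// Function app with a system-assigned managed identity; the host keeps its master
// and function keys in the vault instead of in the storage account.
resource func 'Microsoft.Web/sites@2022-09-01' = {
  name: functionAppName
  location: location
  kind: 'functionapp'
  identity: { type: 'SystemAssigned' }
  properties: {
    serverFarmId: planId
    httpsOnly: true
    siteConfig: {
      appSettings: [
        { name: 'AzureWebJobsStorage', value: storageConnectionString }
        { name: 'FUNCTIONS_EXTENSION_VERSION', value: '~4' }
        { name: 'FUNCTIONS_WORKER_RUNTIME', value: 'dotnet-isolated' }
        { name: 'AzureWebJobsSecretStorageType', value: 'keyvault' }
        { name: 'AzureWebJobsSecretStorageKeyVaultUri', value: kv.properties.vaultUri }
      ]
    }
  }
}

// Role assignment scoped to this one vault: least privilege for the identity.
resource secretsOfficer 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, func.id, secretsOfficerRoleId)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', secretsOfficerRoleId)
    principalId: func.identity.principalId
    principalType: 'ServicePrincipal'
  }
}
```

Deploying the role assignment requires the deploying principal to hold Owner or User Access Administrator on the vault's scope, so a plain Contributor deployment will fail at that step.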
Configuration Complete
Once that's done, your function app will populate the Key Vault with its master keys. You can see below that the function API keys are stored in the vault automatically. Your functionKey--default secret will be the key for your AuthorizationLevel.Function authorization.