{"id":616,"date":"2018-10-15T20:21:49","date_gmt":"2018-10-15T18:21:49","guid":{"rendered":"http:\/\/cwiok.pl\/?p=616"},"modified":"2018-10-15T20:29:50","modified_gmt":"2018-10-15T18:29:50","slug":"setting-up-azure-key-vault","status":"publish","type":"post","link":"https:\/\/cwiok.pl\/index.php\/en\/2018\/10\/15\/setting-up-azure-key-vault\/","title":{"rendered":"Setting up Azure Key Vault"},"content":{"rendered":"

Key Vault is an Azure module, which lets you safely store your secrets\/keys. This way your developers do not have to store credentials or connection strings in the code, but can simpy ask Key Vault to provide them. The application will be handed the password and will be able to log in without the developer even knowing it. Let us create a key vault!<\/p>\n

\"\"<\/a><\/p>\n

Creating Key Vault<\/h1>\n
\"image\"<\/a><\/div>\n

To create a Key Vault (just like you probably expect), simply search for it in Azure. When creating your Key Vault you may specify access policies for your account. For now, you can leave it with default values. You may experiment it with more, once you set up the service.<\/p>\n

Registering you app with Azure Active Directory<\/h1>\n

To enable access to the secrets by Function App, you have to register your app in Azure Active Directory. Only then will you app be able to authenticate with Key Vault.<\/p>\n

Open your Function App and navigate to Platform features:<\/p>\n

\"image\"<\/a><\/div>\n

Click on Managed service indentity and register with AAD:<\/p>\n

\"image\"<\/a><\/div>\n

 <\/p>\n

 <\/p>\n

Alternatively, you can use Powershell:<\/p>\n

Set-AzureRmWebApp -AssignIdentity $true -Name $appname \u2013ResourceGroupName $resourcegroupname<\/pre>\n
 <\/p>\n
Now that the app is registered with AAD, you can add it in access policies in your Key Vault. To do that, go to access policies:<\/p>\n
\"image\"<\/a><\/div>\n
Click add new, select principal (you app name), specify permissions and click OK:<\/p>\n
\"image\"<\/a><\/div>\n
Now, your app can access your secrets! Even if you have no permission to see the secrets, you still can use them in an app.<\/p>\n
<\/h1>\n
Creating a secret<\/h1>\n
\n
\"image\"<\/a><\/p>\n<\/div>\n
Go to Secrets in the main Settings pane. In there you can enter your passwords, which will be accessable only by specified people\/apps. Click on Generate\/Import and add a password:<\/p>\n
 <\/p>\n
\"image\"<\/a><\/div>\n
<\/div>\n
\"image\"<\/a><\/div>\n
<\/div>\n
 <\/p>\n
After creating a secret, copy its identifier. This URL can be specified as an environmental variable or pasted into the code like in the example below.<\/p>\n
\"image\"<\/a><\/div>\n
<\/h1>\n
Accessing secrets through Function App<\/h1>\n
Now, you are ready to create a function and access the secret with code.<\/p>\n
Go to Visual Studio and create a new function with HTTP Trigger.<\/p>\n
\"image\"<\/a><\/div>\n
<\/div>\n
\"image\"<\/a><\/div>\n
You have to include two namespaces:<\/p>\n
using Microsoft.Azure.Services.AppAuthentication;\r\nusing Microsoft.Azure.KeyVault;<\/pre>\n
 <\/p>\n
Next add three lines into the code:<\/p>\n
var azureServiceTokenProvider = new AzureServiceTokenProvider();\r\nvar kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));\r\nstring secret = kv.GetSecretAsync(\u201c<Secret URL you have copied>\u201d).Result.Value;<\/pre>\n
 <\/p>\n
Also change what the function returns to:<\/p>\n
return (ActionResult)new OkObjectResult($\"Your secret is: \" + secret);<\/pre>\n
 <\/p>\n
Whole code:<\/p>\n
using System;\r\nusing System.IO;\r\nusing System.Threading.Tasks;\r\nusing Microsoft.AspNetCore.Mvc;\r\nusing Microsoft.Azure.WebJobs;\r\nusing Microsoft.Azure.WebJobs.Extensions.Http;\r\nusing Microsoft.AspNetCore.Http;\r\nusing Microsoft.Azure.WebJobs.Host;\r\nusing Microsoft.Extensions.Logging;\r\nusing Newtonsoft.Json;\r\nusing Microsoft.Azure.Services.AppAuthentication;\r\nusing Microsoft.Azure.KeyVault;\r\n\r\n\r\nnamespace MySecretApp\r\n{\r\n    public static class Function1\r\n    {\r\n        [FunctionName(\"Function1\")]\r\n        public static async Task<IActionResult> Run([HttpTrigger(AuthorizationLevel.Function, \"get\", \"post\", Route = null)]HttpRequest req, ILogger log)\r\n        {\r\n            log.LogInformation(\"C# HTTP trigger function processed a request.\");\r\n\r\n            var azureServiceTokenProvider = new AzureServiceTokenProvider();\r\n            var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));\r\n            string secret = kv.GetSecretAsync(\u201c<Secret URL you have copied>\u201d).Result.Value;\r\n\r\n            return (ActionResult)new OkObjectResult($\"Your secret is: \" + secret);\r\n                \r\n        }\r\n    }\r\n}\r\n<\/pre>\n
 <\/p>\n
After you publish the function, you can run the function from within Azure portal to get your secret:<\/p>\n
\n
\"image\"<\/a><\/p>\n<\/div>\n
Hope this helps.<\/p>\n
Micha\u0142<\/p>\n","protected":false},"excerpt":{"rendered":"
Key Vault is an Azure module, which lets you safely store your secrets\/keys. This way your developers do not have to store credentials or connection strings in the code, but can simpy ask Key Vault to provide them. The application will be handed the password and will be able to log in without the developer even knowing it. Let us create a key vault!<\/p>\n
\"\"<\/a><\/p>\n
Read More<\/a><\/div>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[28],"tags":[],"class_list":["post-616","post","type-post","status-publish","format-standard","hentry","category-azure"],"_links":{"self":[{"href":"https:\/\/cwiok.pl\/index.php\/wp-json\/wp\/v2\/posts\/616","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cwiok.pl\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cwiok.pl\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cwiok.pl\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cwiok.pl\/index.php\/wp-json\/wp\/v2\/comments?post=616"}],"version-history":[{"count":0,"href":"https:\/\/cwiok.pl\/index.php\/wp-json\/wp\/v2\/posts\/616\/revisions"}],"wp:attachment":[{"href":"https:\/\/cwiok.pl\/index.php\/wp-json\/wp\/v2\/media?parent=616"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cwiok.pl\/index.php\/wp-json\/wp\/v2\/categories?post=616"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cwiok.pl\/index.php\/wp-json\/wp\/v2\/tags?post=616"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}