How to store function app’s function keys in a key vault

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

 

When running Azure function apps, we need function keys to access the functions. By default, the function keys of a function app are stored in a storage account, which is specified in the appsetting ‘AzureWebjobsStorage’.  You can view the keys in portal as shown below.

zhuyue_0-1628755144731.png

Fig 1. Host keys of function apps in portal

 

zhuyue_1-1628755144743.png

Fig 2. Function keys of a function in portal

 

If you go to the storage account specified in appsetting ‘AzureWebjobsStorage’, you can find the function keys in container ‘azure-webjobs-secrets’. You can see the below container where keys are stored.

 

zhuyue_2-1628755144754.png

Fig 3. The container where function keys are stored in the storage account

 

In the container, you can see the file ‘/{functionAppName}/host.json’, where function keys are stored.

zhuyue_3-1628755144768.png

Fig 4. The host.json file where function keys are written

 

Instead of a storage account, we can also choose a key vault to store function keys.  Below are the detailed steps.

 

Solution:

1. At first, add below two appsettings to the function app.

Appsetting Name

Value

AzureWebJobsSecretStorageType

keyvault

AzureWebJobsSecretStorageKeyVaultName

<key vault's name>

 

2. Enable managed identity in ‘Identity’ blade of the function app in portal.

zhuyue_4-1628755144778.png

Fig 5. Enable managed identity of a function app.

 

3. Go to ‘Access Policies’ blade of the key vault in portal, add an access policy for the function app using the app’s managed identity. You need to give the function app at least the secret management permissions.

zhuyue_5-1628755144794.png

Fig 6. The access policies blade of the key vault.

 

zhuyue_6-1628755144801.png

Fig 7. Select your function app in ‘Select principal’, and give it the certificate management permissions.

 

4. You had better restart the function app to let the settings make sense immediately.  

 

5. Now when you add or delete host keys or function keys in portal, you will see the function keys in ‘secrets’ of the key vault.

zhuyue_7-1628755144809.png

Fig 8. Host/function keys stored in key vault.

 

Hope this article will be useful to you! Thanks for reading!

 

 

 

 

 

 

REMEMBER: these articles are REPUBLISHED. Your best bet to get a reply is to follow the link at the top of the post to the ORIGINAL post! BUT you're more than welcome to start discussions here:

This site uses Akismet to reduce spam. Learn how your comment data is processed.