Sensitive configuration such as connection strings and passwords should not live in code or plain application settings; Azure Key Vault exists to hold it.
Azure Key Vault is a secure store for keys, certificates, and secrets, so that an application can retrieve them at runtime when needed instead of embedding them.
Microsoft Azure Key Vault is a cloud-hosted management service that allows users to encrypt keys and small secrets by using keys that are protected by hardware security modules (HSMs).
Azure Key Vault helps solve the following problems:
Secrets Management
Azure Key Vault can be used to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
Key Management
Azure Key Vault can also be used as a Key Management solution. Azure Key Vault makes it easy to create and control the encryption keys used to encrypt your data.
Certificate Management
Azure Key Vault is also a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and your internal connected resources.
Store secrets backed by Hardware Security Modules
Keys and secrets can be protected either in software or by FIPS 140-2 Level 2 validated HSMs (HSM-protected keys require the Premium tier of Key Vault).
Below are the steps covered in this article.
Step 1 - Create an Azure Key Vault with a secret
In the Azure Portal, search for Key Vaults and select it.
Click + Add to create a new Key Vault.
Now click on the Access policy tab.
Fill in all required values and leave the rest as default.
Click on Create.
Azure Key Vault has been created.
Now add a secret: from the left-side menu click Secrets, then + Generate/Import, give the secret a name (here DBConnectionString) and paste the connection string as its value.
A new secret has been added. Now click on this newly created secret.
Click on the current version
Here you can find the Secret Identifier URI, for example:
https://keyvaultdevdemotest.vault.azure.net/secrets/DBConnectionString/a520325d428240888836fabcc8669609
The Key Vault with a secret has been created. Now deploy the Azure Function that will use the secret.
In the Azure Portal, navigate to your Function App.
In the Networking section of Platform features, click Identity.
On the System assigned tab, make sure Status is On. This is what lets the Function App authenticate to Key Vault without any stored credential.
The portal's own description of this setting:
"A system assigned managed identity enables Azure resources to authenticate to cloud services (e.g. Azure Key Vault) without storing credentials in code. Once enabled, all necessary permissions can be granted via Azure role-based-access-control. The lifecycle of this type of managed identity is tied to the lifecycle of this resource. Additionally, each resource (e.g. Virtual Machine) can only have one system assigned managed identity."
Save and close it.
Now grant the Function App access to the Key Vault.
Open your Key Vault again, click Access policies in the left-side menu, then + Add Access Policy: under Secret permissions select Get (add List only if the code needs to enumerate secrets), under Select principal search for the Function App's name (its system-assigned identity appears with the same name), then Add and Save. Grant only the permissions the function needs; a leaked function with Set or Delete rights can tamper with every secret in the vault.
Add an Azure Function application setting
From Azure Key Vault copy the Secret Identifier,
https://keyvaultdevdemotest.vault.azure.net/secrets/DBConnectionString/a520325d428240888836fabcc8669609
Now open the Function App's Configuration pane and add a new application setting. Its name is the key your code will read (here DBConnectionString) and its value is a Key Vault reference wrapping the Secret Identifier: @Microsoft.KeyVault(SecretUri=https://keyvaultdevdemotest.vault.azure.net/secrets/DBConnectionString/a520325d428240888836fabcc8669609). If you omit the version segment at the end of the URI, the reference resolves to the secret's current version. The platform resolves the reference using the Function App's managed identity, so the function code only ever sees an ordinary environment variable.
Click OK, then Save.
The application setting has been added.
Now write the code that reads this application setting in your Function App project in Visual Studio Code:
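The following HTTP-triggered function is an added example (not the article's own code) showing how the setting is consumed. It reads the DBConnectionString setting from the environment, and, because an unresolved Key Vault reference is handed to the app as the literal "@Microsoft.KeyVault(...)" string (typically when the identity is off or the access policy is missing), it detects that case and falls back to fetching the secret directly with the managed identity via the Azure.Identity and Azure.Security.KeyVault.Secrets NuGet packages. The function name, the class name and the setting name are assumptions; the vault and secret name match the article's URI.

```csharp
using System;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;

namespace KeyVaultDemo
{
    public static class GetConnectionStringFunction
    {
        // Name of the application setting added in the Configuration pane (assumed to match the secret name).
        private const string SettingName = "DBConnectionString";

        [FunctionName("GetConnectionString")]
        public static async Task<IActionResult> Run(
            [HttpTrigger(AuthorizationLevel.Function, "get", Route = null)] HttpRequest req,
            ILogger log)
        {
            // With a resolved Key Vault reference, this is already the secret value.
            string value = Environment.GetEnvironmentVariable(SettingName);

            if (string.IsNullOrEmpty(value))
            {
                log.LogError("App setting {Setting} is missing.", SettingName);
                return new StatusCodeResult(StatusCodes.Status500InternalServerError);
            }

            // If the platform could not resolve the reference (identity off, no access
            // policy, wrong URI), the app sees the raw "@Microsoft.KeyVault(...)" string.
            if (IsUnresolvedKeyVaultReference(value))
            {
                log.LogWarning("Key Vault reference for {Setting} was not resolved; fetching it with the managed identity.", SettingName);
                value = await ReadSecretWithManagedIdentityAsync(value);
            }

            // Never echo the secret itself; only prove that it resolved.
            return new OkObjectResult($"{SettingName} resolved, length {value.Length}");
        }

        public static bool IsUnresolvedKeyVaultReference(string value) =>
            value.StartsWith("@Microsoft.KeyVault(", StringComparison.OrdinalIgnoreCase);

        // Extracts the SecretUri from "@Microsoft.KeyVault(SecretUri=https://.../secrets/name/version)".
        public static Uri ExtractSecretUri(string reference)
        {
            const string marker = "SecretUri=";
            int start = reference.IndexOf(marker, StringComparison.OrdinalIgnoreCase);
            if (start < 0) throw new FormatException("Reference does not contain SecretUri=");
            start += marker.Length;
            int end = reference.IndexOf(')', start);
            if (end < 0) throw new FormatException("Reference is not terminated with ')'");
            return new Uri(reference.Substring(start, end - start).Trim());
        }

        private static async Task<string> ReadSecretWithManagedIdentityAsync(string reference)
        {
            Uri secretUri = ExtractSecretUri(reference);

            // Vault URL is scheme + host; the path is /secrets/<name>[/<version>].
            var vaultUri = new Uri(secretUri.GetLeftPart(UriPartial.Authority));
            string[] segments = secretUri.AbsolutePath.Trim('/').Split('/');
            if (segments.Length < 2 || !segments[0].Equals("secrets", StringComparison.OrdinalIgnoreCase))
                throw new FormatException("SecretUri path must be /secrets/<name>[/<version>]");
            string name = segments[1];
            string version = segments.Length > 2 ? segments[2] : null;

            // DefaultAzureCredential uses the system-assigned managed identity when running in Azure;
            // the Get secret permission granted in the access policy is all it needs.
            var client = new SecretClient(vaultUri, new DefaultAzureCredential());
            KeyVaultSecret secret = await client.GetSecretAsync(name, version);
            return secret.Value;
        }
    }
}
```

The fallback is a diagnostic aid, not a substitute for fixing the reference: if it succeeds while the app setting did not resolve, the identity and access policy are fine and the problem is the reference syntax or URI; if it fails too, the failure message from Key Vault (typically a 403 Forbidden) points at the missing permission.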
Now publish your code.
Then check in the Azure Portal that the function was deployed and that, in the Configuration pane, the DBConnectionString setting shows as a resolved Key Vault reference.
Finally, open the function URL in a browser to confirm that the function reads the secret.