Where should link between Azure Function and Azure Keyvault be configured?

Question

I'm developing an Azure Function running Python for the first time to some of you, so please bear with me. So this question might be trivial. I'm deploying my function using a standard build and deploy pipeline in Azure DevOps. For now only to test. The function uses some information that is sensitive like API keys, passwords, etc. Those secrets are stored in an Azure KeyVault. As of now I can deploy it successfully.

I've created a service principal for my Azure Function, and both the KeyVault and the Function are in the same resource group.

In my script I'm calling the secrets using the os.environ method, i.e.:

api_key = os.environ['api_key']

It works well when I'm developing using the local_settings.json file in Visual Studio Code.

My question is now: should I configure the environment variables in the Azure Function or in Azure DevOps, i.e. should I link to the secrets in the KeyVault from the Azure Function or in Azure DevOps?
If I'm setting up the link to the secrets in Azure Function, do I still need to use @Microsoft.KeyVault(SecretUri=<secret-url>) when setting it up in Azure Function?

Answer 1

Score: 0

> should I link to the secrets in the keyvault from the Azure Function or in Azure Devops

In the Azure Function. Otherwise, the secrets are exposed in the AppSettings of the Function app.

> If I'm setting up the link to the secrets in Azure Function, do I still need to use @Microsoft.KeyVault(SecretUri=) when setting it up in Azure Function

Yes. See the docs for the KeyVault references.
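
When a Key Vault reference cannot be resolved (for example, the Function app's identity lacks access to the vault), App Service leaves the literal reference string in the app setting, so `os.environ['api_key']` would return `@Microsoft.KeyVault(...)` instead of the secret. The startup check below is an added example, not part of either answer: it fails closed in that case. `parse_reference`, `get_secret_setting`, `UnresolvedSecretError` and the sample vault name are hypothetical, and the Azure public cloud vault domain is assumed.

```python
import os
import re

# Documented reference forms (Azure public cloud vault domain assumed):
#   @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>/<version>)
#   @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>;SecretVersion=<version>)
_REFERENCE = re.compile(r"^@Microsoft\.KeyVault\((?P<body>[^)]*)\)$")
_SECRET_URI = re.compile(
    r"^https://(?P<vault>[A-Za-z0-9-]+)\.vault\.azure\.net/secrets/"
    r"(?P<name>[A-Za-z0-9-]+)(?:/(?P<version>[0-9a-f]+))?/?$"
)


class UnresolvedSecretError(RuntimeError):
    """Setting is missing or still holds the literal reference string."""


def parse_reference(value):
    """Return vault/name/version for a reference string, or None for a plain value."""
    match = _REFERENCE.match(value.strip())
    if not match:
        return None
    fields = dict(p.split("=", 1) for p in match.group("body").split(";") if "=" in p)
    if "SecretUri" in fields:
        uri = _SECRET_URI.match(fields["SecretUri"])
        if not uri:
            raise ValueError("malformed SecretUri in Key Vault reference")
        return uri.groupdict()
    if "VaultName" in fields and "SecretName" in fields:
        return {"vault": fields["VaultName"], "name": fields["SecretName"],
                "version": fields.get("SecretVersion")}
    raise ValueError("Key Vault reference needs SecretUri or VaultName+SecretName")


def get_secret_setting(name, environ=os.environ):
    """Read a secret-backed app setting, failing closed if it was not resolved."""
    value = environ.get(name)
    if not value:
        raise UnresolvedSecretError(f"app setting {name!r} is not set")
    if value.lstrip().startswith("@Microsoft.KeyVault("):
        try:
            ref = parse_reference(value) or {}
        except ValueError:
            ref = {}  # malformed reference: still unresolved, still fail closed
        # Never log the value itself; vault and secret name are enough to debug.
        raise UnresolvedSecretError(
            f"{name!r} still holds a Key Vault reference (vault={ref.get('vault')!r}, "
            f"secret={ref.get('name')!r}); check the Function app identity's access")
    return value
```

In the function, `api_key = get_secret_setting('api_key')` replaces the direct `os.environ` lookup, and the same call works locally because local_settings.json supplies a plain value.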

Answer 2

Score: 0

You should create variables for keyvaulturl, clientId, and clientsecret in your Azure DevOps release pipeline. Once you deploy the Azure Function from the release pipeline using the Azure Functions task, you also need to set the configuration for your Azure Function app in that particular task.
Or use the Azure App Service Settings task.
Now, in your Azure Function code, in the startup, you need to create the connection to KeyVault using the env variables (keyvaulturl, clientid, client secret), fetch all your application secrets, and set them as env variables again for further use.

So you don't need to set anything in your appsettings file or in the code repository.
Hope this helps.

huangapple
  • Published on April 17, 2023, 16:46:16
  • When reposting, please retain the link to this article: https://go.coder-hub.com/76033264.html