
How to retrieve Azure Key Vault Secrets using Azure Functions (Part I)

Categories: Azure Serverless

Azure Key Vault is a cloud service for securely storing and accessing secrets used by your cloud applications. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys.

About Secrets

All secrets in your Key Vault are stored encrypted. From a developer's perspective, the Key Vault APIs accept and return secret values as strings. Internally, Key Vault stores and manages secrets as sequences of octets (8-bit bytes), with a maximum size of 25k bytes each. The Key Vault service doesn't attach any semantics to secrets. It merely accepts the data, encrypts it, stores it, and returns a secret identifier ("id"). The identifier can be used to retrieve the secret at a later time.

For sensitive data, clients should consider additional layers of protection. One example is encrypting the data with a separate protection key before storing it in Key Vault.

Why the need to retrieve Azure Key Vault Secrets using Azure Functions?

There may be several reasons to access the Key Vault and retrieve secrets from an Azure Function, and the goal of this blog post is not to address all of them. In my case, I'm migrating a Logic App Consumption to Standard, and I found a lack of API connection parity between these two offers. If you are using Logic App Consumption, you have at your disposal the Azure Key Vault connector, where you can:

  • Decrypt or Encrypt data using the latest version of a key
  • Decrypt or Encrypt data using a specific version of a key
  • Gets metadata of a key
  • Gets metadata of a version of a key
  • Gets a secret
  • Gets metadata of a secret
  • Gets a version of a secret
  • Gets metadata of a version of a secret
  • List versions of a key
  • List keys
  • List secrets

However, this connector is unavailable as a built-in connector in Logic App Standard. You can always use the managed connector, the Azure Key Vault connector. However, if you are trying to access a Key Vault in a Landing Zone protected by VNET, you will not be able to use the managed connector. The alternatives are:

  • Use the HTTP Connector using the REST API to access the Key Vault
  • Create an API App to access and retrieve Key Vault Secrets
  • Create an Azure Function to access and retrieve Key Vault Secrets

In some cases, we can probably use an operation inside API Management to retrieve Key Vault Secrets.

How to retrieve Azure Key Vault Secrets using Azure Functions?

In this sample, we will create an Azure Function that receives a JSON payload containing the Key Vault URL and the secret name, so that the same generic function can be reused from all our Logic App Standard workflows, whether they use the same Key Vault resource or different ones. The payload will be something like this:

{
    "KeyVaultUrl":"https://<vault-name>.vault.azure.net/",
    "SecretName":"<secret-name>"
}

You can develop your Azure Function using the Azure Portal or Visual Studio Code. Nevertheless, in this sample we will use Visual Studio 2022 and a C# HTTP-triggered .NET 6.0 function.

To be able to compile, you need the following NuGet packages:

  • Azure.Identity (1.6.0)
  • Azure.Security.KeyVault.Secrets (4.3.0)

And below is a sample of the code needed for the Azure Function to retrieve secrets from Azure Key Vault:

using System;
using System.IO;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;
using Newtonsoft.Json;

// Request and response contracts matching the JSON payloads shown in this post.
public class SecretRequest { public string KeyVaultUrl { get; set; } public string SecretName { get; set; } }
public class SecretResponse { public string Secret { get; set; } public string Value { get; set; } }

public static class GetKeyVaultSecretFunction
{
   [FunctionName("GetKeyVaultSecret")]
   public static async Task<IActionResult> Run(
      [HttpTrigger(AuthorizationLevel.Function, "post", Route = null)] HttpRequest req,
      ILogger log)
   {
      log.LogInformation("C# HTTP trigger function processed a request.");

      // Read the body asynchronously; a synchronous ReadToEnd() blocks the worker thread.
      string requestBody = await new StreamReader(req.Body).ReadToEndAsync();
      SecretRequest data = JsonConvert.DeserializeObject<SecretRequest>(requestBody);
      if (data == null || string.IsNullOrEmpty(data.KeyVaultUrl) || string.IsNullOrEmpty(data.SecretName))
         return new BadRequestObjectResult("KeyVaultUrl and SecretName are required.");

      // Create a secret client using DefaultAzureCredential from Azure.Identity. It uses the Function App's
      // managed identity when deployed, or environment variables previously set for a service principal
      // (AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID) when running locally.
      var client = new SecretClient(vaultUri: new Uri(data.KeyVaultUrl), credential: new DefaultAzureCredential());

      // Retrieve the secret asynchronously; Response<KeyVaultSecret> converts implicitly to KeyVaultSecret.
      KeyVaultSecret secret = await client.GetSecretAsync(data.SecretName);

      var secretResponse = new SecretResponse { Secret = data.SecretName, Value = secret.Value };

      // Return the object itself so the host serializes it as application/json
      // (wrapping it in JsonConvert.SerializeObject would return a text/plain string instead).
      return new OkObjectResult(secretResponse);
   }
}

The response of this Azure Function will be something like this:

{
    "Secret": "<secret-name>",
    "Value": "<secret-value>"
}
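Two properties of the function above deserve attention before it is published: it hands the secret value in clear text to anyone holding the function key, and the caller chooses the vault, so the function's identity can be pointed at any Key Vault that identity has been granted access to. The following hardened variant is an added example written for this page; it is not Sandro's code nor part of the GitHub project. It keeps the same .NET 6.0 in-process model and the same two NuGet packages, and assumes a hypothetical app setting named AllowedKeyVaultHosts holding a comma-separated allow-list of vault host names. It validates the payload, restricts the vault to that allow-list, reuses one credential instance so tokens are cached across invocations, logs secret names but never values, and maps Key Vault 403/404 responses to HTTP results that do not leak details.

```csharp
// Added example (not from the original post or project): hardened GetKeyVaultSecret.
// Assumption: app setting "AllowedKeyVaultHosts" (hypothetical name) lists the vault
// hosts this function may query, e.g. "kv-prod.vault.azure.net,kv-shared.vault.azure.net".
using System;
using System.IO;
using System.Linq;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;
using Newtonsoft.Json;

public class SecretRequest { public string KeyVaultUrl { get; set; } public string SecretName { get; set; } }
public class SecretResponse { public string Secret { get; set; } public string Value { get; set; } }

public static class GetKeyVaultSecretHardened
{
    // One credential for the whole host process: Azure.Identity caches tokens per instance.
    private static readonly DefaultAzureCredential Credential = new DefaultAzureCredential();

    [FunctionName("GetKeyVaultSecretHardened")]
    public static async Task<IActionResult> Run(
        [HttpTrigger(AuthorizationLevel.Function, "post", Route = null)] HttpRequest req,
        ILogger log)
    {
        string body = await new StreamReader(req.Body).ReadToEndAsync();
        SecretRequest data;
        try { data = JsonConvert.DeserializeObject<SecretRequest>(body); }
        catch (JsonException) { return new BadRequestObjectResult("Invalid JSON payload."); }

        if (data == null || string.IsNullOrWhiteSpace(data.KeyVaultUrl) || string.IsNullOrWhiteSpace(data.SecretName))
            return new BadRequestObjectResult("KeyVaultUrl and SecretName are required.");

        if (!TryValidateVaultUri(data.KeyVaultUrl, out Uri vaultUri))
        {
            // Log the rejection for investigation, but do not echo the caller-supplied URL back.
            log.LogWarning("Rejected request for a vault host that is not in the allow-list.");
            return new BadRequestObjectResult("KeyVaultUrl is not an allowed vault.");
        }

        var client = new SecretClient(vaultUri, Credential);
        try
        {
            KeyVaultSecret secret = await client.GetSecretAsync(data.SecretName);
            // Audit trail: secret name and vault host only, never the value.
            log.LogInformation("Secret {SecretName} read from {VaultHost}", data.SecretName, vaultUri.Host);
            return new OkObjectResult(new SecretResponse { Secret = data.SecretName, Value = secret.Value });
        }
        catch (RequestFailedException ex) when (ex.Status == 404)
        {
            return new NotFoundObjectResult("Secret not found.");
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // Access policy / RBAC denied the function's identity; surface a bare 403 to the caller.
            log.LogError(ex, "Access denied to vault {VaultHost}", vaultUri.Host);
            return new StatusCodeResult(StatusCodes.Status403Forbidden);
        }
    }

    // Accepts only absolute https URLs whose host is a public-cloud Key Vault host present in the allow-list,
    // and rebuilds the URI from the host alone so path or query fragments supplied by the caller are discarded.
    public static bool TryValidateVaultUri(string input, out Uri vaultUri)
    {
        vaultUri = null;
        if (!Uri.TryCreate(input, UriKind.Absolute, out Uri candidate)) return false;
        if (candidate.Scheme != Uri.UriSchemeHttps) return false;
        // Public-cloud suffix; sovereign clouds (e.g. .vault.usgovcloudapi.net) use a different one.
        if (!candidate.Host.EndsWith(".vault.azure.net", StringComparison.OrdinalIgnoreCase)) return false;

        string configured = Environment.GetEnvironmentVariable("AllowedKeyVaultHosts") ?? string.Empty;
        var allowList = configured.Split(',', StringSplitOptions.RemoveEmptyEntries).Select(h => h.Trim());
        if (!allowList.Contains(candidate.Host, StringComparer.OrdinalIgnoreCase)) return false;

        vaultUri = new Uri($"https://{candidate.Host}/");
        return true;
    }
}
```

With AllowedKeyVaultHosts set to "kv-prod.vault.azure.net" (a constructed value), a payload pointing at that host succeeds, while "https://kv-other.vault.azure.net/" or an http:// URL is rejected with 400 before any token is requested. Because the function still returns secret values, keep AuthorizationLevel.Function keys out of workflow definitions (reference them from app settings), grant the Function App's managed identity only the Get permission on secrets for the listed vaults, and rely on the Key Vault diagnostic logs plus the {SecretName}/{VaultHost} entries above to see which workflow read what.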

You can now publish this Azure Function to a Function App resource in your VNET-protected Landing Zone and use it to access all your private Key Vaults. You can even call this Azure Function from inside your Logic App Standard workflows.
You can download the complete code from GitHub here:

Enjoy it!

Sandro Pereira

Aug 2, 2022
