Parameterising Azure Functions and Handling Secrets

Now that we have covered getting basic Python functions to work in Azure Functions, let's see about making them more useful. Two things it would be useful to do are to parameterise the function, and to have it use secrets securely to access other services.

Parameterisation

When running an Azure function locally, the parameters for your function are stored in local.settings.json in the root folder of your function app. An important thing to be aware of here is that, despite this being a JSON file, Azure Functions does not handle nested JSON gracefully. Therefore, inside the "Values" dictionary that is created when you initially create an Azure function, use only key-value pairs. At the time of writing, key-value pairs where both are strings appear to be the safest method; cast to the required type after import.

Parameters can then be retrieved with os.environ.get('parameter_name').

Handling KeyVault Secrets

Handling secrets securely is a little more complicated. When testing in local mode you can place the secret directly into local.settings.json. Do be very sure that file is in .gitignore if you are using version control.

Once we upload the function to Azure, though, we are going to want to use secrets from Azure KeyVault. To include keys from the KeyVault you need to link them. More detail can be found here

First, open your function and select Identity, go to the System Assigned tab and change Status to On. This will return an object ID which can be used for RBAC.

Next, navigate to the KeyVault and select Access Policies from the left-hand navigation. You will get a screen like this:

Click on None Selected next to Select Principal, paste the object ID into the right-hand box and use that to select your function. Then add read permission for the keys or secrets you need to read. Note that you DO NOT need to authorise an application. Now, under Key, Secret and Certificate permissions, select the permissions you need. This is generally just GET and LIST for the types of keys you are going to use. After you click Add on the Add Access Policy screen, be sure to click Save at the top of the overall Access Policies screen to commit your change.

Now you can go to your secret, click on it, select the current version, and copy the secret identifier to your clipboard:

Return to your function's parameters and add the URL as an application setting, encapsulated in the following:

@Microsoft.KeyVault(SecretUri=<YOUR_SECRET_IDENTIFIER_HERE>)

You should finish with something like the picture below:

Don't forget to Save your edits (the Save button is near the top of the page). Then ensure you see green ticks next to the key vault references as in the picture above. Red crosses mean you have not given permissions correctly.
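The two halves of this post meet in the function's startup code: string settings have to be cast, and a secret must not be used if its Key Vault reference was never resolved. The sketch below is an added example, not code from the original post; it relies on the platform handing the function the literal @Microsoft.KeyVault(...) text when a reference cannot be resolved, and the helper names, setting names and sample values are all hypothetical.

```python
import os

KV_PREFIX = "@Microsoft.KeyVault("


class SettingError(RuntimeError):
    """Raised when an app setting is missing, malformed or unresolved."""


def get_setting(name, cast=str, env=None):
    """Read one flat string setting and cast it to the required type."""
    env = os.environ if env is None else env
    raw = env.get(name)
    if raw is None:
        raise SettingError(f"missing app setting: {name}")
    if cast is bool:
        # bool("false") is True, so parse the text explicitly.
        lowered = raw.strip().lower()
        if lowered in ("1", "true", "yes"):
            return True
        if lowered in ("0", "false", "no"):
            return False
        raise SettingError(f"{name} is not a boolean")
    try:
        return cast(raw)
    except ValueError:
        # Do not echo the raw value in the error: it may be sensitive.
        raise SettingError(f"{name} cannot be cast to {cast.__name__}") from None


def get_secret(name, env=None):
    """Read a secret; fail closed if the Key Vault reference did not resolve."""
    value = get_setting(name, env=env)
    if value.strip().startswith(KV_PREFIX):
        # The function received the reference text instead of the secret.
        raise SettingError(f"{name} is an unresolved Key Vault reference")
    if not value:
        raise SettingError(f"{name} is empty")
    return value


# Constructed sample environment (hypothetical names and values).
SAMPLE_ENV = {
    "BATCH_SIZE": "250",
    "DRY_RUN": "false",
    "API_KEY": "constructed-not-a-real-secret",
    "DB_PASSWORD": "@Microsoft.KeyVault(SecretUri=<YOUR_SECRET_IDENTIFIER_HERE>)",
}
```

Calling get_secret at import time makes a misconfigured access policy fail on startup rather than sending the reference string to a downstream service as if it were a password.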

Further Reading

More information about working with Azure secrets can be found here https://marcroussy.com/2018/12/10/keeping-secrets-with-azure-functions/ . One of my colleagues has also written a post about CI/CD for Azure Functions which you may find helpful https://medium.com/queryclick-tech-blog/azure-functions-environment-separation-with-linux-apps-queryclick-438ec7cfa146
