This post shows how to configure Azure Function projects so that no secrets are required in the local.settings.json or in the code. Secrets for the project are saved in the user secrets of the project, or in the app settings of the deployment. The deployment should/can use Azure Key Vault for the secrets and not the app.settings of the deployment (or key vault). The aim is to remove the secrets from the code and the local.settings.json file. I see this committed in many solutions with secrets.
Code: https://github.com/damienbod/AzureDurableFunctions
History
2021-03-07 Update packages and using DefaultAzureCredential for Azure Key vault access
2020-10-23 Updated Azure Functions Configuration
Posts in this series
- Using External Inputs in Azure Durable functions
- Azure Functions Configuration and Secrets Management
- Using Key Vault and Managed Identities with Azure Functions
- Waiting for Azure Durable Functions to complete
- Azure Durable Functions Monitoring and Diagnostics
- Retry Error Handling for Activities and Orchestrations in Azure Durable Functions
The local.settings.json file can be used to add app settings for local development in your Azure Function project. In this file, are standard configuration values which are not secrets and this file can be committed to the git repository. In this demo, we added a MyConfiguration class with two values. Note that the configuration is not added inside the Values object. I prefer this.
local.settings.json
{ "IsEncrypted": false, "Values": { "AzureWebJobsStorage": "UseDevelopmentStorage=true", "AzureWebJobsSecretStorageType": "Files", "FUNCTIONS_WORKER_RUNTIME": "dotnet", "ASPNETCORE_ENVIRONMENT": "Development", //"AZURE_TENANT_ID": "your tenant", // To use the key vault in local debug, the Firewall needs to allow this //"AzureKeyVaultEndpoint": "your azure ad tenant" "AzureKeyVaultEndpoint": "" }, "MyConfiguration": { "Name": "Lilly", "AmountOfRetries": 7 } }
The Azure functions project requires the Microsoft.Extensions.Configuration.UserSecrets nuget package to support user secrets for local development.
<Project Sdk="Microsoft.NET.Sdk"> <PropertyGroup> <TargetFramework>netcoreapp3.1</TargetFramework> <AzureFunctionsVersion>v3</AzureFunctionsVersion> <UserSecretsId>222f37ac-e563-4ba8-8e33-ee799c456135</UserSecretsId> </PropertyGroup> <ItemGroup> <PackageReference Include="Microsoft.Azure.WebJobs.Extensions.DurableTask" Version="2.4.1" /> <PackageReference Include="Microsoft.NET.Sdk.Functions" Version="3.0.11" /> <PackageReference Include="Microsoft.Azure.Functions.Extensions" Version="1.1.0" /> <PackageReference Include="System.Configuration.ConfigurationManager" Version="5.0.0" /> <PackageReference Include="Microsoft.Extensions.Configuration" Version="3.1.12" /> <PackageReference Include="Microsoft.Extensions.Logging.Console" Version="3.1.12" /> <PackageReference Include="Microsoft.Extensions.Configuration.UserSecrets" Version="3.1.12" /> <PackageReference Include="Azure.Extensions.AspNetCore.Configuration.Secrets" Version="1.0.2" /> <PackageReference Include="Azure.Identity" Version="1.3.0" /> <PackageReference Include="Azure.Security.KeyVault.Certificates" Version="4.1.0" /> <PackageReference Include="Microsoft.Azure.Services.AppAuthentication" Version="1.6.1" /> </ItemGroup> <ItemGroup> <None Update="host.json"> <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory> </None> <None Update="local.settings.json"> <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory> <CopyToPublishDirectory>Never</CopyToPublishDirectory> </None> </ItemGroup> </Project>
In the secrets json file which is in your profile and not the source code, you can add the super secrets.
{ "MyConfigurationSecrets": { "MySecretOne": "secret one", "MySecretTwo": "secret two" } }
The Azure Functions project uses DI and so has a Startup class which inherits from the FunctionsStartup class. The configuration is setup using the ConfigurationBuilder and uses the optional Json files and the optional user secrets. It is important that these are optional. The configuration classes are added using the IOption interface.
using Microsoft.Azure.Functions.Extensions.DependencyInjection; using Microsoft.Azure.KeyVault; using Microsoft.Azure.Services.AppAuthentication; using Microsoft.Extensions.Configuration; using Microsoft.Extensions.DependencyInjection; using MyAzureFunctions; using MyAzureFunctions.Activities; using System; using System.Reflection; [assembly: FunctionsStartup(typeof(Startup))] namespace MyAzureFunctions { public class Startup : FunctionsStartup { public override void Configure(IFunctionsHostBuilder builder) { builder.Services.AddScoped<MyActivities>(); builder.Services.AddOptions<MyConfiguration>() .Configure<IConfiguration>((settings, configuration) => { configuration.GetSection("MyConfiguration").Bind(settings); }); builder.Services.AddOptions<MyConfigurationSecrets>() .Configure<IConfiguration>((settings, configuration) => { configuration.GetSection("MyConfigurationSecrets").Bind(settings); }); } public override void ConfigureAppConfiguration(IFunctionsConfigurationBuilder builder) { var builtConfig = builder.ConfigurationBuilder.Build(); var keyVaultEndpoint = builtConfig["AzureKeyVaultEndpoint"]; if (!string.IsNullOrEmpty(keyVaultEndpoint)) { // might need this depending on local dev env //var credential = new DefaultAzureCredential( // new DefaultAzureCredentialOptions { ExcludeSharedTokenCacheCredential = true }); // using Key Vault, either local dev or deployed builder.ConfigurationBuilder .SetBasePath(Environment.CurrentDirectory) .AddAzureKeyVault(new Uri(keyVaultEndpoint), new DefaultAzureCredential()) .AddJsonFile("local.settings.json", true) .AddEnvironmentVariables() .Build(); } else { // local dev no Key Vault builder.ConfigurationBuilder .SetBasePath(Environment.CurrentDirectory) .AddJsonFile("local.settings.json", true) .AddUserSecrets(Assembly.GetExecutingAssembly(), true) .AddEnvironmentVariables() .Build(); } } } }
The configurations can then be used like any ASP.NET Core project.
using Microsoft.Azure.WebJobs; using Microsoft.Azure.WebJobs.Extensions.DurableTask; using Microsoft.Extensions.Logging; using Microsoft.Extensions.Options; namespace MyAzureFunctions.Activities { public class MyActivities { private readonly MyConfiguration _myConfiguration; private readonly MyConfigurationSecrets _myConfigurationSecrets; public MyActivities(IOptions<MyConfiguration> myConfiguration, IOptions<MyConfigurationSecrets> myConfigurationSecrets) { _myConfiguration = myConfiguration.Value; _myConfigurationSecrets = myConfigurationSecrets.Value; }
When configuring this in Azure, the app settings need to be added to the Azure APP service hosting the functions.
With this, there is no need to add secrets anymore to the local.settings.json file of the Azure Function projects.
Links:
https://docs.microsoft.com/en-us/azure/azure-functions/durable/
https://github.com/Azure/azure-functions-durable-extension
https://damienbod.com/2019/03/14/running-local-azure-functions-in-visual-studio-with-https/
Microsoft Azure Storage Explorer
Microsoft Azure Storage Emulator
[…] Azure Functions Configuration and Secrets Management – Damien Bowden […]
I have read 2 or 3 stackoverflow questions and at at least 2 blog posts about how to get my local.settings.json working in my V3 AF. None of them worked. My dependency was always null. Then I came across your post. Thank you
thanks for the comment, nice to know that it helped someone.
Greetings Damien
Thanks Damien, this helped me a great deal too about keeping secrets out of source control.
Hi ernieboy
Thanks!
Greetings Damien
The general recommendation is *not* to commit local.settings.json, since it may contain connection strings and other sensitive data.
Hi Tsahi yes you should not commit secrets to any file or anywhere in a github repo. using a hidden file inside your github repo is not a good idea idea as I have experienced this pushed to repos with secrets in it. I recommend using user secrets for development and Azure Key vault for production and to remove all secrets from the github repo (including hidden or non committed files) This is also how ASP.NET Core recommends this. Greetings Damien
This doesnt seem to work for process isolated azure functions. Have you considered using updating the guide to reflect the difference in the configuration?
I haven’t try the latest isolated functions yet, will look at this soon. Greetings Damien
That’s an awful lot of code for something that can be achieved in 4 lines 😉
https://stackoverflow.com/a/75370617/2050637