Azure Functions Configuration and Secrets Management

This post shows how to configure Azure Function projects so that no secrets are required in the local.settings.json or in the code. Secrets for the project are saved in the user secrets of the project, or in the app settings of the deployment. The deployment should/can use Azure Key Vault for the secrets and not the app.settings of the deployment (or key vault). The aim is to remove the secrets from the code and the local.settings.json file. I see this committed in many solutions with secrets.

Code: https://github.com/damienbod/AzureDurableFunctions

History

2021-03-07 Update packages and using DefaultAzureCredential for Azure Key vault access

2020-10-23 Updated Azure Functions Configuration

Posts in this series

The local.settings.json file can be used to add app settings for local development in your Azure Function project. In this file, are standard configuration values which are not secrets and this file can be committed to the git repository. In this demo, we added a MyConfiguration class with two values. Note that the configuration is not added inside the Values object. I prefer this.

local.settings.json

{
  "IsEncrypted": false,
  "Values": {
    "AzureWebJobsStorage": "UseDevelopmentStorage=true",
    "AzureWebJobsSecretStorageType": "Files",
    "FUNCTIONS_WORKER_RUNTIME": "dotnet",
    "ASPNETCORE_ENVIRONMENT": "Development",
    //"AZURE_TENANT_ID": "your tenant",
    // To use the key vault in local debug, the Firewall needs to allow this
    //"AzureKeyVaultEndpoint": "your azure ad tenant"
    "AzureKeyVaultEndpoint": ""
  },
  "MyConfiguration": {
    "Name": "Lilly",
    "AmountOfRetries": 7
  }
}

The Azure functions project requires the Microsoft.Extensions.Configuration.UserSecrets nuget package to support user secrets for local development.

<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>netcoreapp3.1</TargetFramework>
    <AzureFunctionsVersion>v3</AzureFunctionsVersion>
    <UserSecretsId>222f37ac-e563-4ba8-8e33-ee799c456135</UserSecretsId>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.Azure.WebJobs.Extensions.DurableTask" Version="2.4.1" />
    <PackageReference Include="Microsoft.NET.Sdk.Functions" Version="3.0.11" />
    <PackageReference Include="Microsoft.Azure.Functions.Extensions" Version="1.1.0" />
    <PackageReference Include="System.Configuration.ConfigurationManager" Version="5.0.0" />

    <PackageReference Include="Microsoft.Extensions.Configuration" Version="3.1.12" />
    <PackageReference Include="Microsoft.Extensions.Logging.Console" Version="3.1.12" />
    <PackageReference Include="Microsoft.Extensions.Configuration.UserSecrets" Version="3.1.12" />

    <PackageReference Include="Azure.Extensions.AspNetCore.Configuration.Secrets" Version="1.0.2" />
    <PackageReference Include="Azure.Identity" Version="1.3.0" />
    <PackageReference Include="Azure.Security.KeyVault.Certificates" Version="4.1.0" />
    <PackageReference Include="Microsoft.Azure.Services.AppAuthentication" Version="1.6.1" />
  </ItemGroup>
  <ItemGroup>
    <None Update="host.json">
      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
    </None>
    <None Update="local.settings.json">
      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
      <CopyToPublishDirectory>Never</CopyToPublishDirectory>
    </None>
  </ItemGroup>
</Project>

In the secrets json file which is in your profile and not the source code, you can add the super secrets.

{
  "MyConfigurationSecrets": {
    "MySecretOne": "secret one",
    "MySecretTwo": "secret two"
  }
}

The Azure Functions project uses DI and so has a Startup class which inherits from the FunctionsStartup class. The configuration is setup using the ConfigurationBuilder and uses the optional Json files and the optional user secrets. It is important that these are optional. The configuration classes are added using the IOption interface.

using Microsoft.Azure.Functions.Extensions.DependencyInjection;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using MyAzureFunctions;
using MyAzureFunctions.Activities;
using System;
using System.Reflection;

[assembly: FunctionsStartup(typeof(Startup))]

namespace MyAzureFunctions
{
    public class Startup : FunctionsStartup
    {
        public override void Configure(IFunctionsHostBuilder builder)
        {
            builder.Services.AddScoped<MyActivities>();

            builder.Services.AddOptions<MyConfiguration>()
                .Configure<IConfiguration>((settings, configuration) =>
                {
                    configuration.GetSection("MyConfiguration").Bind(settings);
                });

            builder.Services.AddOptions<MyConfigurationSecrets>()
                .Configure<IConfiguration>((settings, configuration) =>
                {
                    configuration.GetSection("MyConfigurationSecrets").Bind(settings);
                });
        }

        public override void ConfigureAppConfiguration(IFunctionsConfigurationBuilder builder)
        {
            var builtConfig = builder.ConfigurationBuilder.Build();
            var keyVaultEndpoint = builtConfig["AzureKeyVaultEndpoint"];

            if (!string.IsNullOrEmpty(keyVaultEndpoint))
            {
                // might need this depending on local dev env
                //var credential = new DefaultAzureCredential(
                //    new DefaultAzureCredentialOptions { ExcludeSharedTokenCacheCredential = true });

                // using Key Vault, either local dev or deployed
                builder.ConfigurationBuilder
                        .SetBasePath(Environment.CurrentDirectory)
                        .AddAzureKeyVault(new Uri(keyVaultEndpoint), new DefaultAzureCredential())
                        .AddJsonFile("local.settings.json", true)
                        .AddEnvironmentVariables()
                    .Build();
            }
            else
            {
                // local dev no Key Vault
                builder.ConfigurationBuilder
                   .SetBasePath(Environment.CurrentDirectory)
                   .AddJsonFile("local.settings.json", true)
                   .AddUserSecrets(Assembly.GetExecutingAssembly(), true)
                   .AddEnvironmentVariables()
                   .Build();
            }
        }
    }
}

The configurations can then be used like any ASP.NET Core project.

using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.DurableTask;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

namespace MyAzureFunctions.Activities
{
    public class MyActivities
    {
        private readonly MyConfiguration _myConfiguration;
        private readonly MyConfigurationSecrets _myConfigurationSecrets;

        public MyActivities(IOptions<MyConfiguration> myConfiguration, 
            IOptions<MyConfigurationSecrets> myConfigurationSecrets)
        {
            _myConfiguration = myConfiguration.Value;
            _myConfigurationSecrets = myConfigurationSecrets.Value;
        }

When configuring this in Azure, the app settings need to be added to the Azure APP service hosting the functions.

With this, there is no need to add secrets anymore to the local.settings.json file of the Azure Function projects.

Links:

https://docs.microsoft.com/en-us/azure/azure-functions/functions-how-to-use-azure-function-app-settings

https://docs.microsoft.com/en-us/azure/azure-functions/durable/

https://github.com/Azure/azure-functions-durable-extension

https://damienbod.com/2019/03/14/running-local-azure-functions-in-visual-studio-with-https/

Microsoft Azure Storage Explorer

Microsoft Azure Storage Emulator

Install the Azure Functions Core Tools

NodeJS

Azure CLI

Azure SDK

Visual Studio zure development extensions

10 comments

  1. […] Azure Functions Configuration and Secrets Management – Damien Bowden […]

  2. Pat Long · · Reply

    I have read 2 or 3 stackoverflow questions and at at least 2 blog posts about how to get my local.settings.json working in my V3 AF. None of them worked. My dependency was always null. Then I came across your post. Thank you

    1. thanks for the comment, nice to know that it helped someone.

      Greetings Damien

  3. ernieboy · · Reply

    Thanks Damien, this helped me a great deal too about keeping secrets out of source control.

    1. Hi ernieboy

      Thanks!

      Greetings Damien

  4. Tsahi Asher · · Reply

    The general recommendation is *not* to commit local.settings.json, since it may contain connection strings and other sensitive data.

    1. Hi Tsahi yes you should not commit secrets to any file or anywhere in a github repo. using a hidden file inside your github repo is not a good idea idea as I have experienced this pushed to repos with secrets in it. I recommend using user secrets for development and Azure Key vault for production and to remove all secrets from the github repo (including hidden or non committed files) This is also how ASP.NET Core recommends this. Greetings Damien

  5. hsadjdsjkuf · · Reply

    This doesnt seem to work for process isolated azure functions. Have you considered using updating the guide to reflect the difference in the configuration?

    1. I haven’t try the latest isolated functions yet, will look at this soon. Greetings Damien

  6. That’s an awful lot of code for something that can be achieved in 4 lines 😉

    https://stackoverflow.com/a/75370617/2050637

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: