Skip to main content
Version: Next

Using secret store within Azure Functions

This separate documentation section explains how the Arcus secret store can be used within Azure Functions environments (both in-process and isolated).

Using secret store within in-process Azure Functions#

To more easily configure the secret store, we provided a dedicated package that builds on top of the IFunctionsHostBuilder:

Installation#

For this feature, the following package needs to be installed:

PM > Install-Package Arcus.Security.AzureFunctions

Usage#

The secret stores are configured during the initial application build-up in the Startup.cs:

using Microsoft.Azure.Functions.Extensions.DependencyInjection;using Microsoft.Extensions.Configuration;using Microsoft.Extensions.DependencyInjection;
[assembly: FunctionsStartup(typeof(Startup))]
namespace MyHttpAzureFunction{    public class Startup : FunctionsStartup    {        public override void Configure(IFunctionsHostBuilder builder)        {            builder.ConfigureSecretStore((FunctionsHostBuilderContext context, IConfiguration config, SecretStoreBuilder stores) =>            {                var keyVaultName = config["KeyVault_Name"];                stores.AddEnvironmentVariables()                      .AddAzureKeyVaultWithManagedIdentity($"https://{keyVaultName}.vault.azure.net");            })        }    }}

Once the secret providers are defined, the ISecretProvider can be used as any other registered service:

using Arcus.Security.Core;
namespace Application{    public class MyHttpTrigger    {        public MyHttpTrigger(ISecretProvider secretProvider)        {        }
        [FunctionName("MyHttpTrigger")]        public async Task<IActionResult> Run(            [HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)] HttpRequest req,            ILogger log)        {            return new OkObjectResult("Response from function with injected dependencies.");        }    }}

Using secret store within isolated Azure Functions#

Since isolated Azure Functions are built with the default HostBuilder, the general secret store packages can be used in this environment. No need to install the dedicated Arcus.Security.AzureFunctions package.

Usage#

Using the available extensions on the HostBuilder or IServiceCollection, the secret store can be added, just like a Web API or console application.

var host = new HostBuilder()    .ConfigureFunctionsWorkerDefaults(builder =>    {            })   .ConfigureSecretStore((context, config, stores) =>   {        builder.AddEnvironmentVariables()               .AddAzureKeyVaultWithManagedIdentity($"https://{keyVaultName}.vault.azure.net");   })    .Build();

Once the secret providers are defined, the ISecretProvider can be used as any other registered service:

using Arcus.Security.Core;
namespace Application{    public class MyHttpTrigger    {        public MyHttpTrigger(ISecretProvider secretProvider)        {        }
        [Function("MyHttpTrigger")]        public HttpResponseData Run(            [HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)] HttpRequestData req,            ILogger log)        {            var response = req.CreateResponse(HttpStatusCode.OK);            return response;        }    }}