Get the Secrets
There are two ways to retrieve secrets from Azure Key Vault: first, by using the azure-keyvault package, and second, via environment variables.
Package
Add the azure-keyvault and azure-identity packages to your Azure Functions App.
pip install azure-identity
pip install azure-keyvault
Within the function, use this code:
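from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

# DefaultAzureCredential tries several credential sources in turn,
# including the Function App's managed identity when running in Azure.
credential = DefaultAzureCredential()
client = SecretClient(vault_url="https://<vaultname>.vault.azure.net",
                      credential=credential)
# Fetch the latest version of the secret from the vault.
secret = client.get_secret("<secret-name>")
print(secret.name)
# Demonstration only: printing the value writes the secret to the function's logs.
print(secret.value)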
For further information on the Key Vault SDK, check out Link.
One advantage this approach has over direct injection into environment variables is that you can update the secret at run time, simply by refetching the information from the vault. [Todo: verify this statement]
Store Secrets as Environment Variables
Alternatively, you can store secrets as environment variables in your Azure Functions App. This is done via the app settings (Link). To do this:
- Go to the Azure Functions App in the Azure Portal, and go to Settings > Configurations.
- Then click on the “New application setting” button.
- Enter the name of the environment variable and, for the value, the secret identifier you copied before. Use the syntax below for the value:
@Microsoft.KeyVault(SecretUri=<copied-value>)
Alternatively
@Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret)
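When the platform cannot resolve a Key Vault reference (for example, because the app's identity lacks access to the vault), the function receives the literal `@Microsoft.KeyVault(...)` string as the environment variable's value. The following is an added example, not code from the original page: it reads a secret from the environment and fails closed if the value is still an unresolved reference. The helper names, setting names and sample values are assumptions constructed for illustration.

```python
import os
import re

# Matches the app-setting reference syntax shown above.
_REF = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.*)\)$")


class UnresolvedReference(RuntimeError):
    """The app setting still contains the reference string, not the secret."""


def parse_reference(value):
    """Return the reference's fields as a dict, or None if value is not a reference."""
    m = _REF.match(value.strip())
    if not m:
        return None
    body = m.group("body")
    if body.startswith("SecretUri="):
        # Take the URI verbatim rather than splitting it on ';'.
        return {"SecretUri": body[len("SecretUri="):]}
    fields = {}
    for part in body.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            fields[key.strip()] = val.strip()
    return fields


def secret_from_env(name, environ=os.environ):
    """Read a secret injected through an app setting; fail closed if unresolved."""
    value = environ.get(name)
    if value is None:
        raise KeyError(f"app setting {name!r} is not set")
    ref = parse_reference(value)
    if ref is not None:
        # Report field names only, so a real secret value never reaches the logs.
        raise UnresolvedReference(
            f"{name!r} still holds a Key Vault reference (fields: {sorted(ref)})")
    return value


# Constructed sample environment (hypothetical setting names and values).
SAMPLE_ENV = {
    "DB_PASSWORD": "s3cr3t-constructed",
    "API_KEY": "@Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret)",
    "TOKEN": "@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/)",
}
```

Calling `secret_from_env` once at startup for every expected setting surfaces a missing access policy or a mistyped reference immediately, instead of the reference string being passed on as if it were a credential.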