How to map Azure Functions secrets from Key Vault automatically
Question
I was wondering if it's possible to initialize the queue trigger or even the blob trigger off a connection string that is read from Azure Vault.
Right now, we have to set these data connections via environment settings via blade properties. However, I wanted to just use the service principal to retrieve the token for the Azure Key Vault to get all these connection strings.
I'm trying to figure out how to get this working in Java.
Thanks, Derek
Answer
This feature is tracked and in progress here:
- Feature request: retrieve Azure Functions' secrets from Key Vault
- Add binding to Key Vault
Edit 28/11/2018: currently in preview.
Former answer 07/10/2018
This solution won't work for triggers using the Consumption plan.
In the meantime I did some research about your problem, and it is possible to read config from Key Vault if you use Azure Functions v2.
I've created an Azure Functions v2 (.NET Standard) project from Visual Studio.
It uses:
- NETStandard.Library v2.0.3
- Microsoft.NET.Sdk.Functions v1.0.22
- Microsoft.Azure.WebJobs v3.0.0
- Microsoft.Azure.WebJobs.Extensions.Storage v3.0.0
Because Azure Functions v2 uses ASP.NET Core, I was able to reference this link to configure my functions app to use Azure Key Vault:
Azure Key Vault configuration provider in ASP.NET Core
I added this NuGet package:
- Microsoft.Extensions.Configuration.AzureKeyVault
I've configured my app to use this NuGet package:
```csharp
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection.Extensions; // needed for IServiceCollection.Replace
using System.Linq;

[assembly: WebJobsStartup(typeof(FunctionApp1.WebJobsExtensionStartup), "A Web Jobs Extension Sample")]

namespace FunctionApp1
{
    public class WebJobsExtensionStartup : IWebJobsStartup
    {
        public void Configure(IWebJobsBuilder builder)
        {
            // Get the existing configuration (app settings / local.settings.json)
            var serviceProvider = builder.Services.BuildServiceProvider();
            var existingConfig = serviceProvider.GetRequiredService<IConfiguration>();

            // Create a new config based on the existing one and add Key Vault on top of it;
            // the vault name itself comes from the "keyVaultName" app setting
            var configuration = new ConfigurationBuilder()
                .AddConfiguration(existingConfig)
                .AddAzureKeyVault($"https://{existingConfig["keyVaultName"]}.vault.azure.net/")
                .Build();

            // Replace the existing configuration so bindings such as "%queueName%"
            // and Connection = "queueConnectionString" resolve against the merged config
            builder.Services
                .Replace(ServiceDescriptor.Singleton(typeof(IConfiguration), configuration));
        }
    }
}
```
My Azure Functions app uses MSI:
I've granted Read/List secrets permissions to the function app on my Key Vault:
I have a small queue-triggered function:
```csharp
using Microsoft.Azure.WebJobs;
using Microsoft.Extensions.Logging;

public static class Function2
{
    // "%queueName%" is resolved from app settings; "queueConnectionString" is looked up
    // by name in the configuration, which now includes the Key Vault secrets
    [FunctionName("Function2")]
    public static void Run(
        [QueueTrigger("%queueName%", Connection = "queueConnectionString")] string myQueueItem,
        ILogger log)
    {
        log.LogInformation($"C# Queue trigger function processed: {myQueueItem}");
    }
}
```
The queueName is defined in the local.settings.json file (App settings blade once deployed):

```json
{
  "IsEncrypted": false,
  "Values": {
    "AzureWebJobsStorage": "UseDevelopmentStorage=true",
    "FUNCTIONS_WORKER_RUNTIME": "dotnet",
    "keyVaultName": "thomastestkv",
    "queueName": "myqueue"
  }
}
```
The queueConnectionString is configured in my Key Vault: