如何从 Key Vault 自动映射 Azure Functions 机密 [英] How to map Azure Functions secrets from Key Vault automatically
问题描述
我想知道是否可以从从 azure vault 读取的连接字符串中初始化队列触发器甚至 blob 触发器.
现在,我们必须通过刀片属性通过环境设置来设置这些数据连接.但是,我只想使用服务主体来检索 azure key vault 的令牌以获取所有这些连接字符串.
我正在尝试如何在 java 中实现这一点.
谢谢,德里克
此功能已在此处跟踪并正在进行中:
我已向我的密钥保管库上的函数应用授予读取/列出机密权限:
我有一个小队列触发函数:
公共静态类 Function2{[函数名称(函数 2")]公共静态无效运行([QueueTrigger(%queueName%",Connection =queueConnectionString")]string myQueueItem,ILogger日志){log.LogInformation($"C# 队列触发函数处理:{myQueueItem}");}}queueName在local.settings.json文件中定义(部署后的应用设置刀片):<代码>{IsEncrypted":假,价值观":{AzureWebJobsStorage":UseDevelopmentStorage=true",FUNCTIONS_WORKER_RUNTIME":dotnet",keyVaultName":thomastestkv",队列名称":我的队列";}}queueConnectionString在我的 keyvault 中配置:I was wondering if it's possible to initialize the queue trigger or even the blob trigger off a connection string that is read from azure vault.
Right now, we have to set these data connection via environment settings via blade properties. However, I wanted to just use the service principal to retrieve the token for the azure key vault to get all these connection strings.
I'm trying to figure how to get this working in java.
Thanks, Derek
解决方案This feature is tracked and in progress here:
EDIT 28/11/2018: It is currently in preview
Former answer 07/10/2018 This solution won't work for Triggers using the consumption plan.
In the mean time I did some research about your problem and it is possible to read config from key vault if you use Azure Function v2.
I've created an Azure Functions v2 (.NET Standard) from Visual Studio.
It uses:
- NETStandard.Library v2.0.3
- Microsoft.NET.Sdk.Functions v1.0.22
- Microsoft.Azure.WebJobs v3.0.0
- Microsoft.Azure.WebJobs.Extensions.Storage v3.0.0
Because Azure Functions v2 uses ASP.NET core, I was able to reference this link to configure my functions app to use Azure Key Vault:
Azure Key Vault configuration provider in ASP.NET Core
- I've added this nuget package:
I've configured my app to use this nuget package:
using Microsoft.Azure.WebJobs; using Microsoft.Azure.WebJobs.Hosting; using Microsoft.Extensions.Configuration; using Microsoft.Extensions.DependencyInjection; using System.Linq; [assembly: WebJobsStartup(typeof(FunctionApp1.WebJobsExtensionStartup), "A Web Jobs Extension Sample")] namespace FunctionApp1 { public class WebJobsExtensionStartup : IWebJobsStartup { public void Configure(IWebJobsBuilder builder) { // Get the existing configuration var serviceProvider = builder.Services.BuildServiceProvider(); var existingConfig = serviceProvider.GetRequiredService<IConfiguration>(); // Create a new config based on the existing one and add kv var configuration = new ConfigurationBuilder() .AddConfiguration(existingConfig) .AddAzureKeyVault($"https://{existingConfig["keyVaultName"]}.vault.azure.net/") .Build(); // replace the existing configuration builder.Services .Replace(ServiceDescriptor.Singleton(typeof(IConfiguration), configuration)); } } }My Azure functions uses MSI:
I've granted Read/List secrets permissions to the function app on my key vault:
I have a small queue triggered function:
public static class Function2 { [FunctionName("Function2")] public static void Run([QueueTrigger("%queueName%", Connection = "queueConnectionString")]string myQueueItem, ILogger log) { log.LogInformation($"C# Queue trigger function processed: {myQueueItem}"); } }The
queueNameis defined in thelocal.settings.jsonfile (App settings blade once deployed):{ "IsEncrypted": false, "Values": { "AzureWebJobsStorage": "UseDevelopmentStorage=true", "FUNCTIONS_WORKER_RUNTIME": "dotnet", "keyVaultName": "thomastestkv", "queueName": "myqueue" } }The
queueConnectionStringis configured in my keyvault:这篇关于如何从 Key Vault 自动映射 Azure Functions 机密的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
