Keeping your connection strings and secrets secure is not a concern of just one industry. The best practice is to keep security at the top of your mind regardless of whether you are building an app for a company in Healthcare, Finance, Retail, or any other space. Azure Key Vault can help you do just that.
If you have ever created an Azure App Service or Azure Function App that uses app settings, then you have dealt with the problem of how to keep those settings secure and update them correctly in each environment. You need a secure location to store this information and a way to access it during your deployment process. Azure Key Vault, together with the Azure Key Vault task inside a deployment pipeline in Azure DevOps, can solve this problem for you. If you prefer video, then have a look at this as it will walk you through the steps of getting this set up.
What’s the problem?
You want your code ‘bits’ to not have to worry about the configuration items that change from environment to environment, so being a good developer, you have created variables to protect you from these changing values. Now how do you automate your deployment to account for them? I’d like to suggest using the Azure Key Vault task YAML snippet as part of your YAML pipeline in Azure DevOps, and here’s how you can use it.
The Setup
We have the following resources that we are using to demonstrate this setup.
- Azure Function (Python, but it can be any language)
- Key Vault
- YAML pipeline
This GitHub repo is what we are going to be using as our example:
If you look at the README.md it will give you a good feel for what the repo is doing, but we are going to zoom in to the Key Vault integration.
Azure Function App
You will need to make sure you have a function app created that you can use. There isn’t any special setup you need to do here other than to take note of the app settings that you want to set in your pipeline.
Key Vault
Again, you will need to make sure you have a key vault created in Azure to use, and it will need to have at least one secret that you want to set as the app setting. You will also need to make sure that the identity behind your Azure DevOps service connection has Get and List secret permissions in the Key Vault’s access policies.
This is a good place to point out that an Azure Key Vault currently has 2 permission models: Vault access policy and Azure role-based access control (RBAC). The model used in this blog post and video is the Vault access policy, but it could also be accomplished with the RBAC approach. If you are interested in following the RBAC approach, please refer to this document.
The `azure-pipelines.yml` pipeline
All of the code is located in the GitHub repo listed above, but this pipeline file will need to be used in an Azure DevOps pipeline so you can kick it off to test this process. If you take a look at this file, you can see the Azure Key Vault task snippet and the parameters it uses.
Here is a link to the document for the Key Vault YAML snippet. This task downloads the secrets from the key vault that you specify. Once the secrets have been downloaded, you can use them throughout the pipeline as you would a typical variable, using the Key Vault secret name as the variable name. Below, we are using `blob-storage-connection-secret`.
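As an added example (not the pipeline file from the repo above), here is a minimal `azure-pipelines.yml` that wires the two tasks together. The service connection, vault, function app, package path and the app setting name `BLOB_STORAGE_CONNECTION` are all placeholder assumptions; the secret name `blob-storage-connection-secret` is the one used in this post.

```yaml
# Added example pipeline; all names below are assumptions, not the repo's values.
trigger:
  - main

variables:
  azureServiceConnection: 'my-service-connection'   # assumption
  keyVaultName: 'my-key-vault'                      # assumption
  functionAppName: 'my-function-app'                # assumption

pool:
  vmImage: 'ubuntu-latest'

steps:
  # Pull secrets from Key Vault into pipeline variables. The identity behind
  # the service connection needs Get and List on secrets in the vault's
  # access policy (or the equivalent RBAC role).
  - task: AzureKeyVault@2
    displayName: 'Download Key Vault secrets'
    inputs:
      azureSubscription: $(azureServiceConnection)
      KeyVaultName: $(keyVaultName)
      # '*' would download every secret in the vault. Listing only the
      # secrets this pipeline needs limits what a compromised or misbehaving
      # job could read.
      SecretsFilter: 'blob-storage-connection-secret'
      RunAsPreJob: false

  # Deploy the function package and set the app setting from the secret.
  # The variable is marked secret, so its value is masked in the job log.
  - task: AzureFunctionApp@1
    displayName: 'Deploy Function App'
    inputs:
      azureSubscription: $(azureServiceConnection)
      appType: functionAppLinux
      appName: $(functionAppName)
      package: '$(Build.ArtifactStagingDirectory)/functionapp.zip'   # assumption
      # "-name value" pairs; the secret name becomes the variable name.
      appSettings: '-BLOB_STORAGE_CONNECTION "$(blob-storage-connection-secret)"'
```

Secret variables are not exposed to scripts as environment variables automatically, so a later `script` step that needs the value must map it explicitly under `env:`.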
How to test
To test this, you will just need to run the Azure DevOps pipeline that you created using the `azure-pipelines.yml` file. When that run completes, take a look at the output from the `Deploy Function App` step and you will see the following:
The log confirms that your setting was updated, and notice that the actual value being written is masked in the log to keep your secrets…well, secret! To double check, you can go to the Function App in the Azure portal and confirm the setting there. In our case we are looking for this Key Vault value to be put in the app settings:
Key Vault -> Secret -> blob-storage-connection-secret
Function App Service
That’s it! Thanks for reading and/or watching. Please comment with any questions.